Transport Level Security Vs Message Level Security in WCF

By | September 17, 2014

Core security concepts supported by WCF – Windows Communication Foundation are Confidentiality, Integrity, Auditing, Authentication and Authorization. In Windows Communication Foundation, security can be configured at two different levels:Transport Vs Message Level Security in WCF

  • Transport Level Security
    It secures the actual transport (i.e. the pipe) over which the message passes through from client to a service. For example it uses SSL (Secure Socket Layer) to ensure point-to-point protection.
  • Message Level Security
    It secures the message itself that is being transported from client to a service and vice versa.

In this WCF Tutorial, we will dive deeper to understand the difference between Transport Level Security and Message Level Security in WCF (Windows Communication Foundation).

Recommended Scenarios for Transport and Message Level Security:

Transport Level Security doesn’t support scenarios when Intermediaries involved. It only support sending a message directly from client to WCF Service without an intermediate system. It’s suited when both client and service resides on same intranet.

On the other hand, actual message is secured in Message Level Security, it support intermediaries. No problem at all in scenarios even if message routed through multiple intermediate systems.
Below you can find advantages/disadvantages for both these security levels that will help to understand  the difference between Transport Level Security and Message Level Security.

Transport Level Security

Message Level Security

  • As Transport Level Security secures the network protocol, so no extra coding required.
  • As client and service doesn’t need to understand WS-Security specification results support for interoperability.
  • Improved performance can be achieved by using hardware accelerators.
  • As the message is secured (signed and encrypted) while transmitting through the network, any intermediate hop in the network has no impact on security.
  • Being transport-independent, it can support multiple transport options.
  • Supports wide range of security options, even we can implement custom security.
  • Lacks support for intermediate systems because it’s point to point and protects the “pipe” between a single client and a service.
  • Security options are comparatively less due to protocol security limitations.
  • Every individual Message is secured means there is a cost to encrypt a message at one side and decrypt on the other resulting in reduced performance.
  • Lacks Interoperability. It demands both client and service should support WS-Security specification, so no support for applications developed in older technologies like ASMX.

Other Related Articles:

Top 10 Interview Questions and Answers Series:

Category: Uncategorized


Imran Abdul Ghani is working as Software Developer(Senior) with extensive knowledge in Web development technologies especially C#, ASP.NET, MVC, WCF, Web API, ADO.NET Entity Framework, jQuery etc. He has several years of experience in designing/developing enterprise level applications. He is Microsoft Certified Solution Developer for .NET (MCSD.NET) since 2005. You can reach his blogging at,, and