WCF Security Modes

WCF supports three types of Security. They are,

  • Transport Security

  • Mixed-Mode Security

  • Message Security

Let’s discuss the various Security Modes below. 

Transport Security is applied at the transport byte stream below the message layer. The message does not have a Security header and the message does not carry any user authentication data. It is the least flexible in terms of WS-Security usage and it is highly dependent on the transport. It is the fastest in terms of performance.

Message Security is applied at the message layer and it is transport independent. It is a point to point security model with maximum flexibility in terms of having the message routed over different transports. WS-Security defines different ways to secure a message and the tokens that can be used. Message Security provides the maximum flexibility in terms of that as well. Message Security is slowest in terms of performance.

Mixed-Mode Security is a hybrid between Transport and Message Security. The transport is encrypted and the message contains some user authentication tokens. If the token can provide a key (i.e., it is not a username/password token) then it will sign the timestamp in the security header. If the client token is a Asymmetric token then the ‘To’ header will be signed as well. It is faster than Message Security.

Comments (5)

  1. When you are using a X.509 Certificate as the client authentication token in Mixed-Mode Security – apart

  2. Also check out my article ‘Levels of Security in Windows Communication Foundation’:


  3. leo2 says:


    As per my understanding,following types of security are provided in wcf






    You have mentioned only three types of security modes.Can you clarify on which mode out of the above 5 are you referring to in mixed mode.

    Also which one of these are the fastest.



  4. govindr says:

    Hi Rajiv,

      The 4 you have is the same as 3. The 5 you have pointed out is the same as 1, just pure transport security, right?


  5. Comment says:

    javascript:WebForm_DoPostBackWithOptions(new WebForm_PostBackOptions("ctl00$content$ctl00$fragment_32172$ctl01$ctl00$ctl00$ctl05$bpCommentForm$ctl05$btnSubmit", "", true, "BlogPostCommentForm-ctl00_content_ctl00_fragment_32172_ctl01_ctl00", "", false, true))