5.1 Security Considerations for Implementers

If the context information carried in the HTTP message headers and SOAP headers is not secured, it can be intercepted, tampered with, and replayed to the server with malicious intent. The following mechanisms are recommended to ensure that the context information is not tampered with while in transit:

  1. When using the .NET Context Exchange Protocol over HTTP 1.1 [RFC2616], send the HTTP Client Message Headers and HTTP Server Message Headers over a secure channel using the Transport Layer Security (TLS) protocol [RFC4346].

  2. When using the .NET Context Exchange Protocol over SOAP, send the CONTEXT_XML and CALLBACK_CONTEXT_XML SOAP headers over a secure channel using the Transport Layer Security (TLS) protocol [RFC4346], or secure them using WS-* security mechanisms such as [WSS1].