
A few years ago, I had a task to integrate an insurance company's web service into our .NET development.

The security requirements of this insurance company's web service were top notch.
As a client you had to build a request that used a negotiated certificate, canonical header structures, a security timestamp, a secret token in the header, ...

Configuring all this stuff for WCF via web.config was a pure pain in the ass.

After many phone calls and emails, I finally managed to meet all the security requirements to send a valid request.

At first, I didn't recognize my breakthrough, because my client was still throwing exceptions while calling the insurance web service.

Why was that?

The exception told me in the most gentle way possible that .NET isn't able to process an unsecured response when there was a secured request before.

So there was top notch security for the request, but dumbass unsecured responding with all the precious customer information.

*epicfacepalmnuclearexplosionfollowing*

I even had to raise the .NET version of our .NET client, because I wasn't able to configure that it is allowed to process an unsecured response after using a secured request.
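For anyone hitting the same wall: the knob WCF uses for this case is `SecurityBindingElement.EnableUnsecuredResponse`, which shipped with .NET Framework 4.0 (and was backported to 3.5 SP1 as a hotfix). The snippet below is an added example, not code from the original post or from the insurance company's service; the binding settings (certificate message security, no secure conversation) and the helper name `UnsecuredResponseBinding` are assumptions chosen to match the request described above. Note that this is a deliberate downgrade: with the flag set, WCF no longer checks a signature on the response, so the reply's integrity and origin are only as good as the transport underneath.

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Channels;

// Hypothetical helper (not from the original post): builds a client binding that
// sends a WS-Security-protected request but tolerates a plain, unsecured response.
// Requires .NET Framework 4.0+ (or 3.5 SP1 with the hotfix that added
// SecurityBindingElement.EnableUnsecuredResponse).
static class UnsecuredResponseBinding
{
    public static Binding Create()
    {
        // Assumed starting point: certificate-based message security, no
        // negotiation or secure conversation, matching a "signed request" profile.
        var ws = new WSHttpBinding(SecurityMode.Message);
        ws.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;
        ws.Security.Message.NegotiateServiceCredential = false;
        ws.Security.Message.EstablishSecurityContext = false;

        // Explode the standard binding into its elements so the security
        // element can be edited; WSHttpBinding itself does not expose the flag.
        BindingElementCollection elements = ws.CreateBindingElements();
        var security = elements.Find<SecurityBindingElement>();
        if (security == null)
            throw new InvalidOperationException("binding has no security element");

        // The whole point: accept an unsecured response to a secured request.
        // Security caveat: the response then carries no signature, so WCF does
        // not verify its integrity or origin. Only use this over HTTPS, and only
        // when the service really cannot secure its replies.
        security.EnableUnsecuredResponse = true;

        // Keep the security timestamp in the request header, as the service requires.
        security.IncludeTimestamp = true;

        return new CustomBinding(elements);
    }
}
```

The same setting exists in configuration as the `enableUnsecuredResponse="true"` attribute on the `<security>` element of a `<customBinding>`, which is the route to take if the client is wired up purely through web.config.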

Whyyyyyyy?!!?!!1el even!?!
