I think my question is a simple one. Is it possible for a web client to discover what methods are available from a particular WCF service (by way of http://the.web.server/SomeWCFService.svc)?
This is not something that we're trying to do but rather we're trying to discover how vulnerable our services are and we're looking into ways to make them a little more secure.
Thanks in advance.
The following MSDN article should address your concern, as it clearly states that a client must have prior knowledge of the service address prior to discovery. (The article then discusses how you could enable dynamic discovery, which does not seem like what you want):
"All the Windows Communication Foundation (WCF) calls possible with the Microsoft .NET Framework 3.5 share two constraints. First, the port or pipe assigned to the service must be available. The application developer or administrator literally has to guess or have some way of reserving them. Second, the client must apriori know the address of the service endpoints, both the port number and the service machine, or the pipe name."