There are four different security header layout that can be specified in WCF. The values are defined in WS-SecurityPolicy. They are,

  • Strict - All security tokens are defined in the security header before its first use. The primary signature should be specified before any endorsing signatures.
  • Lax - All elements inside the security header can appear in any order.
  • LaxWithTimestampFirst - Timestamp element should be the first element that appears inside the security header. All other elements can appear in any order.
  • LaxWithTimestampLast - Timestamp element should be the last element inside the security header.

WCF provides a way to specify the security header layout using a switch on the security binding element called securityHeaderLayout.

Strict is the default mode in WCF. Lax mode can be slower in rejecting invalid messages as most of the validations are done after the security header is consumed. LaxWithTimestampLast serves the least purpose among the different header layouts but is defined for Interop reasons.

So what should you use? Lax is predominantly used when incoming message can be generated by different stacks. If all your messages are from WCF then using the default of Strict gives the maximum benefit.