We're trying to harden a WCF service that we use with an XBAP application and have some questions that we haven't been able to answer yet.
To give some background: The communication between the application and service is over HTTPS. The user is authenticated using username/password. The data being sent/received is compressed (gzip) binary. We're using UserNameOverTransport security. Our application is the only one that can access the service (unless it's hacked, of course).
Is input validation important? Is it possible to do schema validation on the service side when the data is sent in binary?
Is WCF vulnerable to cross-site scripting in a scenario like this? If so, are there any documents out there on securing WCF against XSS?
Do you have any other recommendations for securing WCF? I'm currently looking through Lowy's section on WCF security to see if we're missing anything important.
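The schema-validation question above (whether it is possible when the body is sent in binary), as an added C# example that is not part of the original post or of the WCF samples: a dispatch message inspector that validates every request body against an XSD. It works regardless of the wire encoding, because the binary encoder (and a custom gzip encoder, if one is used) runs before dispatch and hands the body to the service as an XmlDictionaryReader over the decoded Infoset. The class names, the schema file `Contracts.xsd` and the `null` target namespace passed to `XmlSchemaSet.Add` are assumptions for the illustration.

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;
using System.ServiceModel.Dispatcher;
using System.Xml;
using System.Xml.Schema;

// Validates each incoming request body against an XSD before it reaches the
// service operation. By the time a dispatch inspector runs, the message encoder
// has already decoded the binary/gzip wire bytes, so the same code covers text,
// MTOM and binary encodings.
public class SchemaValidationInspector : IDispatchMessageInspector
{
    private readonly XmlSchemaSet _schemas;

    public SchemaValidationInspector(XmlSchemaSet schemas)
    {
        _schemas = schemas;
    }

    public object AfterReceiveRequest(ref Message request, IClientChannel channel, InstanceContext instanceContext)
    {
        // A Message can be read only once: buffer it, give one copy to the
        // validator and hand a fresh copy back to the dispatcher.
        MessageBuffer buffer = request.CreateBufferedCopy(int.MaxValue);
        Message copy = buffer.CreateMessage();
        request = buffer.CreateMessage();

        var settings = new XmlReaderSettings
        {
            ValidationType = ValidationType.Schema,
            Schemas = _schemas
        };
        // Warnings include "no schema information for element", i.e. a body
        // element the XSD does not declare; treat those as failures too.
        settings.ValidationFlags |= XmlSchemaValidationFlags.ReportValidationWarnings;
        string firstProblem = null;
        settings.ValidationEventHandler += (s, e) => { firstProblem = firstProblem ?? e.Message; };

        using (XmlDictionaryReader body = copy.GetReaderAtBodyContents())
        using (XmlReader validating = XmlReader.Create(body, settings))
        {
            while (validating.Read()) { }   // pull the whole body through the validator
        }

        if (firstProblem != null)
        {
            // Log firstProblem server-side; the client gets a generic fault so the
            // schema internals and parser wording are not echoed back.
            throw new FaultException("Request rejected: message body failed schema validation.");
        }
        return null;
    }

    public void BeforeSendReply(ref Message reply, object correlationState) { }
}

// Endpoint behavior that installs the inspector on the dispatch side. Attach it
// to the service endpoint, e.g. in the host:
//   host.Description.Endpoints[0].Behaviors.Add(new SchemaValidationBehavior("Contracts.xsd"));
public class SchemaValidationBehavior : IEndpointBehavior
{
    private readonly XmlSchemaSet _schemas;

    public SchemaValidationBehavior(string schemaFile)   // schemaFile is an assumed path
    {
        _schemas = new XmlSchemaSet();
        _schemas.Add(null, schemaFile);   // null: take targetNamespace from the XSD itself
        _schemas.Compile();
    }

    public void AddBindingParameters(ServiceEndpoint endpoint, BindingParameterCollection bindingParameters) { }
    public void ApplyClientBehavior(ServiceEndpoint endpoint, ClientRuntime clientRuntime) { }
    public void Validate(ServiceEndpoint endpoint) { }

    public void ApplyDispatchBehavior(ServiceEndpoint endpoint, EndpointDispatcher endpointDispatcher)
    {
        endpointDispatcher.DispatchRuntime.MessageInspectors.Add(new SchemaValidationInspector(_schemas));
    }
}
```

Schema validation checks structure and types, not size: the binding's `MaxReceivedMessageSize` and `ReaderQuotas` (element depth, string length, array length) are what bound a compressed request after it is inflated, so keep those set alongside the inspector.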