The message contract may indicate whether the message headers and / or text should be digitally signed and encrypted.
This is done by setting the System.ServiceModel.MessageContractMemberAttribute.ProtectionLevel property in the MessageHeaderAttribute and MessageBodyMemberAttribute attributes. The property is an enumeration of the System.Net.Security.ProtectionLevel type and can be set to None (without encryption or signature), Sign (only for digital signature) or EncryptAndSign (both encryption and digital signature). The default is EncryptAndSign.
For these security features to work, you must configure the binding and behavior correctly. If you use these security features without proper configuration (for example, when you try to sign a message without providing your credentials), an exception is thrown during the scan.
For message headers, the protection level is determined individually for each header.
For parts of the message body, the protection level can be considered as the "minimum level of protection". The body has only one level of protection, regardless of the number of body parts. The body protection level is determined by the highest setting of the ProtectionLevel property for all parts of the body. However, you must set the level of protection of each part of the body to the required minimum level of protection. See this article for more details.