I have a WCF web service that is using WSHttpBinding. The security is TransportWithMessageCredential. I have a client connecting to me that is sending a Soap message with the To element in the header unsigned. My service doesn't like this and is throwing System.ServiceModel.Security.MessageSecurityException with the message "The message received over Transport security has unsigned 'To' header". I haven't been able to find the signing of the element specified specifically in the WS-Security spec but I have seen it recommended to prevent redirect attacks.
So does anyone know if there is anyway for me to configure my web service not to check for the To element to be signed? Also the other side of the issue but I cannot change how this client is connecting to me.