At design time, WCF must publish MEX or WSDL to allow clients to auto-configure their proxies; but when design time is over and the service and clients are going to run in production, is it still required that a service publish its metadata?
OK, I found what I was looking for.
According to "WCF Security Guidelines" provided by Microsoft, under "Proxy Considerations" it is stated:
Proxy Considerations
Publish your WCF service metadata only when required.
If you need to publish your WCF service metadata, publish it over the HTTPS protocol.
If you need to publish your WCF service metadata, publish it using a secure binding.
If you turn off mutual authentication, be aware of service spoofing.
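The guidelines quoted above, expressed as a service configuration. This is an added example and not part of the original answer or of Microsoft's document; the service name, contract, behavior name and base address are placeholders.

```xml
<!-- Added example (constructed). Example.OrderService, Example.IOrderService,
     ProductionBehavior, TransportSecured and the base address are placeholders. -->
<configuration>
  <system.serviceModel>
    <bindings>
      <wsHttpBinding>
        <!-- Transport security so the application endpoint is served over HTTPS. -->
        <binding name="TransportSecured">
          <security mode="Transport" />
        </binding>
      </wsHttpBinding>
    </bindings>
    <services>
      <service name="Example.OrderService" behaviorConfiguration="ProductionBehavior">
        <host>
          <baseAddresses>
            <add baseAddress="https://services.example.com/orders" />
          </baseAddresses>
        </host>
        <endpoint address="" binding="wsHttpBinding"
                  bindingConfiguration="TransportSecured"
                  contract="Example.IOrderService" />
        <!-- Keep this endpoint only when metadata is required in production.
             mexHttpsBinding publishes MEX over HTTPS; mexHttpBinding is the
             plain-HTTP variant typically used at design time. -->
        <endpoint address="mex" binding="mexHttpsBinding"
                  contract="IMetadataExchange" />
      </service>
    </services>
    <behaviors>
      <serviceBehaviors>
        <behavior name="ProductionBehavior">
          <!-- Design-time setting this replaces: httpGetEnabled="true".
               WSDL retrieval (?wsdl) is allowed over HTTPS only. -->
          <serviceMetadata httpGetEnabled="false" httpsGetEnabled="true" />
        </behavior>
      </serviceBehaviors>
    </behaviors>
  </system.serviceModel>
</configuration>
```

When metadata is not required in production, remove the `mex` endpoint and the `serviceMetadata` element; clients whose proxies were already generated continue to work without them.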