All Web Services should be run over HTTPS

If you are creating a publicly available web service, make sure it is available over HTTPS and encourage people to use the HTTPS version.

There are way too many badly behaved firewalls and proxies (from companies that should know better) that munge things in ways that are very hard to debug.

For instance (just as a totally random example that I swear has caused me no pain whatsoever over the last few weeks…), Checkpoint's NG55 firewall has built-in “Cross Site Scripting Protection”. Unfortunately, it fails to check MIME types, SOAP actions or even the User-Agent header; it just blindly drops any content that contains one of various defined keywords. It's a stupid, stupid idea (especially since it doesn't seem to check Unicode versions of the same strings) that is best protected against by running over HTTPS.

If you don't, then when a client rings up and tells you that your software has broken and they are sure they didn't change anything, you have yet another thing to check for.
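As an added example (not code from the original post), here is a small Python client-side check that refuses to call an endpoint over plain HTTP and classifies a response so that a body munged by an in-path filter is recognised as such instead of being chased as an application bug. The endpoint name and the three sample responses are constructed for the example.

```python
"""Client-side guards for an XML-over-HTTP service (added example; sample data is constructed)."""
from urllib.parse import urlparse
import xml.etree.ElementTree as ET

# Media types a well-behaved XML/SOAP service is expected to answer with.
XML_MEDIA_TYPES = {"text/xml", "application/xml", "application/soap+xml"}

def require_https(url: str) -> str:
    """Return the URL unchanged if it uses HTTPS; refuse anything else, since over
    plain HTTP an in-path firewall or proxy can read and rewrite both bodies."""
    if urlparse(url).scheme.lower() != "https":
        raise ValueError(f"refusing non-HTTPS endpoint: {url}")
    return url

def diagnose_response(status: int, content_type: str, body: bytes) -> str:
    """Classify a response so a body altered in transit is not mistaken for an
    application bug. Returns 'ok' or a short reason."""
    if status != 200:
        return f"unexpected status {status}"
    media = content_type.split(";")[0].strip().lower()
    if media not in XML_MEDIA_TYPES:
        # A proxy block page typically arrives as text/html with status 200.
        return f"unexpected content type {media!r}"
    try:
        ET.fromstring(body)
    except ET.ParseError as exc:
        # Truncated or rewritten in transit: the XML no longer parses.
        return f"body is not well-formed XML ({exc})"
    return "ok"

# Constructed samples: a genuine reply, a proxy block page, a truncated reply.
GOOD_BODY = (b'<?xml version="1.0"?>'
             b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
             b'<soap:Body><GetStatusResponse><Status>ok</Status></GetStatusResponse>'
             b'</soap:Body></soap:Envelope>')
BLOCK_PAGE = b"<html><body>Request blocked by content filter</body></html>"
TRUNCATED_BODY = GOOD_BODY[:40]

def run_samples() -> dict:
    """Diagnose each constructed sample; doubles as the example's self-check."""
    return {
        "genuine": diagnose_response(200, "text/xml; charset=utf-8", GOOD_BODY),
        "block_page": diagnose_response(200, "text/html", BLOCK_PAGE),
        "truncated": diagnose_response(200, "text/xml", TRUNCATED_BODY),
    }

if __name__ == "__main__":
    require_https("https://service.example/soap")  # hypothetical endpoint
    for name, verdict in run_samples().items():
        print(f"{name}: {verdict}")
```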

Damn it! This XML over HTTP thing was supposed to be easy.
