The security information for a SOAP message is contained in an optional header component that follows the SOAP envelope. Its XML semantics and syntax are based on WS-Security design standards and recommendations for authentication components such as signing, encryption, use of authentication tokens, and security timestamps.

The security options of an outbound/inbound message pair often share a dependency. For example, if an outbound message is signed by a web service, the web service receiving the signed message must define the security parameters of an inbound message so that it can address (for example, verify) signed messages.