Is it possible to add some kind of restriction to the web.config to limit URL parameter length? I want to prevent people at the earliest possible point from submitting too large URL parameters so the server doesn't get taxed more than necessary in the event that somebody tries to "attack" it with large invalid URL parameters.
+2
A:
See the following link:
http://learn.iis.net/page.aspx/143/use-request-filtering/
Here is an example of the IIS 7 config:
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <!-- All three limits are in bytes -->
        <requestLimits
          maxAllowedContentLength="30000000"
          maxUrl="260"
          maxQueryString="25"/>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
Kelsey
2010-06-04 21:07:45
Is this also enforced through the ASP.NET Cassini (Debug) Server? I tried this and I seem to be able to still submit larger URLs and query strings.
Alex
2010-06-04 21:20:22
@Alex no, this is an IIS setting, unless you can figure out how to configure it in Cassini. You probably wouldn't need it in Dev anyway, so I am not sure it is configurable.
Kelsey
2010-06-04 21:24:08
@Kelsey: Got it. Thank you.
Alex
2010-06-04 21:31:14
A:
http://www.iis.net/ConfigReference/system.webServer/security/requestFiltering/requestLimits
Just set maxQueryString.
ryancammer
2010-06-04 21:10:17
Is this also enforced through the ASP.NET Cassini (Debug) Server? I tried this and I seem to be able to still submit larger URLs and query strings.
Alex
2010-06-04 21:22:55
As an aside, are you running Vista or Win7? If so, can you run your project through IIS 7, as opposed to Cassini?
ryancammer
2010-06-04 22:12:48
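An added example, not from either answer or from IIS itself: a Python check that reads requestLimits from a web.config and reports which 404 substatus (404.13, 404.14, 404.15) a given request would trigger, so the limits can be tested against real application URLs before deployment. The function names and the sample config are constructed here, and it assumes maxUrl is measured on the path and maxQueryString on the text after "?".

```python
import xml.etree.ElementTree as ET

# IIS 7 defaults that apply when an attribute is missing from <requestLimits>
DEFAULTS = {"maxAllowedContentLength": 30000000, "maxUrl": 4096, "maxQueryString": 2048}
# HTTP 404 substatus codes that request filtering logs for each exceeded limit
SUBSTATUS = {"maxAllowedContentLength": "404.13", "maxUrl": "404.14", "maxQueryString": "404.15"}

# Constructed sample input: the settings from the answer above
SAMPLE_CONFIG = """
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <requestLimits maxAllowedContentLength="30000000" maxUrl="260" maxQueryString="25"/>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
"""

def load_limits(xml_text):
    """Return the effective requestLimits, falling back to the IIS defaults."""
    root = ET.fromstring(xml_text)
    node = root.find("./system.webServer/security/requestFiltering/requestLimits")
    limits = dict(DEFAULTS)
    if node is not None:
        for name in DEFAULTS:
            if name in node.attrib:
                limits[name] = int(node.attrib[name])
    return limits

def violations(limits, request_target, content_length=0):
    """List the substatus codes a request would trigger (empty list = allowed)."""
    # Assumption: maxUrl is measured on the path, maxQueryString on the text after "?"
    path, _, query = request_target.partition("?")
    sizes = {
        "maxUrl": len(path.encode("utf-8")),
        "maxQueryString": len(query.encode("utf-8")),
        "maxAllowedContentLength": content_length,
    }
    return sorted(SUBSTATUS[name] for name, size in sizes.items() if size > limits[name])

if __name__ == "__main__":
    limits = load_limits(SAMPLE_CONFIG)
    for target in ("/search?q=abc", "/search?q=" + "a" * 40, "/" + "a" * 300):
        print(target[:30], violations(limits, target) or "allowed")
```

Running the application's longest legitimate URLs through violations() before tightening maxUrl or maxQueryString shows whether a value such as 25 would also block normal traffic.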