
KB0000420 Web.Config File

Below is a sample Web.Config file, located in the piabws folder, which sets the IIS and ASP.NET options for the PIAB web application.

Size of Files and Requests

IIS and ASP.NET protect the server by limiting the size of a request body. The right limit varies from site to site, depending on what users need to upload, and two settings have to agree: maxRequestLength on system.web/httpRuntime (ASP.NET, in kilobytes) and maxAllowedContentLength on system.webServer/security/requestFiltering/requestLimits (IIS request filtering, in bytes). Whichever is smaller is the limit actually enforced; IIS checks its limit first and answers an oversized request with HTTP 404.13 before ASP.NET sees it. In the sample file below the two values are close but not equal: 50000 KB is 51,200,000 bytes, so the IIS value of 50,000,000 bytes is the effective limit.
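As an added illustration (not part of the original page or of PIAB), the following Python script reads the two limits from a web.config and reports which one actually applies, using a constructed fragment with the same values as the sample file below. The defaults it falls back to (4096 KB and 30,000,000 bytes) are the documented ASP.NET and IIS defaults; the function and constant names are the example's own.

```python
"""Work out which of the two request-size limits in a web.config actually applies.
Example code for this page, not part of PIAB."""
import math
import xml.etree.ElementTree as ET

# Documented defaults used when the attribute is absent.
DEFAULT_MAX_REQUEST_LENGTH_KB = 4096             # system.web/httpRuntime, kilobytes
DEFAULT_MAX_ALLOWED_CONTENT_LENGTH = 30_000_000  # requestFiltering/requestLimits, bytes

# Constructed fragment carrying the same values as the sample file on this page.
SAMPLE_WEB_CONFIG = """
<configuration>
  <system.web>
    <httpRuntime maxRequestLength="50000" requestValidationMode="4.5" />
  </system.web>
  <system.webServer>
    <security>
      <requestFiltering allowDoubleEscaping="true">
        <requestLimits maxAllowedContentLength="50000000" />
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
"""


def effective_upload_limit(web_config_xml: str) -> dict:
    """Return both limits in bytes, the smaller one, and which setting binds."""
    root = ET.fromstring(web_config_xml.strip())
    http_runtime = root.find("./system.web/httpRuntime")
    request_limits = root.find("./system.webServer/security/requestFiltering/requestLimits")

    kb = DEFAULT_MAX_REQUEST_LENGTH_KB
    if http_runtime is not None and http_runtime.get("maxRequestLength"):
        kb = int(http_runtime.get("maxRequestLength"))
    aspnet_bytes = kb * 1024                     # maxRequestLength is in KB

    iis_bytes = DEFAULT_MAX_ALLOWED_CONTENT_LENGTH
    if request_limits is not None and request_limits.get("maxAllowedContentLength"):
        iis_bytes = int(request_limits.get("maxAllowedContentLength"))  # already bytes

    # IIS request filtering runs before ASP.NET, so an oversized body fails the IIS
    # limit first (HTTP 404.13); only when the ASP.NET limit is lower does ASP.NET reject it.
    binding = "maxAllowedContentLength" if iis_bytes <= aspnet_bytes else "maxRequestLength"
    return {
        "maxRequestLength_bytes": aspnet_bytes,
        "maxAllowedContentLength_bytes": iis_bytes,
        "effective_bytes": min(aspnet_bytes, iis_bytes),
        "binding": binding,
    }


def settings_for_max_upload(max_bytes: int) -> dict:
    """Attribute values that let uploads up to max_bytes pass both checks (KB rounded up)."""
    return {"maxRequestLength": math.ceil(max_bytes / 1024),
            "maxAllowedContentLength": max_bytes}


if __name__ == "__main__":
    print(effective_upload_limit(SAMPLE_WEB_CONFIG))
    print(settings_for_max_upload(100 * 1024 * 1024))
```

Run against a copy of the real web.config, the "binding" entry tells you which attribute to raise when a legitimate upload is rejected, and settings_for_max_upload gives a matching pair so the two limits do not silently disagree again.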

ASP.NET Client-Side Controls and Javascript

ASP.NET generates the client-side id attributes of server controls automatically, and PIAB's client-side JavaScript depends on those generated names. The naming scheme changed between ASP.NET versions: this version of PIAB runs on ASP.NET 4, but renders controls in "3.5" compatibility mode so that the generated IDs still match what the JavaScript expects. This is set in the pages section:

<pages 
  validateRequest="true"
  enableEventValidation="true"
  controlRenderingCompatibilityVersion="3.5"
  clientIDMode="AutoID" />

Security and Validation

ASP.NET request validation, which is enabled by default (the sample file runs it in requestValidationMode="4.5", where a value is checked when the page first reads it), rejects form, query-string and cookie values that look like markup, e.g. text containing HTML tags, by throwing an HttpRequestValidationException. This is intended to stop script and markup being injected into the site, but sometimes it is legitimate to post text that includes markup. Validation can be disabled for the entire site by setting validateRequest="false" in the pages section. This is not recommended: request validation is only a coarse filter, and switching it off site-wide removes a layer of cross-site scripting defence from every page. If it is needed at all, treat it as an interim measure for a specific site, and make sure any page that renders posted markup still HTML-encodes or sanitises it. See below on how to disable validation for specific pages only.
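To make concrete what request validation does and does not catch, here is an added Python port of the ASP.NET 4.x heuristic (IsDangerousString in System.Web.CrossSiteScriptingValidation, from the .NET Framework reference source), run over a few constructed form values. This is example code written for this page, not PIAB code; RequestValidationError, validate_form, is_rejected and the sample values are the example's own.

```python
"""Port of the ASP.NET 4.x request-validation heuristic (IsDangerousString in
System.Web.CrossSiteScriptingValidation, .NET Framework reference source).
Example code for this page, not part of PIAB."""


class RequestValidationError(ValueError):
    """Stand-in for System.Web.HttpRequestValidationException (example name)."""


def is_dangerous_string(value: str) -> tuple:
    """Return (dangerous, index). ASP.NET 4 flags '<' followed by a letter, '!', '/'
    or '?', and '&' followed by '#'; everything else passes."""
    i = 0
    while True:
        hits = [p for p in (value.find("<", i), value.find("&", i)) if p >= 0]
        if not hits:
            return False, -1           # no candidate start character left
        n = min(hits)
        if n == len(value) - 1:
            return False, -1           # a trailing '<' or '&' is treated as safe
        nxt = value[n + 1]
        if value[n] == "<" and ((nxt.isascii() and nxt.isalpha()) or nxt in "!/?"):
            return True, n
        if value[n] == "&" and nxt == "#":
            return True, n
        i = n + 1


def validate_form(fields: dict, validate_request: bool = True) -> dict:
    """Mimic the check ASP.NET applies to Request.Form when validateRequest is on:
    raise on the first offending field, otherwise hand the fields back untouched."""
    if validate_request:
        for name, value in fields.items():
            dangerous, at = is_dangerous_string(value)
            if dangerous:
                raise RequestValidationError(
                    f'A potentially dangerous Request.Form value was detected '
                    f'from the client ({name}="{value[at:at + 20]}")')
    return fields


def is_rejected(value: str) -> bool:
    """True when a single form field holding value would be blocked."""
    try:
        validate_form({"field": value})
        return False
    except RequestValidationError:
        return True


# Constructed form values, not captured traffic; the flag is the expected verdict.
SAMPLE_POSTS = {
    "<b>bold</b>": True,               # tag-like: rejected
    "a < b and c > d": False,          # '<' followed by a space: allowed
    "&#60;script&#62;": True,          # numeric entity: rejected
    "AT&T": False,                     # '&' not followed by '#': allowed
    '" onmouseover="alert(1)': False,  # attribute-context injection: NOT caught
    "javascript:alert(1)": False,      # scheme injection: NOT caught
}

if __name__ == "__main__":
    for value, expected in SAMPLE_POSTS.items():
        print(f"{value!r:32} rejected={is_rejected(value)} (expected {expected})")
```

The last two sample values are the point: request validation only looks for tag-like text and numeric entities, so input that breaks out of an attribute or supplies a javascript: URL passes straight through. That is why the page that renders the data still has to encode it, whether or not validateRequest is on.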

Removing Server Information from Headers

In this version, some platform-identifying information is removed from the response headers so that an attacker cannot read the server software and framework version straight from every response. This is done in the httpProtocol section (the X-Powered-By and X-AspNet-Version custom headers) and in the rewrite section (the Server header). Note that X-AspNet-Version is added by the ASP.NET runtime itself, so the reliable way to suppress it is enableVersionHeader="false" on system.web/httpRuntime. The rewrite rules require the IIS URL Rewrite module to be installed, so by default this section is commented out, as we can't rely on the module being present. To enable it:

  • Install the IIS URL Rewrite module
  • Uncomment the rewrite section and save the web.config file

On IIS 10 (Windows Server version 1709 and later) the Server header can also be suppressed without URL Rewrite by setting removeServerHeader="true" on system.webServer/security/requestFiltering.
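Once the headers are removed, the check a practitioner wants is to look at a real response. The following Python helper (added here; not PIAB code) parses a raw HTTP response, or fetches one over the network with check_url, and lists any of the platform-identifying headers still present. The two captured responses are constructed for the example, as are the function names.

```python
"""Report server-identifying response headers that the web.config should have removed.
Example code for this page, not part of PIAB."""
import http.client
from urllib.parse import urlparse

# Headers that reveal the platform. The sample web.config removes the middle two via
# <customHeaders> and blanks Server via the URL Rewrite rule; the MVC header is listed
# for completeness on sites that use ASP.NET MVC.
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")


def disclosure_headers(headers) -> dict:
    """headers: iterable of (name, value). Return the leaking ones keyed by lower-cased name.
    An empty value (which the blanking rewrite rule can leave behind) counts as suppressed."""
    found = {}
    for name, value in headers:
        if name.lower() in DISCLOSURE_HEADERS and value.strip():
            found[name.lower()] = value.strip()
    return found


def parse_raw_response(raw: str) -> list:
    """Split the header block of a raw HTTP/1.1 response into (name, value) pairs."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:        # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip(), value.strip()))
    return pairs


def check_url(url: str, timeout: float = 5.0) -> dict:
    """Live check: GET the URL and report leaking headers (needs network access)."""
    u = urlparse(url)
    conn_cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(u.hostname, u.port, timeout=timeout)
    conn.request("GET", u.path or "/")
    resp = conn.getresponse()
    return disclosure_headers(resp.getheaders())


# Constructed responses: a stock IIS/ASP.NET reply and one after the headers are removed.
BEFORE_RESPONSE = ("HTTP/1.1 200 OK\r\n"
                   "Server: Microsoft-IIS/10.0\r\n"
                   "X-Powered-By: ASP.NET\r\n"
                   "X-AspNet-Version: 4.0.30319\r\n"
                   "Content-Type: text/html\r\n\r\n<html>")
AFTER_RESPONSE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"

if __name__ == "__main__":
    print("before:", disclosure_headers(parse_raw_response(BEFORE_RESPONSE)))
    print("after: ", disclosure_headers(parse_raw_response(AFTER_RESPONSE)))
```

Check an error page (a request for a missing .aspx, for instance) as well as the home page: IIS and ASP.NET add these headers on their own error responses too, and the customHeaders removal only covers what passes through the normal pipeline.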

Example web.config File

<?xml version="1.0" encoding="utf-8"?>
<!-- 

Version 5.1.0.001

Maximum File Size Limits
Set limits to protect your server and network from attacks and uploading huge files.     
system.web/httpRuntime maxRequestLength="[number in kbytes]"
system.webServer/requestLimits maxAllowedContentLength="[number in bytes]"
     
IIS Errors
The default is "DetailedLocalOnly", which shows detailed error pages only to browsers on the server itself.
It can be set to "Detailed" to view error pages remotely, which may be useful when reporting errors, but
detailed pages expose stack traces and file paths, so revert it once the problem is diagnosed.
system.webServer/httpErrors errorMode="DetailedLocalOnly"
     
API Documentation
For security, hide the web service documentation page using system.web/webServices/protocols/remove name="Documentation" 
-->
<configuration>

  <system.web>
    <!-- 
    Note: controlRenderingCompatibilityVersion="3.5" clientIDMode="AutoID" 
    these are required as MS have changed the default way that server control ID are generated.
    the default is "4.0" which will not work with PIAB.
    -->
    <pages validateRequest="true" enableEventValidation="true" controlRenderingCompatibilityVersion="3.5" clientIDMode="AutoID" />
    <!--
    requestValidationMode="4.5" defers request validation until a value is read, which is what
    lets the per-page validateRequest="false" overrides described below take effect.
    enableVersionHeader="false" can be added here to stop ASP.NET emitting the X-AspNet-Version header.
    -->
    <httpRuntime maxRequestLength="50000" requestValidationMode="4.5" />
    <!--
    debug="true" makes ASP.NET return detailed compilation errors and ignore executionTimeout;
    set it to "false" on production servers.
    -->
    <compilation defaultLanguage="vb" debug="true" targetFramework="4.5.1">
      <assemblies>
        <add assembly="System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
      </assemblies>
    </compilation>
    <webServices>
      <protocols>
        <remove name="Documentation" />
      </protocols>
    </webServices>
  </system.web>
  
  <system.webServer>
    <httpErrors errorMode="DetailedLocalOnly" />
	
    <security>
      <!--
      allowDoubleEscaping="true" makes IIS accept URLs containing double-encoded sequences
      (e.g. %252e), which request filtering rejects by default; keep it only if the application needs it.
      -->
      <requestFiltering allowDoubleEscaping="true">
        <requestLimits maxAllowedContentLength="50000000" />
      </requestFiltering>
    </security>

    <staticContent>
      <remove fileExtension=".piabx" />
      <remove fileExtension=".spn" />
      <mimeMap fileExtension=".piabx" mimeType="application/piabx+xml" />
      <mimeMap fileExtension=".spn" mimeType="application/spn+xml" />
    </staticContent>

    <!-- 
    For security, remove server info from response headers 
    -->
    <httpProtocol>
       <customHeaders>
         <remove name="X-Powered-By" />
         <remove name="X-AspNet-Version" />
       </customHeaders>
    </httpProtocol>

    <!-- 
    For security, remove server info from the response.
    Note that this requires the IIS Url Rewrite module installed.
    -->
    <!--
    <rewrite>
        <outboundRules rewriteBeforeCache="true">
            <rule name="Remove Server header">
                <match serverVariable="RESPONSE_Server" pattern=".+" />
                <action type="Rewrite" value="" />
            </rule>
        </outboundRules>
    </rewrite>
    -->
  </system.webServer>
</configuration>

Allow Markup in Selected Pages

To disable validation for specific pages only, and so allow markup such as HTML to be posted to them, add a <location> element inside the <configuration> element as follows. The path attribute names the page (or a folder, in which case every page under it is covered). Keep this list short, and make sure each such page HTML-encodes or sanitises the posted text before rendering it, since request validation no longer protects it.

<configuration>
  ...
  <location path="PortfolioSummary.aspx">
    <system.web>
      <pages validateRequest="false" />
    </system.web>
  </location>
  ...
</configuration>
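Because each <location> override widens the attack surface by one page, it is worth being able to list them. The Python script below (an added example, not part of PIAB) parses a constructed web.config containing the site-wide setting and two overrides, one for a page and one for a folder, and reports where validation is off; validation_report and the sample fragment are the example's own.

```python
"""List where request validation is switched off in a web.config.
Example code for this page, not part of PIAB."""
import xml.etree.ElementTree as ET

# Constructed fragment: site-wide validation on, two <location> overrides
# (one page, one folder whose pages all inherit the override).
SAMPLE_WEB_CONFIG = """
<configuration>
  <system.web>
    <pages validateRequest="true" enableEventValidation="true" />
    <httpRuntime requestValidationMode="4.5" />
  </system.web>
  <location path="PortfolioSummary.aspx">
    <system.web>
      <pages validateRequest="false" />
    </system.web>
  </location>
  <location path="Reports">
    <system.web>
      <pages validateRequest="false" />
    </system.web>
  </location>
</configuration>
"""


def _is_true(elem, attr, default):
    """Read a boolean attribute; ElementTree elements are falsy when childless, so test for None."""
    if elem is None or elem.get(attr) is None:
        return default
    return elem.get(attr).strip().lower() == "true"


def validation_report(web_config_xml: str) -> dict:
    """Site-wide validateRequest, the validation mode, and every path where validation is off."""
    root = ET.fromstring(web_config_xml.strip())
    site_wide = _is_true(root.find("./system.web/pages"), "validateRequest", True)  # ASP.NET default is on
    runtime = root.find("./system.web/httpRuntime")
    mode = runtime.get("requestValidationMode", "not set") if runtime is not None else "not set"

    disabled, warnings = [], []
    if not site_wide:
        warnings.append("validateRequest is false site-wide: every page accepts raw markup")
    for loc in root.findall("./location"):
        pages = loc.find("./system.web/pages")
        if pages is None or pages.get("validateRequest") is None:
            continue
        path = loc.get("path", "")
        if not _is_true(pages, "validateRequest", True):
            disabled.append(path or "<whole application>")   # a <location> without path covers everything
            if not path.lower().endswith(".aspx"):
                warnings.append(f"override for '{path}' is a folder or the whole application, not a single page")
    return {
        "site_wide_validate_request": site_wide,
        "requestValidationMode": mode,
        "validation_disabled_for": sorted(disabled),
        "warnings": warnings,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(validation_report(SAMPLE_WEB_CONFIG), indent=2))
```

The folder warning is deliberate: a path such as "Reports" switches validation off for every page beneath it, which is rarely what was intended when the requirement was one page that accepts formatted text.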
5_2/web_config_file.txt · Last modified: 2019/03/02 17:14 (external edit)