Below is a sample Web.Config file, located in the piabws folder, which sets IIS options for the PIAB web application.
IIS protects the server by setting limits on the size of data that can be transferred. The appropriate limits vary from site to site, depending on your needs. You may need to set maxRequestLength (in kilobytes) and maxAllowedContentLength (in bytes) to allow files of the required size to be transferred while still rejecting anything larger.
<pages validateRequest="true" enableEventValidation="true" controlRenderingCompatibilityVersion="3.5" clientIDMode="AutoID" />
In .NET 4.5, by default, IIS performs validation on form input data to prevent markup (e.g. HTML) from being posted. This is intended to prevent malicious code from being added, but sometimes it is legitimate to post text that includes markup. Validation can be disabled for the entire site by setting validateRequest="false". This is not recommended, but may be necessary as an interim solution for a specific site. See below for how to disable validation for specific pages only.
In this version, some information is removed from the response headers to hide server details from potential hackers. This is done in the httpProtocol and rewrite sections. Note that the rewrite rules require the IIS URL Rewrite module to be installed, so by default this section is commented out, as we can't rely on the module being present. To enable it, install the module and remove the comment markers around the <rewrite> section:
<?xml version="1.0" encoding="utf-8"?>
<!--
  Version 5.1.0.001

  Maximum File Size Limits
  Set limits to protect your server and network from attacks and from uploading huge files.
    system.web/httpRuntime maxRequestLength="[number in kbytes]"
    system.webServer/security/requestFiltering/requestLimits maxAllowedContentLength="[number in bytes]"

  IIS Errors
  The default is "DetailedLocalOnly", but it can be set to "Detailed" to view error pages
  remotely, which may be useful for reporting errors.
    system.webServer/httpErrors errorMode="DetailedLocalOnly"

  API Documentation
  For security, hide the web service documentation page using
    system.web/webServices/protocols/remove name="Documentation"
-->
<configuration>
  <system.web>
    <!-- Note: controlRenderingCompatibilityVersion="3.5" and clientIDMode="AutoID" are required
         because Microsoft changed the default way that server control IDs are generated;
         the default is "4.0", which will not work with PIAB. -->
    <pages validateRequest="true" enableEventValidation="true" controlRenderingCompatibilityVersion="3.5" clientIDMode="AutoID" />
    <httpRuntime maxRequestLength="50000" requestValidationMode="4.5" />
    <!-- debug="true" is for development; set it to "false" on production servers,
         where debug compilation is slower and exposes more detail in error output. -->
    <compilation defaultLanguage="vb" debug="true" targetFramework="4.5.1">
      <assemblies>
        <add assembly="System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
      </assemblies>
    </compilation>
    <webServices>
      <protocols>
        <remove name="Documentation" />
      </protocols>
    </webServices>
  </system.web>
  <system.webServer>
    <httpErrors errorMode="DetailedLocalOnly" />
    <security>
      <requestFiltering allowDoubleEscaping="true">
        <requestLimits maxAllowedContentLength="50000000" />
      </requestFiltering>
    </security>
    <staticContent>
      <remove fileExtension=".piabx" />
      <remove fileExtension=".spn" />
      <mimeMap fileExtension=".piabx" mimeType="application/piabx+xml" />
      <mimeMap fileExtension=".spn" mimeType="application/spn+xml" />
    </staticContent>
    <!-- For security, remove server info from response headers -->
    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By" />
        <remove name="X-AspNet-Version" />
      </customHeaders>
    </httpProtocol>
    <!-- For security, remove server info from the response.
         Note that this requires the IIS URL Rewrite module to be installed. -->
    <!--
    <rewrite>
      <outboundRules rewriteBeforeCache="true">
        <rule name="Remove Server header">
          <match serverVariable="RESPONSE_Server" pattern=".+" />
          <action type="Rewrite" value="" />
        </rule>
      </outboundRules>
    </rewrite>
    -->
  </system.webServer>
</configuration>
To disable validation on specific pages, and so allow markup (e.g. HTML) to be posted to them, include a <location> element within the <configuration> section as follows. The 'path' attribute contains the name of the page.
<configuration>
  ...
  <location path="PortfolioSummary.aspx">
    <system.web>
      <pages validateRequest="false" />
    </system.web>
  </location>
  ...
</configuration>
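As an added example (not part of the PIAB documentation or product), the following Python script audits a Web.config for the settings discussed on this page: it converts the two size limits to a common unit to find the one that actually applies, reports where request validation is turned off (site-wide and per <location>), flags debug="true", and checks that the version headers are removed and whether the Server-header rewrite rule is live or still commented out. The embedded config is constructed from the values shown above; the fallback values used when an attribute is absent are the documented ASP.NET/IIS defaults.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the settings from the PIAB Web.config above, with the
# <rewrite> block still commented out and one per-page <location> override.
SAMPLE_WEB_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <pages validateRequest="true" enableEventValidation="true" />
    <httpRuntime maxRequestLength="50000" requestValidationMode="4.5" />
    <compilation defaultLanguage="vb" debug="true" targetFramework="4.5.1" />
    <webServices><protocols><remove name="Documentation" /></protocols></webServices>
  </system.web>
  <system.webServer>
    <httpErrors errorMode="DetailedLocalOnly" />
    <security>
      <requestFiltering allowDoubleEscaping="true">
        <requestLimits maxAllowedContentLength="50000000" />
      </requestFiltering>
    </security>
    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By" />
        <remove name="X-AspNet-Version" />
      </customHeaders>
    </httpProtocol>
    <!-- <rewrite><outboundRules><rule name="Remove Server header" /></outboundRules></rewrite> -->
  </system.webServer>
  <location path="PortfolioSummary.aspx">
    <system.web><pages validateRequest="false" /></system.web>
  </location>
</configuration>
"""

# Values that apply when the attribute is omitted (ASP.NET and IIS defaults).
DEFAULT_MAX_REQUEST_LENGTH_KB = 4096
DEFAULT_MAX_ALLOWED_CONTENT_LENGTH_BYTES = 30_000_000
VERSION_HEADERS = {"X-Powered-By", "X-AspNet-Version"}


def _attr(root, path, name, default):
    """Read attribute `name` from the element at `path`, falling back to `default`."""
    el = root.find(path)
    return el.get(name, default) if el is not None else default


def effective_upload_limit_bytes(root):
    """Smaller of the two size limits, both converted to bytes.

    maxRequestLength is in kilobytes and maxAllowedContentLength in bytes; a
    request over either limit is rejected, so the lower one is what applies.
    """
    kb = int(_attr(root, "system.web/httpRuntime", "maxRequestLength",
                   DEFAULT_MAX_REQUEST_LENGTH_KB))
    content = int(_attr(root, "system.webServer/security/requestFiltering/requestLimits",
                        "maxAllowedContentLength", DEFAULT_MAX_ALLOWED_CONTENT_LENGTH_BYTES))
    return min(kb * 1024, content)


def pages_with_validation_disabled(root):
    """"*" if validateRequest is off site-wide, plus each <location> path that turns it off."""
    off = []
    if _attr(root, "system.web/pages", "validateRequest", "true").lower() == "false":
        off.append("*")
    for loc in root.findall("location"):
        if _attr(loc, "system.web/pages", "validateRequest", "true").lower() == "false":
            off.append(loc.get("path", "*"))
    return off


def audit(config_text):
    """Parse a Web.config and return the settings discussed above plus readable findings."""
    root = ET.fromstring(config_text)
    removed = {r.get("name") for r in
               root.findall("system.webServer/httpProtocol/customHeaders/remove")}
    result = {
        "effective_upload_limit_bytes": effective_upload_limit_bytes(root),
        "validation_disabled_for": pages_with_validation_disabled(root),
        "debug_enabled": _attr(root, "system.web/compilation", "debug", "false").lower() == "true",
        "version_headers_removed": VERSION_HEADERS <= removed,
        "documentation_protocol_removed":
            root.find("system.web/webServices/protocols/remove[@name='Documentation']") is not None,
        # ElementTree drops comments, so a <rewrite> present in the text but absent from
        # the parsed tree is the "commented out until the module is installed" case.
        "server_header_rule_active": root.find("system.webServer/rewrite") is not None,
    }
    findings = []
    if result["validation_disabled_for"]:
        findings.append("request validation disabled for: " + ", ".join(result["validation_disabled_for"]))
    if result["debug_enabled"]:
        findings.append('compilation debug="true"; set to "false" on production servers')
    if not result["version_headers_removed"]:
        findings.append("version headers not removed: " + ", ".join(sorted(VERSION_HEADERS - removed)))
    if not result["documentation_protocol_removed"]:
        findings.append("web service Documentation protocol still enabled")
    if not result["server_header_rule_active"]:
        state = "commented out" if "<rewrite>" in config_text else "missing"
        findings.append(f"Server header rewrite rule is {state} (needs IIS URL Rewrite module)")
    result["findings"] = findings
    return result


if __name__ == "__main__":
    report = audit(SAMPLE_WEB_CONFIG)
    print("effective upload limit:", report["effective_upload_limit_bytes"], "bytes")
    for finding in report["findings"]:
        print("-", finding)
```

Run against a real Web.config by passing its contents to audit(). Note that with the values on this page the 50000 KB maxRequestLength works out to 51,200,000 bytes, so the 50,000,000-byte maxAllowedContentLength is the limit that actually applies; the script reports the smaller of the two so that mismatch is visible.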