Request Limits <requestLimits>

Overview

The <requestLimits> element specifies limits on HTTP requests that are processed by the Web server. These limits include the maximum size of a request, the maximum URL length, and the maximum length for a query string. In addition, the <requestLimits> element can contain a collection of user-defined HTTP header limits in the <headerLimits> element, which allows you to define custom settings on HTTP headers.

Note: When request filtering blocks an HTTP request because an HTTP request exceeds the request limits, IIS 7 will return an HTTP 404 error to the client and log one of the following HTTP statuses with a unique substatus that identifies the reason that the request was denied:

HTTP Substatus Description
404.13 Content Length Too Large
404.14 URL Too Long
404.15 Query String Too Long

These substatuses allow Web administrators to analyze their IIS logs and identify potential threats.

In addition, when an HTTP request exceeds the header limits that are defined in the in the <headerLimits> element, IIS 7 will return an HTTP 404 error to the client with the following substatus:

HTTP Substatus Description
404.10 Request Header Too Long

 

Compatibility

Version Notes
IIS 7.5 The <requestLimits> element was not modified in IIS 7.5.
IIS 7.0 The <requestLimits> element of the <requestFiltering> collection was introduced in IIS 7.0.
IIS 6.0 The <requestLimits> element replaces the IIS 6.0 UrlScan [RequestLimits] features.

Setup

The default installation of IIS 7 includes the Request Filtering role service. If the Request Filtering role service is uninstalled, you can reinstall it using the following steps.

Windows Server 2008 or Windows Server 2008 R2

  1. On the taskbar, click Start, point to Administrative Tools, and then click Server Manager.
  2. In the Server Manager hierarchy pane, expand Roles, and then click Web Server (IIS).
  3. In the Web Server (IIS) pane, scroll to the Role Services section, and then click Add Role Services.
  4. On the Select Role Services page of the Add Role Services Wizard, select Request Filtering, and then click Next.
  5. On the Confirm Installation Selections page, click Install.
  6. On the Results page, click Close.

Windows Vista or Windows 7

  1. On the taskbar, click Start, and then click Control Panel.
  2. In Control Panel, click Programs and Features, and then click Turn Windows Features on or off.
  3. Expand Internet Information Services, then World Wide Web Services, and then Security.
  4. Select Request Filtering, and then click OK.

How To

Note for IIS 7.0 users: Some of the steps in this section may require that you install the Microsoft Administration Pack for IIS 7.0, which includes a user interface for request filtering. To install the Microsoft Administration Pack for IIS 7.0, please see the following URL:

How to edit the request filtering feature settings and request limits

  1. Open Internet Information Services (IIS) Manager:
    • If you are using Windows Server 2008 or Windows Server 2008 R2:
      • On the taskbar, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
    • If you are using Windows Vista or Windows 7:
      • On the taskbar, click Start, and then click Control Panel.
      • Double-click Administrative Tools, and then double-click Internet Information Services (IIS) Manager.
  2. In the Connections pane, go to the connection, site, application, or directory for which you want to modify your request filtering settings.
  3. In the Home pane, double-click Request Filtering.

  4. Click Edit Feature Settings... in the Actions pane.

  5. Specify your options, and then click OK.

    For example, you could make the following changes:
    • Change the maximum URL length to 2KB by specifying 2048.
    • Change the maximum query string length to 1KB by specifying 1024.
    • Deny access to unlisted HTTP verbs by clearing the Allow unlisted verbs check box.

How to add limits for HTTP headers

  1. Open Internet Information Services (IIS) Manager:
    • If you are using Windows Server 2008 or Windows Server 2008 R2:
      • On the taskbar, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
    • If you are using Windows Vista or Windows 7:
      • On the taskbar, click Start, and then click Control Panel.
      • Double-click Administrative Tools, and then double-click Internet Information Services (IIS) Manager.
  2. In the Connections pane, go to the connection, site, application, or directory for which you want to modify your request filtering settings.
  3. In the Home pane, double-click Request Filtering.
  4. In the Request Filtering pane, click the Headers tab, and then click Add Header... in the Actions pane.
  5. In the Add Header dialog box, enter the HTTP header and the maximum size that you want for the header limit, and then click OK.

    For example, the "Content-type" header contains the MIME type for a request. Specifying a value of 100 would limit the length of the "Content-type" header to 100 bytes.

Configuration

Attributes

Attribute Description
maxAllowedContentLength Optional uint attribute.

Specifies the maximum length of content in a request, in bytes.

The default value is 30000000, which is approximately 28.6MB.
maxQueryString Optional uint attribute.

Specifies the maximum length of the query string, in bytes.

The default value is 2048.
maxUrl Optional uint attribute.

Specifies maximum length of the URL, in bytes.

The default value is 4096.

Child Elements

Element Description
headerlimits Optional element.

Specifies size limits for HTML headers.

Configuration Sample

The following example Web.config file will configure IIS to deny access for HTTP requests where the length of the "Content-type" header is greater than 100 bytes.

<configuration>
   <system.webServer>
      <security>
         <requestFiltering>
            <requestLimits>
               <headerLimits>
                  <add header="Content-type" sizeLimit="100" />
               </headerLimits>
            </requestLimits>
         </requestFiltering>
      </security>
   </system.webServer>
</configuration>

Sample Code

The following code samples will configure IIS to deny access for HTTP requests where the length of the "Content-type" header is greater than 100 bytes.

AppCmd.exe

appcmd.exe set config "Default Web Site" -section:system.webServer/security/requestFiltering /+"requestLimits.headerLimits.[header='Content-type',sizeLimit='100']" 

C#

using System;
using System.Text;
using Microsoft.Web.Administration;

internal static class Sample
{
   private static void Main()
   {
      using (ServerManager serverManager = new ServerManager())
      {
         Configuration config = serverManager.GetWebConfiguration("Default Web Site");
         ConfigurationSection requestFilteringSection = config.GetSection("system.webServer/security/requestFiltering");
         ConfigurationElement requestLimitsElement = requestFilteringSection.GetChildElement("requestLimits");
         ConfigurationElementCollection headerLimitsCollection = requestLimitsElement.GetCollection("headerLimits");

         ConfigurationElement addElement = headerLimitsCollection.CreateElement("add");
         addElement["header"] = @"Content-type";
         addElement["sizeLimit"] = 100;
         headerLimitsCollection.Add(addElement);

         serverManager.CommitChanges();
      }
   }
}

VB.NET

Imports System
Imports System.Text
Imports Microsoft.Web.Administration

Module Sample

   Sub Main()
      Dim serverManager As ServerManager = New ServerManager
      Dim config As Configuration = serverManager.GetWebConfiguration("Default Web Site")
      Dim requestFilteringSection As ConfigurationSection = config.GetSection("system.webServer/security/requestFiltering")
      Dim requestLimitsElement As ConfigurationElement = requestFilteringSection.GetChildElement("requestLimits")
      Dim headerLimitsCollection As ConfigurationElementCollection = requestLimitsElement.GetCollection("headerLimits")

      Dim addElement As ConfigurationElement = headerLimitsCollection.CreateElement("add")
      addElement("header") = "Content-type"
      addElement("sizeLimit") = 100
      headerLimitsCollection.Add(addElement)

      serverManager.CommitChanges()
   End Sub

End Module

JavaScript

var adminManager = new ActiveXObject('Microsoft.ApplicationHost.WritableAdminManager');
adminManager.CommitPath = "MACHINE/WEBROOT/APPHOST/Default Web Site";
var requestFilteringSection = adminManager.GetAdminSection("system.webServer/security/requestFiltering", "MACHINE/WEBROOT/APPHOST/Default Web Site");

var requestLimitsElement = requestFilteringSection.ChildElements.Item("requestLimits");
var headerLimitsCollection = requestLimitsElement.ChildElements.Item("headerLimits").Collection;

var addElement = headerLimitsCollection.CreateNewElement("add");
addElement.Properties.Item("header").Value = "Content-type";
addElement.Properties.Item("sizeLimit").Value = 100;
headerLimitsCollection.AddElement(addElement);

adminManager.CommitChanges();

VBScript

Set adminManager = WScript.CreateObject("Microsoft.ApplicationHost.WritableAdminManager")
adminManager.CommitPath = "MACHINE/WEBROOT/APPHOST/Default Web Site"
Set requestFilteringSection = adminManager.GetAdminSection("system.webServer/security/requestFiltering", "MACHINE/WEBROOT/APPHOST/Default Web Site")
Set requestLimitsElement = requestFilteringSection.ChildElements.Item("requestLimits")
Set headerLimitsCollection = requestLimitsElement.ChildElements.Item("headerLimits").Collection

Set addElement = headerLimitsCollection.CreateNewElement("add")
addElement.Properties.Item("header").Value = "Content-type"
addElement.Properties.Item("sizeLimit").Value = 100
headerLimitsCollection.AddElement(addElement)

adminManager.CommitChanges()
Deprecated Elements