Tweaking a few URL validation settings on ASP.NET v4.0

ASP.NET has a few default settings for URLs out of the box. These can be configured quite easily in the web.config file within the  <system.web>/<httpRuntime> configuration section. Some of these are:

<httpRuntime maxUrlLength=”<number here>

This number should be an integer value (defaults to 260 characters). The value must be greater than or equal to zero, though obviously small values will lead to an un-useable website. This attribute gates the length of the Url without query string.

<httpRuntime maxQueryStringLength=”<number here>”. 

This number should be an integer value (defaults to 2048 characters). The value must be greater than or equal to zero, though obviously small values will lead to an un-useable website.

<httpRuntime requestPathInvalidCharacters=”List of characters you need included in ASP.NETs validation checks/>

By default the characters are “<,>,*,%,&,:,\,?”. However once can easily change this by setting by modifying web.config. Remember, these characters can be specified in a variety of formats. For example, I want the character ‘!’ to be included in ASP.NETs URL validation logic. So I set the following: <httpRuntime requestPathInvalidCharacters=”<,>,*,%,&,:,\,?,!”. A character could also be specified in its xml encoded form. ‘&lt;;’ would mean the ‘<’ sign). I could specify the ‘!’ in its xml encoded unicode format such as requestPathInvalidCharacters=”<,>,*,%,&,:,\,?,$#x0021;” or I could specify it in its unicode encoded form or in the “<,>,*,%,&,:,\,?,%u0021” format.

The following settings can be applied at Root Web.Config level, App Web.config level, Folder level or within a location tag:

<location path="some path here">    
<httpRuntime maxUrlLength="" maxQueryStringLength="" requestPathInvalidChars="" />

If any of the above settings fail request validation, an Http 400 “Bad Request” HttpException is thrown. These can be easily handled on the Application_Error handler on Global.asax.


Also, a new attribute in <httpRuntime /> called “relaxedUrlToFileSystemMapping” has been added with a default of false.

<httpRuntimerelaxedUrlToFileSystemMapping="true|false" /> 

When the relaxedUrlToFileSystemMapping attribute is set to false inbound Urls still need to be valid NTFS file paths. For example Urls (sans query string) need to be less than 260 characters; no path segment within a Url can use old-style DOS device names (LPT1, COM1, etc…); Urls must be valid Windows file paths.

A url like “” should work with this attribute set to true (of course a few characters will need to be unblocked by removing them from requestPathInvalidCharacters="" above).

Managed configuration for non-NTFS-compliant Urls is determined from the first valid configuration path found when walking up the path segments of the Url. For example, if the request Url is "/foo/bar/baz/<blah>data</blah>", and there is a web.config in the "/foo/bar" directory, then the managed configuration for the request comes from merging the configuration hierarchy to include the web.config from "/foo/bar".

The value of the public property HttpRequest.PhysicalPath is set to [physical file path of the application root] + "REQUEST_URL_IS_NOT_A_VALID_FILESYSTEM_PATH". For example, given a request Url like "/foo/bar/baz/<blah>data</blah>", where the application root is "/foo/bar" and the physical file path for that root is "c:\inetpub\wwwroot\foo\bar", then PhysicalPath would be "c:\inetpub\wwwroot\foo\bar\ REQUEST_URL_IS_NOT_A_VALID_FILESYSTEM_PATH".


  • will this also allow the url rewriter to handle urls that end in a "." ? I'm having a problem with this right now.

  • I am working on a Reverse Proxy project implemented as a HTTP handler in .NET framework 4.0 and run on IIS 7.0.
    One of the HTTP GET request send from browser has a URL Path longer than 320 characters (only the URL path after the domain, not count the query string.) . The IIS 7 return 400 Bad Request and never dispatch the request to the Http Handler.
    The problem is reguarding to the URL path length. If I shorten the request URL path to less than 260 characters, it will work as expected.
    I had added the following element:

    under the element in the web.config file.

    But it only extend the valid URL path length from 260 to about 282 characters. The request URL path longer than 282 character will fail in the same way ( return 400 Bad Request)

    Below is the configuration settings for http handler in the web.config file under

    Any suggestion reguarding how to make the IIS 7 to accept the Http request with longer URL path?

  • oh fa troppo caldo!

Comments have been disabled for this content.