Information
The maxURL attribute of the <requestLimits> property is the maximum length (in Bytes) in which a requested URL can be (excluding query string) in order for IIS to accept. Configuring this Request Filter enables administrators to restrict the length of the requests that the server will accept.
It is recommended that a limit be put on the length of URL.
Rationale:
With a properly configured Request Filter limiting the amount of data accepted in the URL, chances of undesired application behaviors affecting the availability of content and services are reduced.
Impact:
Length of the URL will be restricted to the maximum value set.
Solution
The MaxURL Request Filter may be set for a server, website, or application using the IIS Manager GUI, using AppCmd.exe commands in a command-line window, and/or directly editing the configuration files. To configure using the IIS Manager GUI:
Open Internet Information Services (IIS) Manager
In the Connections pane, click on the connection, site, application, or directory to be configured
In the Home pane, double-click Request Filtering
Click Edit Feature Settings... in the Actions pane
Under the Request Limits section, key the maximum URL length in bytes that has been tested with web applications
Enter the following command in AppCmd.exe to configure:
%systemroot%\system32\inetsrv\appcmd set config /section:requestfiltering /requestLimits.maxURL:4096
OR
Enter the following command in PowerShell to configure:
Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter 'system.webServer/security/requestFiltering/requestLimits' -name 'maxUrl' -value 4096
Default Value:
When Request Filtering is installed on a system, the default value for maxURL='4096'.