One of the ways an attacker can get into your site is by attempting to cause a "buffer overflow" or by creating a denial of service by sending large amounts of data to your server. This can also be a problem if you have an <asp:FileUpload> control on one of your pages because the attacker could upload large files one after another until the disk space is filled, possibly causing your server to error out.
One way to help protect yourself from these types of attacks is to set a maxRequestLength. The maxRequestLength acts as a filter: user requests larger than the configured threshold are rejected. For instance, the default setting in your Machine.config file is 4096 KB, or 4 MB. Ninety-nine percent of all your pages will be well below that, more likely in the range of 512 KB or less.
To protect yourself, add an <httpRuntime> directive in the <system.web> section of the Web.config, and set the maxRequestLength to a reasonable value.
<system.web> ...
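A Web.config along the lines described above, written as an added example rather than taken from the original page. It sets a tight site-wide limit and raises it only for the page that hosts the upload control. The page name Upload.aspx and the 2048 KB figure are assumptions.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <!-- Site-wide cap. maxRequestLength is expressed in KB; 512 follows
         the "512 KB or less" estimate for ordinary pages. Without this
         element the Machine.config default of 4096 KB applies. -->
    <httpRuntime maxRequestLength="512" />
  </system.web>

  <!-- Upload.aspx is a hypothetical page holding the <asp:FileUpload>
       control. Only this path gets the larger limit; 2048 KB is an
       assumed value, so size it to the largest file you intend to accept. -->
  <location path="Upload.aspx">
    <system.web>
      <httpRuntime maxRequestLength="2048" />
    </system.web>
  </location>
</configuration>
```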