IIS: Changing maxQueryString and maxUrl

Query String Length:

By default Microsoft IIS accepts a maximum query sting length of 2048 characters. If there is a query string received by the IIS with more than 2048 characters, it will throw a 404.15 – Query String too long error. I wrote about this error in another article Solution for query string too long.

URL Length:

Just like the query string each browser has a limit for the length of url they support. For example Internet explorer accepts a maximum url length of 2083. If the url length exceeds the limit, you will get a 404.14 – URL too long error.

Increasing or Decreasing Query String and URL Length Limit:

There  are several way to avoid the URL and Query String too long error. But scenarios may arise, that you may need to generate a query string longer than 2048 characters. Or for security reasons you may need to reduce the query string length accepted by your website, lesser than the default length of 2048.

One among the way is to increase or decrease the maxQueryString and the maxUrl value for the website. This can be done by adding requestlimits to the web.config file of the website.

In the web.config file of your website, under the system.webServer, security section, add the requestFiltering section. Under requestFiltering section, add requestLimits tag with your desired maxQueryString value and maxUrl value. Now your website will accept maximum query strings length you desire. In the below example, I’ve specified the maxQueryString value as “3000”. Even if you set a big value for maximum query string, there is a limit for each browser which is handling the url and the query string.

The best practice is to limit the maxQueryString size as much as possible, to avoid any injunction attack. You can give a value of 2500 or 3500 or any other value based on your requirement. But keep in mind that allowing long query string and url is a security risk, more over, it’s a bad design. So if you want, you can even reduce the maxQueryString and maxUrl value to 100 or lesser. When you reduce the maximum url and query string length, make sure, your website generates url and query string shorter than the limits you are setting.

Web.Config with customized maxQueryString and maxUrl limits:

<configuration>
<system.webServer>
<security>
<requestFiltering>
<requestLimits maxQueryString="3000" maxUrl="1000" />
</requestFiltering>
</security>
</system.webServer>
</configuration>

Changing-maxquerystring-and-maxurl-01


5 thoughts on “IIS: Changing maxQueryString and maxUrl”

  1. It’s also possible to change these values using the GUI. In IIS, having selected your website, double click “Request Filtering”, then select the “URL” tab and click “Edit Feature Settings”. At least this works in Windows Server 2016.

    I needed to increase this value in order to generate mailto links that include a lot of addresses in the bcc field.

    Reply
  2. This fixed my problem. Some JavaScript was making HTTP requests with URLs longer than 2048 bytes and was getting HTTP 404 errors even though the URLs were correct. A Web.config change fixed the problem.
    Thanks!

    Reply
  3. I may be wrong, in fact, it would be great if i was.. but I don’t think this applies to IIS6 as is tagged here.. system.webserver was introduced as part of IIS 7 integrated pipeline (?) and hence is not available in iis 6 or in IIS 7 app pools running in classic mode.. Which would be relavent for the two or three of us left in the world who are still supporting IIS6 production environments..

    Reply

Leave your thoughts...

This site uses Akismet to reduce spam. Learn how your comment data is processed.