ASPNetRequestValidationMode.qhelp

<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
<qhelp>

	<overview>
		<p>
			The
			<code>requestValidationMode</code>
			attribute in ASP.NET is used to configure
			built-in validations to
			protect applications against code injections. Downgrading or
			disabling
			this configuration is not recommended. The default value 4.5
			is
			the only recommended value as previous versions only
			test a subset
			of
			requests.
		</p>

	</overview>
	<recommendation>

		<p>
			Always set
			<code>requestValidationMode</code>
			to 4.5. (Default value)
		</p>

	</recommendation>
	<example>

		<p>
			The following example shows the
			<code>requestValidationMode</code>
			attribute set to the value 4.0 which disables some protections and
			ignores individual
			<code>Page</code>
			directives:
			<code>
				<httpRuntime requestValidationMode="4.0" />



			</code>
		</p>

		<p>
			If the value is set to 2.0, request validation is enabled for pages
			but not for all requests:
		</p>

		<code>
			<httpRuntime requestValidationMode="2.0" />



		</code>

		<p>
			If the value is set to 0, request validation is completely disabled
			(Only recognized in ASP.NET 4.6 and later):
		</p>

		<code>
			<httpRuntime requestValidationMode="0.0" />



		</code>
	</example>
	<references>

		<li>
			Microsoft:
			<a
				href="https://docs.microsoft.com/en-us/dotnet/api/system.web.configuration.httpruntimesection.requestvalidationmode?view=netframework-4.8">requestValidationMode configuration to protect against code
				injection attacks</a>
			.
		</li>
		<li>
			OWASP:
			<a
				href="https://www.owasp.org/index.php/ASP.NET_Request_Validation">ASP.NET Request Validation on OWASP</a>
		</li>
	</references>

</qhelp>