The requestValidationMode attribute in ASP.NET is used to configure built-in validations to protect applications against code injections. Downgrading or disabling this configuration is not recommended. The default value 4.5 is the only recommended value as previous versions only test a subset of requests.

Always set requestValidationMode to 4.5. (Default value)

The following example shows the requestValidationMode attribute set to the value 4.0 which disables some protections and ignores individual Page directives:

If the value is set to 2.0, request validation is enabled for pages but not for all requests:

If the value is set to 0, request validation is completely disabled (Only recognized in ASP.NET 4.6 and later):

Microsoft: requestValidationMode configuration to protect against code injection attacks .

OWASP: ASP.NET Request Validation on OWASP