The requestValidationMode attribute in ASP.NET is used to configure built in validation to protect applications against code injections. Downgrading or disabling this configuration is not recommended. The default value of 4.5 is the only recommended value as previous versions only test a subset of requests.

Always set requestValidationMode to 4.5, or leave it at its default value.

The following example shows the requestValidationMode attribute set to the value 4.0 which disables some protections and ignores individual Page directives:

Setting the value to 4.5 enables request validation for all requests:

Microsoft: HttpRuntimeSection.RequestValidationMode Property .

OWASP: ASP.NET Request Validation.