# Web.config Critical Settings Reference **Last Updated:** 2026-04-15 **MachineKey Updated:** Yes - Latest generation **Build Status:** Clean --- ## 1. Custom MachineKey (Security) ### Current Configuration ```xml ``` **Location:** Line 752-756 in Web.config **Algorithm:** HMACSHA256 (validation) + 3DES (decryption) **Security Level:** ✓ Custom (not using defaults) **Generated by:** mojoPortal Setup 2.9.2.3 --- ## 2. Request Size Limits (httpRuntime) ### Current Configuration (Line 975) ```xml maxUrlLength="560" maxQueryStringLength="2048" enableVersionHeader="false" /> ``` ### Detailed Parameter Breakdown | Parameter | Value | Description | Typical Use | |-----------|-------|-------------|-------------| | `targetFramework` | 4.8 | .NET Framework target | Ensures compatibility | | `requestValidationMode` | 2.0 | Validation mode | ASP.NET 4.0+ validation | | `maxRequestLength` | 30720 KB | **Max upload: ~30 MB** | File uploads, form data | | `maxUrlLength` | 560 chars | **Max URL: 560 characters** | SEO-friendly URLs, navigation | | `maxQueryStringLength` | 2048 chars | **Max query string: 2048 characters** | Search parameters, filters | | `enableVersionHeader` | false | Hide ASP.NET version | Security hardening | ### Important Notes ⚠️ **maxRequestLength:** 30720 KB = ~30 MB - Applies to all HTTP requests (POST data, file uploads, etc.) - If you need larger uploads, increase this value - Values in **kilobytes** (KB), not bytes - Example: For 100 MB uploads, use `maxRequestLength="102400"` ⚠️ **maxUrlLength:** 560 characters - Total URL length including query string - Some SEO-friendly URL structures may exceed this - If you have complex URLs or deep navigation, may need to increase - Affects both GET requests and form submissions ⚠️ **maxQueryStringLength:** 2048 characters - Query parameters limit - Advanced searches with many filters might hit this - If exceeded, requests will be rejected as potentially malicious --- ## 3. Alternative Configuration (Commented Out) **Location:** Line 973 (commented) ```xml ``` **Note:** This commented config allows ~2 GB uploads and 1-hour timeout. Not used in current setup. --- ## 4. Related Settings ### Execution Timeout ```xml requestValidationMode="2.0" ``` - Allows ASP.NET 4.0+ style request validation - Prevents XSS and malformed requests ### Version Header ```xml enableVersionHeader="false" ``` - ✓ **Security best practice:** Hides ASP.NET version from responses - Prevents version detection attacks --- ## 5. When to Modify These Settings ### Increase maxRequestLength if: - Users upload files larger than 30 MB - Form submissions are rejected with "Request entity too large" - Document/media library functionality needs larger files ### Example Configuration for 100 MB uploads: ```xml maxUrlLength="560" maxQueryStringLength="2048" enableVersionHeader="false" /> ``` ### Increase maxUrlLength if: - Complex navigation with deeply nested categories - SEO-friendly URLs are getting truncated - You're building a hierarchical content structure ### Example Configuration for longer URLs: ```xml maxQueryStringLength="2048" enableVersionHeader="false" /> ``` --- ## 6. Security Recommendations ✅ **Current Configuration:** - Custom machineKey installed (not defaults) - Version header disabled - Modern request validation enabled - Reasonable upload limits 🔒 **Additional Hardening (Optional):** In production, also set in Web.config: ```xml ``` This prevents the setup page from being accessible after upgrades are complete. --- ## 7. Backup Information **Web.config Backup Location:** `Updates/Web.config.backup` **MachineKey History:** - **Previous (Session 5):** `BA3FF6B9796A6C1C...` (deprecated) - **Current (Session 6):** `9C23E46D62D6577B9...` (active) ⚠️ **Important:** If you change the machineKey after passwords are encrypted, users will not be able to log in. Always back up before making changes. --- ## 8. Testing Changes After modifying any of these settings: 1. **Build the project:** ✓ Should compile cleanly 2. **Restart IIS:** Required for changes to take effect 3. **Test file uploads:** Verify upload size limits work 4. **Test URL generation:** Check for truncation issues 5. **Clear browser cache:** Ensure fresh requests --- ## 9. Common Issues & Solutions ### "Request entity too large" (413 error) - **Cause:** Upload exceeds maxRequestLength - **Fix:** Increase maxRequestLength value ### URL truncation in navigation - **Cause:** Generated URL exceeds maxUrlLength - **Fix:** Increase maxUrlLength value ### Query string rejected - **Cause:** Search parameters exceed maxQueryStringLength - **Fix:** Increase maxQueryStringLength value ### Login fails after machineKey change - **Cause:** Encrypted passwords can't be decrypted - **Fix:** Restore previous machineKey or reset passwords --- ## 10. Reference **Platform:** ASP.NET WebForms + MVC 5.3 on .NET Framework 4.8.1 **Database:** SQLite **mojoPortal Version:** 2.9.2.3 **Web.config Path:** `Web/Web.config` --- ## Checklist for Future Deployments - [ ] Verify custom machineKey is installed (not defaults) - [ ] Review maxRequestLength for your expected file sizes - [ ] Test file upload functionality works - [ ] Verify long URLs don't get truncated - [ ] Confirm search with multiple filters works - [ ] Disable setup page in production: `DisableSetup=true` - [ ] Test login and session functionality after changes - [ ] Backup Web.config before making modifications --- **Document Created:** 2026-04-15 **Scope:** Production-ready mojoPortal SQLite installation with .NET 4.8.1 **Status:** ✅ Complete & Verified