5 min read · Aug 23, 2023
This is a quick introduction to the web.config file. I will also cover the top 3 things you can set up in this file.
What is the purpose of a web.config file?
The web.config is a file that is read by Internet Information Services (IIS) and the ASP.NET Core Module to configure various settings and behaviors of an application hosted with IIS.
Why web.config?
Most of the configuration settings you can customise in the web.config file can also be configured in the appsettings.json files, so why would you want to use this file instead? There are many benefits to using the web.config file to configure settings for your application.
- The web.config file is written in XML, which makes it readable and easy to understand.
- The application logic is separated from the configuration logic.
- You can create a set of hierarchical configurations for different parts of your application. By placing a web.config file in different sub-directories, you can have specialized sets of rules for different sections of your application.
- You need to have the web.config file in your application hosted on IIS anyway, so why not use that file for configuration settings?
Do I need a web.config file in my project?
The web.config file must be present in the deployment at all times, correctly named, and able to configure the site for normal start up.
This is because sensitive files exist on the app’s physical path and if the web.config file is missing or named incorrectly, IIS may serve these files to the client. If the web.config file is present, IIS will not serve these sensitive files if they are requested.
NB: You must never remove the web.config file from a production deployment.
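One way to check this before a release, as an added example that is not from the original article: the script below verifies that a publish folder contains a correctly named, well-formed web.config that maps requests to the ASP.NET Core Module. The function name is hypothetical, and the folder to check is passed on the command line.

```python
import os
import sys
import xml.etree.ElementTree as ET

def check_published_webconfig(publish_dir):
    """Return a list of problems found in publish_dir (empty list means OK).

    Added illustration, not the article's code; the function name is hypothetical.
    """
    names = os.listdir(publish_dir)
    # IIS on Windows resolves file names case-insensitively.
    actual = next((n for n in names if n.lower() == "web.config"), None)
    if actual is None:
        # Renamed copies such as web.config.bak do not configure the site.
        lookalikes = sorted(n for n in names
                            if n.lower().startswith("web") and "config" in n.lower())
        hint = f" (found instead: {', '.join(lookalikes)})" if lookalikes else ""
        return ["web.config is missing from the deployment root" + hint]

    try:
        root = ET.parse(os.path.join(publish_dir, actual)).getroot()
    except ET.ParseError as exc:
        return [f"web.config is not well-formed XML: {exc}"]

    problems = []
    if root.tag != "configuration":
        problems.append(f"root element is <{root.tag}>, expected <configuration>")
    # The handler mapping and the <aspNetCore> element hand requests to the app.
    handlers = [h for h in root.iter("add")
                if h.get("modules", "").startswith("AspNetCoreModule")]
    if not handlers:
        problems.append("no handler mapped to the ASP.NET Core Module")
    hosting = root.find(".//aspNetCore")
    if hosting is None or not hosting.get("processPath"):
        problems.append("<aspNetCore processPath=...> is missing")
    return problems

if __name__ == "__main__":
    for line in check_published_webconfig(sys.argv[1]) or ["OK"]:
        print(line)
```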
1. Configure file upload size
You can adjust the maximum file upload size for your ASP.NET project in the web.config file. By default, the maximum upload size is 30 MB (or 31 457 280 bytes) for each upload.
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <!-- This will handle requests up to 50MB -->
        <requestLimits maxAllowedContentLength="52428800" />
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
Setting the maxAllowedContentLength to 52428800 bytes will increase the maximum allowed file upload size from 30MB to 50MB.
Additionally, we set the maximum allowed size of any request body, in bytes, with MaxRequestBodySize in the IISServerOptions class inside the Program.cs file to allow the increased file upload size.
services.Configure<IISServerOptions>(options =>
{
    // Maximum allowed request body size: 50 MB, expressed in bytes
    options.MaxRequestBodySize = 50 * 1024 * 1024;
});
Finally, open IIS Manager on your server and check that the "Maximum allowed content length" value in the request filtering settings for the domain has changed from 36700160 bytes to 52428800 bytes.
The default ASP.NET Core application template doesn’t create the web.config file and it is only automatically created when you publish the application. However, you can add it manually to the root of the application.
2. Configure redirect settings
You can configure HTTP modules and handlers in the web.config file. Modules and handlers can be used to intercept and process incoming requests to your application, so you can use them for tasks such as URL rewriting, authentication, or custom request processing.
The example below shows how you can rewrite the URL of an incoming request to redirect HTTP (non-secure) traffic to HTTPS (secure).
<!-- Place inside <system.webServer><rewrite><rules>; requires the IIS URL Rewrite module -->
<rule name="RedirectToHTTPS" stopProcessing="true">
  <match url="(.*)" />
  <conditions>
    <add input="{HTTPS}" pattern="off" ignoreCase="true" />
  </conditions>
  <action type="Redirect" url="https://{SERVER_NAME}/{R:1}" redirectType="Permanent" />
</rule>
- The rule tag defines a rule named “RedirectToHTTPS” to redirect traffic to HTTPS.
- <match url="(.*)" /> defines a URL pattern to be matched.
- input="{HTTPS}" checks the value of the {HTTPS} server variable. The pattern attribute is compared against that value, which is “on” or “off”; here the condition matches when it is “off”.
- <action type="Redirect" url="https://{SERVER_NAME}/{R:1}" redirectType="Permanent" /> defines what should happen if the condition matches, that is, if the request arrived over HTTP. The action here is a redirect to the HTTPS version of the same URL.
Being able to redirect traffic is very important because, as you can see in the example above, you can ensure that the client visits your site using a secure connection and that any sensitive information is transmitted securely. There are many more behaviours you can customise from the web.config file.
3. Custom error pages
<configuration>
  <system.web>
    <customErrors mode="On" defaultRedirect="apperror.cshtml">
      <error statusCode="404" redirect="404.cshtml" />
      <error statusCode="500" redirect="500.cshtml" />
    </customErrors>
  </system.web>
</configuration>
The defaultRedirect attribute specifies the default page the user will be redirected to in the instance of an unhandled error. For any unhandled exceptions, the user will be redirected to the “apperror.cshtml” page.
You can then use the <error> tag and its redirect attribute to send users to specific pages when specific errors occur.
- An error with a statusCode of 404 (Not Found) will redirect the user to the “404.cshtml” page.
- An error with a statusCode of 500 (Internal Server Error) will redirect the user to the “500.cshtml” page.
You can customise even more settings from this file, including:
- Database connection strings
- Security settings
- Caching settings
What are some disadvantages of using this file?
The web.config file is pushed along with the rest of your code to the repository so you should never store sensitive information in your code.
You don’t want to include API keys and connection strings, especially in the production environment. Although it is possible to configure these values directly in the web.config file, you should not store any secret values in this file. Here are some techniques you can use to define sensitive values in an external file and load them into the configuration files that will be pushed to your repository.
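A pre-commit style check for the problem described above, as an added example that is not from the original article: it parses a web.config and reports entries that look like inline secrets, without printing their values. The sample document, the name and value heuristics and the function name are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample for illustration; every value is a placeholder.
SAMPLE = """<configuration>
  <connectionStrings>
    <add name="Main" connectionString="Server=db01;Database=App;User Id=app;Password=PLACEHOLDER;" />
    <add name="Reports" connectionString="Server=db01;Database=Rep;Integrated Security=true;" />
  </connectionStrings>
  <appSettings>
    <add key="PaymentApiKey" value="PLACEHOLDER-KEY" />
    <add key="PageSize" value="25" />
    <add key="SmtpPassword" value="" />
  </appSettings>
  <system.webServer>
    <aspNetCore processPath="dotnet" arguments="MyApp.dll">
      <environmentVariables>
        <environmentVariable name="ASPNETCORE_ENVIRONMENT" value="Production" />
        <environmentVariable name="ConnectionStrings__Main" value="Server=db01;Pwd=PLACEHOLDER;" />
      </environmentVariables>
    </aspNetCore>
  </system.webServer>
</configuration>"""

# Assumed heuristics: a password inside a connection string, or a secret-like name.
CRED_IN_VALUE = re.compile(r"(?i)\b(password|pwd)\s*=\s*[^;\s]")
SECRET_NAME = re.compile(r"(?i)(secret|password|pwd|token|api[-_]?key)")

def find_inline_secrets(xml_text):
    """Return (section, entry name, reason) tuples; secret values are never echoed."""
    root = ET.fromstring(xml_text)
    # (section label, XPath, attribute holding the name, attribute holding the value)
    sources = [
        ("connectionStrings", "./connectionStrings/add", "name", "connectionString"),
        ("appSettings", "./appSettings/add", "key", "value"),
        ("environmentVariables", ".//environmentVariable", "name", "value"),
    ]
    findings = []
    for section, path, name_attr, value_attr in sources:
        for el in root.findall(path):
            name, value = el.get(name_attr, ""), el.get(value_attr, "").strip()
            if not value:
                continue  # an empty placeholder is not a leaked secret
            if CRED_IN_VALUE.search(value):
                findings.append((section, name, "password in connection string"))
            elif SECRET_NAME.search(name):
                findings.append((section, name, "secret-like name with a value"))
    return findings
```

Running `find_inline_secrets(SAMPLE)` flags the `Main` connection string, the `PaymentApiKey` setting and the `ConnectionStrings__Main` environment variable, and leaves the integrated-security string, `PageSize` and the empty `SmtpPassword` alone.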
Conclusion
The web.config file provides us with a powerful set of configuration possibilities that can be set up centrally and flexibly. We are able to control various aspects of the behaviour of our application, but we also have to be careful not to leave sensitive information in this file as it can be accessed from your application’s repository.
Thank you for taking the time to read this article and I hope it helped you!