Limiting the Size of a Request
To limit the size of a request for all requests through a particular ISAPI extension DLL
Override CIsapiExtension::HttpExtensionProc in your ISAPI extension DLL and compare your maximum request size with the value returned by EXTENSION_CONTROL_BLOCK::cbTotalBytes. Reject any requests that exceed the maximum size.
To limit the size of a request for a particular request handler
For more information on the differences between these two methods, see Initializing Request Handlers.
To delay form processing for a particular request handler based on the size of the request
Override CRequestHandlerT::MaxFormSize and return the maximum number of bytes in the body of a request that should be parsed. If a request exceeds this size, default form processing is not carried out (that is, the files and form variables collections of the request object, m_HttpRequest, will not be populated). Note that taking this action does not cause the request to be rejected; it simply delays or prevents expensive processing on large requests.
To reject a request because it is too large
Return HTTP_REQUEST_ENTITY_TOO_LONG to use the default response or build your own response and return an appropriate status code.
The information in this topic applies to limiting the number of bytes in the body of the request. IIS limits the number of bytes in the header of a request automatically.