
ASP.NET appSettings Element

The <appSettings> element in the configuration contains settings to customize a web application. You can add, remove and clear an application setting as a key/value pair within the <appSettings> element.

    <appSettings>
       <[add|clear|remove] key="configuration key value" value="value" />
    </appSettings>
aspnet:AllowAnonymousImpersonation

Specifies what type of impersonation token is used when the incoming request is unauthenticated.

Type:

Boolean

Default value:

false

Remarks:

This appSettings key relates specifically to SharePoint. When an application is executing potentially untrusted code within its AppDomain, attention must be paid to the identity the untrusted code is running under. If this key value is false [default], certain pipeline events will use the process identity’s impersonation token if the incoming request is unauthenticated. If this key value is true, those pipeline events will use an anonymous impersonation token if the incoming request is unauthenticated.

Example:

    <appSettings>
      <add key="aspnet:AllowAnonymousImpersonation" value="false" />
    </appSettings>
Important

This setting should only be modified by advanced developers.

aspnet:AllowAsyncDuringSyncStages

Specifies whether ASP.NET will perform extra checks during runtime to catch common mistakes that developers make while performing asynchronous coding.

Type:

Boolean

Default value:

false

Remarks:

If this key value is false [default] and the UseTaskFriendlySynchronizationContext key value is true, ASP.NET will perform extra checks during runtime. These checks catch common mistakes that are made in asynchronous coding. Otherwise, no such checks are performed. The checks detect mistakes such as trying to start an asynchronous operation during execution of a synchronous page or causing an IHttpModule or IHttpAsyncHandler to complete when there are still outstanding asynchronous operations. Such mistakes could lead to deadlocks or could hamper performance of an ASP.NET application.

Example:

    <appSettings>
      <add key="aspnet:AllowAsyncDuringSyncStages" value="false" />
    </appSettings>
aspnet:AllowRelaxedHttpUserName

Specifies how ASP.NET synchronizes the client’s username between the managed (ASP.NET) and native (IIS) layers of the web server.

Type:

Boolean

Default value:

false

Remarks:

If this key value is false [default], ASP.NET checks the client’s username before it performs this synchronization step. If this key value is true, ASP.NET performs no check.

Example:

    <appSettings>
      <add key="aspnet:AllowRelaxedHttpUserName" value="false" />
    </appSettings>
Caution

Setting this attribute to true can pose a security risk.

aspnet:AllowRelaxedRelativeUrl

Specifies how ASP.NET login pages will redirect to a return URL whose destination is outside the hosted application.

Type:

Boolean

Default value:

false

Remarks:

If this key value is false [default], ASP.NET login pages will not redirect to a return URL whose destination is outside the hosted application. If this key value is true, ASP.NET login pages will perform no such check on the return URL and will redirect to it regardless.

Example:

    <appSettings>
      <add key="aspnet:AllowRelaxedRelativeUrl" value="false" />
    </appSettings>
Caution

Setting this attribute to true can pose a security risk.

aspnet:AllowRelaxedUnicodeDecoding

Specifies whether ASP.NET will perform additional Unicode validation on incoming client-supplied data.

Type:

Boolean

Default value:

false

Remarks:

If this key value is false [default], ASP.NET will perform additional Unicode validation on incoming client-supplied data. If this key value is true, ASP.NET will not perform extra validation.

Example:

    <appSettings>
      <add key="aspnet:AllowRelaxedUnicodeDecoding" value="false" />
    </appSettings>
aspnet:AllowUtf7RequestContentEncoding

Specifies whether clients can specify an encoding for the Content-Encoding header.

Type:

Boolean

Default value:

false

Remarks:

By default, ASP.NET allows clients to specify the text encoding of incoming payload data. Clients can send this information via the Content-Encoding header, and ASP.NET reflects this information via the ContentEncoding property. If this key value is false [default], clients cannot use the Content-Encoding header to request that ASP.NET treat the incoming payload as UTF-7. If this key value is true, clients can specify any encoding (including UTF-7) for the Content-Encoding header, and ASP.NET will try to interpret the incoming payload using that encoding. For more information about UTF-7, see the UTF7Encoding class.

Example:

    <appSettings>
      <add key="aspnet:AllowUtf7RequestContentEncoding" value="false" />
    </appSettings>
aspnet:DoNotDisposeSpecialHttpApplicationInstances

Specifies whether ASP.NET disposes of "special" instances of all registered IHttpModule types that are used to perform application instantiation.

Type:

Boolean

Default value:

false

Remarks:

When an ASP.NET application first starts, "special" instances of all registered IHttpModule types are created. These special instances are used to perform application instantiation; they are not actually used for servicing requests. If this key value is false [default], these special instances are disposed (IHttpModule implements IDisposable) when the application shuts down. If this key value is true, these special instances are not disposed.

Example:

    <appSettings>
      <add key="aspnet:DoNotDisposeSpecialHttpApplicationInstances" value="false" />
    </appSettings>
aspnet:FormsAuthReturnUrlVar

Specifies the return URL to use after Forms authentication has been completed.

Type:

String

Default value:

[empty string]

Remarks:

This appSettings key relates specifically to SharePoint. When this key value is set, the value will be used as the return URL after the client of the web application has completed authentication (logged via ASP.NET membership). If this value is left empty, after completing authentication the client will be redirected based on the ReturnUrl query string parameter used when authenticating.

Example:

    <appSettings>
      <add key="aspnet:FormsAuthReturnUrlVar" value="" />
    </appSettings>
aspnet:JavaScriptDoNotEncodeAmpersand

Specifies whether the default built-in JavaScript string encoding routines will encode the ampersand ('&') character.

Type:

Boolean

Default value:

false

Remarks:

If this key value is false [default], the default built-in JavaScript string encoding routines will encode the ampersand ('&') character as "\u0026", which is the JavaScript-escaped form of that character. If this key value is true, the default built-in JavaScript string encoding routines will not encode the ampersand character.

Example:

    <appSettings>
      <add key="aspnet:JavaScriptDoNotEncodeAmpersand" value="false" />
    </appSettings>
Caution

Setting this attribute to true can pose a security risk.

aspnet:MaxConcurrentCompilations

Controls parallel compilation of non-dependencies in web directories.

Type:

Int32

Default value:

1

Remarks:

If this key value is "0", all server cores will be used for concurrent compilations. If the key value is "1" [default], concurrent compilations will be disabled. If the key value is "2" or more, concurrent core compilation will be explicitly set to this value and will act as the max value.

Users with available cores (not shared hosting) can use this setting to improve startup times. If possible, set this application setting to the number of cores on the server. This setting is specifically intended for 4.0 applications that want the benefit of concurrent compilations but, as 4.0 applications, are unable to set the 4.5-specific attribute on the compilation element. This application setting also allows applications to specifically opt out when deployed to hosts running 4.5.

Example:

    <appSettings>
      <add key="aspnet:MaxConcurrentCompilations" value="1" />
    </appSettings>
aspnet:MaxHttpCollectionKeys

Limits the maximum number of items that can be present in any of the client-provided dictionaries of the HttpRequest object.

Type:

Int32

Default value:

1000

Remarks:

The client-provided dictionaries include HttpRequest.Files, HttpRequest.Form, HttpRequest.Cookies, HttpRequest.QueryString, HttpRequest.Headers, HttpRequest.ServerVariables.

Example:

    <appSettings>
      <add key="aspnet:MaxHttpCollectionKeys" value="1000" />
    </appSettings>
Caution

Setting this attribute to too large a number can pose a security risk.

aspnet:MaxJsonDeserializerMembers

Specifies the limit of the maximum number of items that can be present in any dictionary deserialized by the JavaScriptSerializer type.

Type:

Int32

Default value:

1000

Remarks:

Example:

    <appSettings>
      <add key="aspnet:MaxJsonDeserializerMembers" value="1000" />
    </appSettings>
Caution

Setting this attribute to too large a number can pose a security risk.

aspnet:RestrictXmlControls

Specifies how ASP.NET will load XSLTs.

Type:

Boolean

Default value:

false

Remarks:

If this key value is false [default], ASP.NET’s XML controls use XslTransform for XSLT operations. If this key value is true, ASP.NET’s XML controls use XslCompiledTransform for XSLT operations.

Example:

    <appSettings>
      <add key="aspnet:RestrictXmlControls" value="false" />
    </appSettings>
aspnet:ScriptResourceAllowNonJsFiles

Specifies whether the ScriptResource.axd handler can serve static files from the hard drive if a Web Forms page contains the markup <asp:ScriptReference Path="~/the-file.ext" />.

Type:

Boolean

Default value:

false

Remarks:

The ScriptResource.axd handler can serve arbitrary static files from the hard drive. If this value attribute is false [default], ScriptResource.axd will not serve requests for files unless the file has a .js extension. If this value attribute is true, ScriptResource.axd will serve requests for any file.

Example:

    <appSettings>
      <add key="aspnet:ScriptResourceAllowNonJsFiles" value="false" />
    </appSettings>
Caution

Setting this attribute to true can pose a security risk. Malicious clients may be able to read sensitive files from your web site.

aspnet:UpdatePanelMaxScriptLength

Specifies a JSON payload size limit value that the ScriptManager will use to temporarily override the limit that the JavaScriptSerializer will allow when sending large JSON payloads to the client.

Type:

Int32

Default value:

0

Remarks:

The JavaScriptSerializer type has a limit on the maximum JSON payload size it can produce or consume. This limit defaults to 2MB and is configurable via the MaxJsonLength property. The ScriptManager type uses JavaScriptSerializer internally. If this key value is set to a value greater than 0, ScriptManager will temporarily override the limit that the JavaScriptSerializer will allow when sending large JSON payloads to the client, using the provided key value as the JSON payload size limit. If this switch is set to 0, ScriptManager will not override the JavaScriptSerializer default limits.

Example:

    <appSettings>
      <add key="aspnet:UpdatePanelMaxScriptLength" value="0" />
    </appSettings>
aspnet:UseHostHeaderForRequestUrl

Specifies how the Url property is dynamically built. By default, the Url property is dynamically built from the host, port, and path provided by the web server.

Type:

Boolean

Default value:

false

Remarks:

If this value attribute is false [default], the Url property is dynamically built from the host, port, and path provided by the web server. If this value attribute is true, the Url property is dynamically built by using the host and port provided by the incoming "Host" header and the path provided by the web server.

Example:

    <appSettings>
      <add key="aspnet:UseHostHeaderForRequestUrl" value="false" />
    </appSettings>
aspnet:UseLegacyEncryption

Specifies whether ASP.NET will sign payloads that are encrypted.

Type:

Boolean

Default value:

false

Remarks:

If this key value is false [default], ASP.NET will sign any payload that is encrypted, and it will verify cryptographic signatures before decrypting such payloads. Examples of these payloads might be ViewState, FormsAuth cookies, and ScriptResource.axd URLs. If this key value is true, ASP.NET will not sign payloads that are encrypted, and cryptographic signatures of such payloads will not be verified. The Encode and Decode APIs are unaffected by this switch; they have their own compatibility switch.

Example:

    <appSettings>
      <add key="aspnet:UseLegacyEncryption" value="false" />
    </appSettings>
Caution

Setting this attribute to true can pose a security risk.

aspnet:UseLegacyEventValidationCompatibility

Specifies the serialization format ASP.NET will use for the __EVENTVALIDATION field in Web Forms applications.

Type:

Boolean

Default value:

false

Remarks:

If this key value is false [default], the __EVENTVALIDATION field in Web Forms applications is serialized using a new format intended for 4.5 and later. If this switch is true, the __EVENTVALIDATION field uses a serialization format compatible with earlier versions of ASP.NET. This setting should only be set to true while migrating an application in a web farm deployment to .NET 4.5. This will enable pages generated by servers running 4.0 to be posted to servers running 4.5, and vice-versa.

Example:

    <appSettings>
      <add key="aspnet:UseLegacyEventValidationCompatibility" value="false" />
    </appSettings>
aspnet:UseLegacyFormsAuthenticationTicketCompatibility

Specifies whether ASP.NET will

Type:

Boolean

Default value:

false

Remarks:

If this key value is false [default], ASP.NET serializes FormsAuth tickets by using a 4.0 serialization format. If this key value is true, ASP.NET uses an older serialization format.

Example:

    <appSettings>
      <add key="aspnet:UseLegacyFormsAuthenticationTicketCompatibility" value="false" />
    </appSettings>
Caution

Setting this attribute to true can pose a security risk.

aspnet:UseLegacyMachineKeyEncryption

Specifies whether ASP.NET will sign any payload that is encrypted via the MachineKey.Encode API.

Type:

Boolean

Default value:

false

Remarks:

If this key value is false [default], ASP.NET will sign any payload that is encrypted via the Encode API, and it will verify cryptographic signatures before decrypting such payloads. If this key value is true, ASP.NET will not sign payloads that are encrypted via the Encode API, and cryptographic signatures of such payloads will not be verified. ViewState, Forms authentication and similar areas of state management are unaffected by this key value; they have their own compatibility switch.

Example:

    <appSettings>
      <add key="aspnet:UseLegacyMachineKeyEncryption" value="false" />
    </appSettings>
Caution

Setting this attribute to true can pose a security risk.

aspnet:UseTaskFriendlySynchronizationContext

Specifies how asynchronous code paths in ASP.NET 4.5 behave.

Type:

Boolean

Default value:

false

Remarks:

If this key value is set to false [default], asynchronous code paths in ASP.NET 4.5 behave as they did in ASP.NET 4.0. If this key value is set to true, ASP.NET 4.5 uses code paths that are optimized for Task-returning APIs. Setting this compatibility switch is mandatory for WebSockets-enabled applications, for using Task-based asynchrony in Web Forms pages, and for certain other asynchronous behaviors.

Example:

    <appSettings>
      <add key="aspnet:UseTaskFriendlySynchronizationContext" value="false" />
    </appSettings>
aspnet:MaxAcceptLanguageFallbackCount

Controls how deep to look for a CultureInfo object from an HTTP Accept-Language header.

Type:

Int32

Default value:

3

Remarks:

For example, if you leave the default value of 3 and an Accept-Language header is received with “en-us, en, fr-FR, zh-CN”, ASP.NET will look for “en-us”, “en”, and “fr-FR” in that order, but if all three fail it won’t look for “zh-CN”.

Example:

    <appSettings>
      <add key="aspnet:MaxAcceptLanguageFallbackCount" value="3" />
    </appSettings>
aspnet:UseLegacyRequestUrlGeneration

Controls the behavior of HttpRequest.Url, which represents the current request. 

Type:

Boolean

Default value:

false

Remarks:

If this switch is false, the ASP.NET runtime generates a Uri that has better standards compliance than previous versions of ASP.NET. If this switch is true, the runtime generates a Uri that is compatible with previous versions.

Example:

    <appSettings>
      <add key="aspnet:UseLegacyRequestUrlGeneration" value="false" />
    </appSettings>
PageInspector:ServerCodeMappingSupport

Specifies whether the Page Inspector is enabled in Visual Studio.

Type:

String

Default value:

Disabled

Remarks:

If the PageInspector:ServerCodeMappingSupport key value is set to Enabled in the Web application, the Page Inspector will be enabled, except if a retail attribute of the deployment element is set to true in the <system.web> section of the Machine.config file. If the retail attribute is not set in the Machine.config file and the PageInspector:ServerCodeMappingSupport key value is also not set, debug mode will determine whether the Page Inspector is enabled.

Example:

    <appSettings>
      <add key="PageInspector:ServerCodeMappingSupport" value="Disabled" />
    </appSettings>
ValidationSettings:UnobtrusiveValidationMode

Specifies how ASP.NET globally enables the built-in validator controls to use unobtrusive JavaScript for client-side validation logic.

Type:

UnobtrusiveValidationMode

Default value:

None

Remarks:

If this key value is set to "None" [default], the ASP.NET application will use the pre-4.5 behavior (JavaScript inline in the pages) for client-side validation logic. If this key value is set to "WebForms", ASP.NET uses HTML5 data-attributes and late bound JavaScript from an added script reference for client-side validation logic.

Example:

    <appSettings>
      <add key="ValidationSettings:UnobtrusiveValidationMode" value="None" />
    </appSettings>
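
An added example (not part of the original reference and not Microsoft code): a Python audit that resolves the add, remove and clear elements of an appSettings section in document order and reports the keys this page marks with a Caution. Matching key names case-insensitively and flagging any limit above its documented default are assumptions of this example; the sample configuration is constructed.

```python
import xml.etree.ElementTree as ET

# Keys this page marks with a Caution when set to true (stored lower-case).
RISKY_WHEN_TRUE = {k.lower() for k in (
    "aspnet:AllowRelaxedHttpUserName",
    "aspnet:AllowRelaxedRelativeUrl",
    "aspnet:JavaScriptDoNotEncodeAmpersand",
    "aspnet:ScriptResourceAllowNonJsFiles",
    "aspnet:UseLegacyEncryption",
    "aspnet:UseLegacyFormsAuthenticationTicketCompatibility",
    "aspnet:UseLegacyMachineKeyEncryption",
)}
# Page defaults; flagging anything above them is this example's assumption.
LIMIT_DEFAULTS = {"aspnet:maxhttpcollectionkeys": 1000,
                  "aspnet:maxjsondeserializermembers": 1000}

def effective_app_settings(config_xml):
    """Apply add/remove/clear in document order; return {lower_key: (key, value)}."""
    settings = {}
    for section in ET.fromstring(config_xml).iter("appSettings"):
        for el in section:
            key = el.get("key", "")
            if el.tag == "clear":
                settings.clear()
            elif el.tag == "remove":
                settings.pop(key.lower(), None)
            elif el.tag == "add":
                settings[key.lower()] = (key, el.get("value", "").strip())
    return settings

def audit(config_xml):
    """Return (key, value, reason) for each effective setting worth reviewing."""
    findings = []
    for lower, (key, value) in sorted(effective_app_settings(config_xml).items()):
        if lower in RISKY_WHEN_TRUE and value.lower() == "true":
            findings.append((key, value, "page cautions against true"))
        elif lower in LIMIT_DEFAULTS:
            if not value.isdecimal():
                findings.append((key, value, "not a non-negative integer"))
            elif int(value) > LIMIT_DEFAULTS[lower]:
                findings.append((key, value, "above documented default"))
    return findings

# Constructed sample web.config fragment (not from the page).
SAMPLE = """<configuration><appSettings>
  <add key="aspnet:UseLegacyEncryption" value="true" />
  <clear />
  <add key="aspnet:AllowRelaxedRelativeUrl" value="True" />
  <add key="aspnet:ScriptResourceAllowNonJsFiles" value="true" />
  <remove key="aspnet:ScriptResourceAllowNonJsFiles" />
  <add key="aspnet:MaxHttpCollectionKeys" value="50000" />
  <add key="aspnet:UseLegacyMachineKeyEncryption" value="false" />
</appSettings></configuration>"""

print(audit(SAMPLE))
```

The audit inspects a single file, so values inherited from parent configuration files are not seen.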
© 2014 Microsoft. All rights reserved.