When running a Web Agent protecting one application, and redirecting requests to another Web Agent, then the request fails to say that the URL is too long. Is there are security concerns to raising the IIS MaxURL to 8k?
Web Agent 12.52SP1CR10;
There are any known security concerns from our documentation, and Microsoft documentation either. It seems there's no limit to the value according to Microsoft (1).
More, some experiences have been reported where IIS maxQueryString configuration might help to handle long URLs (2)(3).
The feature maxURL is something from IIS functionality (4).
There's no known limit at the Web Agent level.
There's no feature known as MaxURL for Apache.
Be aware that there are some limitations on Apache and also on the browsers too (5)(6).
(1)
Request Limits <requestLimits>
(2)
404 error with login.fcc with SP Initiated SAML 2.0
(3)
iOS Gmail app shows blank page on login.fcc
(4)
Request Limits <requestLimits>
maxUrl Optional uint attribute.
Specifies maximum length of the URL, in bytes.
The default value is 4096.
(5)
What is apache's maximum url length?
The default limit for the length of the request line is 8190 bytes
(see LimitRequestLine directive). And if we subtract three bytes for
the request method (i.e. GET), eight bytes for the version
information (i.e. HTTP/1.0/HTTP/1.1) and two bytes for the
separating space, we end up with 8177 bytes for the URI path plus
query.
[...]
Did you have to recompile to use such large values? My version
(2.2.15) silently ignores LimitRequestLine directives over 8190
unless recompiled with the added CFLAG "-D
DEFAULT_LIMIT_REQUEST_LINE=16384" (then it allows up to 16384)
(6)
What is the maximum length of a URL in different browsers?
Extremely long URLs are usually a mistake. URLs over 2,000
characters will not work in the most popular web browsers. Don't use
them if you intend your site to work for the majority of Internet
users.
[...]
As of Jan 2020, the advice still stands. Even though IE11 may
possibly accept longer URLs, the ubiquity of older IE installations
plus the search engine limitations mean staying under 2000 chars is
the best general policy.