ASP.NET appSettings Element
The <appSettings> element in the configuration contains settings to customize a web application. You can add, remove and clear an application setting as a key/value pair within the <appSettings> element.
<appSettings
<[add|clear|remove] key="configuration key value" value="value" />
</appSettings>
appSettings Configuration Keys
aspnet:AllowAnonymousImpersonation
Specifies what type of impersonation token is used when the incoming request is unauthenticated.Type:
Default value:
false
Remarks:
This appSettings key relates specifically to SharePoint. When an application is executing potentially untrusted code within its AppDomain, attention must be paid to the identity the untrusted code is running under. If this key value is false [default], certain pipeline events will use the process identity’s impersonation token if the incoming request is unauthenticated. If this key value is true, those pipeline events will use an anonymous impersonation token if the incoming request is unauthenticated.
Example:
<appSettings> <add key="aspnet:AllowAnonymousImpersonation" value="false" /> </appSettings>Important
This setting should only be modified by advanced developers.
aspnet:AllowAsyncDuringSyncStages
Specifies whether ASP.NET will perform extra checks during runtime to catch common mistakes that developers make while performing asynchronous coding.Type:
Default value:
false
Remarks:
If this key value is false [default] and the UseTaskFriendlySynchronizationContext key value is true, ASP.NET will perform extra checks during runtime. These checks catch common mistakes that are made in asynchronous coding. Otherwise, no such checks are performed. The checks detect mistakes such as trying to start an asynchronous operation during execution of a synchronous page or causing an IHttpModule or IHttpAsyncHandler to complete when there are still outstanding asynchronous operations. Such mistakes could lead to deadlocks or could hamper performance of an ASP.NET application.
Example:
<appSettings> <add key="aspnet:AllowAsyncDuringSyncStages" value="false" /> </appSettings>aspnet:AllowRelaxedHttpUserName
Specifies how ASP.NET synchronizes the client’s username between the managed (ASP.NET) and native (IIS) layers of the web server.Type:
Default value:
false
Remarks:
If this key value is false [default], ASP.NET checks the client’s username before it performs this synchronization step. If this key value is true, ASP.NET performs no check.
Example:
<appSettings> <add key="aspnet:AllowRelaxedHttpUserName" value="false" /> </appSettings>Warning
Setting this attribute to true can pose a security risk.
aspnet:AllowRelaxedRelativeUrl
Specifies how ASP.NET login pages will redirect to a return URL whose destination is outside the hosted application.Type:
Default value:
false
Remarks:
If this key value is false [default], ASP.NET login pages will not redirect to a return URL whose destination is outside the hosted application. If this key value is true, ASP.NET login pages will perform no such check on the return URL and will redirect to it regardless.
Example:
<appSettings> <add key="aspnet:AllowRelaxedRelativeUrl" value="false" /> </appSettings>Warning
Setting this attribute to true can pose a security risk.
aspnet:AllowRelaxedUnicodeDecoding
Specifies whether ASP.NET will perform additional Unicode validation on incoming client-supplied data.Type:
Default value:
false
Remarks:
If this key value is false [default], ASP.NET will perform additional Unicode validation on incoming client-supplied data. If this key value is true, ASP.NET will not perform extra validation.
Example:
<appSettings> <add key="aspnet:AllowRelaxedUnicodeDecoding" value="false" /> </appSettings>aspnet:AllowUtf7RequestContentEncoding
Specifies whether clients can specific an encoding for the Content-Encoding header.Type:
Default value:
false
Remarks:
By default, ASP.NET allows clients to specify the text encoding of incoming payload data. Clients can send this information via the Content-Encoding header, and ASP.NET reflects this information via the ContentEncoding property. If key value is false [default], clients cannot use the Content-Encoding header to request that ASP.NET treat the incoming payload as UTF-7. If key value is true, clients can specify any encoding (including UTF-7) for the Content-Encoding header, and ASP.NET will try to interpret the incoming payload using that encoding. For more information about UTF-7, see the UTF7Encoding class.
Example:
<appSettings> <add key="aspnet:AllowUtf7RequestContentEncoding" value="false" /> </appSettings>aspnet:DoNotDisposeSpecialHttpApplicationInstances
Specifies whether ASP.NET disposes of "special" instances of all registered IHttpModule types that are used to perform application instantiation.Type:
Default value:
false
Remarks:
When an ASP.NET application is first starting, "special" instances of all registered IHttpModule types are created. These special instances are used to perform application instantiation. These special instances are not actually used for servicing requests. If key value is false [default], these special instances are disposed (IHttpModule implements IDisposable) when the application shuts down. If this key value is true, these special instances are not disposed.
Example:
<appSettings> <add key="aspnet:DoNotDisposeSpecialHttpApplicationInstances" value="false" /> </appSettings>aspnet:FormsAuthReturnUrlVar
Specifies the return URL to use after Forms authentication has been completed.Type:
Default value:
[empty string]
Remarks:
This appSettings key relates specifically to SharePoint. When this key value is set, the value will be used as the return URL after the client of the web application has completed authentication (logged via ASP.NET membership). If this value is left empty, after completing authentication the client will be redirected based on the ReturnUrl query string parameter used when authenticating.
Example:
<appSettings> <add key="aspnet:FormsAuthReturnUrlVar" value="" /> </appSettings>aspnet:JavaScriptDoNotEncodeAmpersand
Specifies whether the default built-in JavaScript string encoding routines will encode the ampersand ('&') character.Type:
Default value:
false
Remarks:
If this key value is false [default], the default built-in JavaScript string encoding routines will encode the ampersand ('&') character as "\u0026", which is the JavaScript-escaped form of that character. If key value is true, the default built-in JavaScript string encoding routines will not encode the ampersand character.
Example:
<appSettings> <add key="aspnet:JavaScriptDoNotEncodeAmpersand" value="false" /> </appSettings>Warning
Setting this attribute to true can pose a security risk.
aspnet:MaxConcurrentCompilations
Controls parallel compilation of non-dependencies in web directories.Type:
Default value:
1
Remarks:
If this key value is "0", all server cores will be used for concurrent compilations. If the key value is "1" [default], concurrent compilations will be disabled. If the key value is "2" or more, concurrent core compilation will be explicitly set to this value and will act as the max value.
Users with available cores (not shared hosting) can use this setting to improve startup times. If possible, set this application setting to the number of cores on the server. This setting is specifically intended for 4.0 applications that want to get the benefit of current compilations, however as 4.0 applications they are unable to set the 4.5 specific attribute on the compilation element. Also, this application setting allows applications to specifically opt out when deployed to hosts running 4.5.
Example:
<appSettings> <add key="aspnet:MaxConcurrentCompilations" value="1" /> </appSettings>aspnet:MaxHttpCollectionKeys
Limits the maximum number of items that can be present in any of the client-provided dictionaries of the HttpRequest object.Type:
Default value:
1000
Remarks:
The client-provided dictionaries include HttpRequest.Files, HttpRequest.Form, HttpRequest.Cookies, HttpRequest.QueryString, HttpRequest.Headers, HttpRequest.ServerVariables.
Example:
<appSettings> <add key="aspnet:MaxHttpCollectionKeys" value="1000" /> </appSettings>Warning
Setting this attribute to too large a number can pose a security risk.
aspnet:MaxJsonDeserializerMembers
Specifies the limit of the maximum number of items that can be present in any dictionary deserialized by the JavaScriptSerializer type.Type:
Default value:
1000
Remarks:
Example:
<appSettings> <add key="aspnet:MaxJsonDeserializerMembers" value="1000" /> </appSettings>Warning
Setting this attribute to too large a number can pose a security risk.
aspnet:RestrictXmlControls
Specifies how ASP.NET will load XSLTs.Type:
Default value:
false
Remarks:
If this key value is false [default], ASP.NET’s XML controls use XslTransform for XSLT operations. If this key value is true, ASP.NET’s XML controls use XslCompiledTransform for XSLT operations.
Example:
<appSettings> <add key="aspnet:RestrictXmlControls" value="false" /> </appSettings>aspnet:ScriptResourceAllowNonJsFiles
Specifies whether the ScriptResource.axd handler can serve static files from the hard drive if a Web Forms page contains the markup <asp:ScriptReference Path="~/the-file.ext" />.Type:
Default value:
false
Remarks:
The ScriptResource.axd handler can serve arbitrary static files from the hard drive. If this value attribute is false [default], ScriptResource.axd will not serve requests for files unless the file has a .js extension. If this value attribute is true, ScriptResource.axd will serve requests for any file.
Example:
<appSettings> <add key="aspnet:ScriptResourceAllowNonJsFiles" value="false" /> </appSettings>Warning
Setting this attribute to true can pose a security risk. Malicious clients may be able to read sensitive files from your web site.
aspnet:UpdatePanelMaxScriptLength
Specifies a JSON payload size limit value that the ScriptManager will use to temporarily override the limit that the JavaScriptSerializer will allow when sending large JSON payloads to the client.Type:
Default value:
0
Remarks:
The JavaScriptSerializer type has a limit on the maximum JSON payload size it can produce or consume. This limit defaults to 2MB and is configurable via the MaxJsonLength property. The ScriptManager type uses JavaScriptSerializer internally. If this key value is set to a value greater than 0, ScriptManager will temporarily override the limit that the JavaScriptSerializer will allow when sending large JSON payloads to the client, using the provided key value as the JSON payload size limit. If this switch is set to 0, ScriptManager will not override the JavaScriptSerializer default limits.
Example:
<appSettings> <add key="aspnet:UpdatePanelMaxScriptLength" value="0" /> </appSettings>aspnet:UseHostHeaderForRequestUrl
Specifies how the Url property is dynamically built. By default, the Url property is dynamically built from the host, port, and path provided by the web server.Type:
Default value:
false
Remarks:
If this value attribute is false [default], the Url property is dynamically built from the host, port, and path provided by the web server. If this value attribute is true, the Url property is dynamically built by using the host and port provided by the incoming "Host" header and the path provided by the web server.
Example:
<appSettings> <add key="aspnet:UseHostHeaderForRequestUrl" value="false" /> </appSettings>aspnet:UseLegacyEncryption
Specifies whether ASP.NET will sign payloads that are encrypted.Type:
Default value:
false
Remarks:
If this key value is false [default], ASP.NET will sign any payload that is encrypted, and it will verify cryptographic signatures before decrypting such payloads. Examples of these payloads might be ViewState, FormsAuth cookies, and ScriptResource.axd URLs. If this key value is true, ASP.NET will not sign payloads that are encrypted, and cryptographic signatures of such payloads will not be verified. The Encode and Decode APIs are unaffected by this switch; they have their own compatibility switch.
Example:
<appSettings> <add key="aspnet:UseLegacyEncryption" value="false" /> </appSettings>Warning
Setting this attribute to true can pose a security risk.
aspnet:UseLegacyEventValidationCompatibility
Specifies the serialization format ASP.NET will use for the __EVENTVALIDATION field in Web Forms applications.Type:
Default value:
false
Remarks:
If this key value is false [default], the __EVENTVALIDATION field in Web Forms applications is serialized using a new format intended for 4.5 and later. If this switch is true, the __EVENTVALIDATION field uses a serialization format compatible with earlier versions of ASP.NET. This setting should only be set to true while migrating an application in a web farm deployment to .NET 4.5. This will enable pages generated by servers running 4.0 to be posted to servers running 4.5, and vice-versa. Once the migration is complete, this key must be removed or be set back to false.
Example:
<appSettings> <add key="aspnet:UseLegacyEventValidationCompatibility" value="false" /> </appSettings>aspnet:UseLegacyFormsAuthenticationTicketCompatibility
Specifies whether ASP.NET willType:
Default value:
false
Remarks:
If this key value is false [default], ASP.NET serializes FormsAuth tickets by using a 4.0 serialization format. If this key value is true, ASP.NET uses an older serialization format.
Example:
<appSettings> <add key="aspnet:UseLegacyFormsAuthenticationTicketCompatibility" value="false" /> </appSettings>Warning
Setting this attribute to true can pose a security risk.
aspnet:UseLegacyMachineKeyEncryption
Specifies whether ASP.NET will sign any payload that is encrypted via the MachineKey.Encode API.Type:
Default value:
false
Remarks:
If this key value is false [default], ASP.NET will sign any payload that is encrypted via the Encode API, and it will verify cryptographic signatures before decrypting such payloads. If this key value is true, ASP.NET will not sign payloads that are encrypted via the Encode API, and cryptographic signatures of such payloads will not be verified. ViewState, Forms authentication and similar areas of state management are unaffected by this key value; they have their own compatibility switch.
Example:
<appSettings> <add key="aspnet:UseLegacyMachineKeyEncryption" value="false" /> </appSettings>Warning
Setting this attribute to true can pose a security risk.
aspnet:UseTaskFriendlySynchronizationContext
Specifies how asynchronous code paths in ASP.NET 4.5 behave.Type:
Default value:
false
Remarks:
If this key value is set to false [default], asynchronous code paths in ASP.NET 4.5 behave as they did in ASP.NET 4.0. If this key value is set to true, ASP.NET 4.5 uses code paths that are optimized for Task-returning APIs. Setting this compatibility switch is mandatory for WebSockets-enabled applications, for using Task-based asynchrony in Web Forms pages, and for certain other asynchronous behaviors.
Example:
<appSettings> <add key="aspnet:UseTaskFriendlySynchronizationContext" value="false" /> </appSettings>aspnet:MaxAcceptLanguageFallbackCount
Controls how deep to look for a CultureInfo object from an HTTP Accept-Language header.Type:
Default value:
3
Remarks:
For example, if you leave the default value of 3 and if an Accept-Header is received with “en-us, en, fr-FR, zh-CN”, ASP.NET will look for “en-us”, “en”, and “fr-FR” in that order, but if all three fail it won’t look for “zh-CN”.
Example:
<appSettings> <add key="aspnet:MaxAcceptLanguageFallbackCount" value="3" /> </appSettings>aspnet:UseLegacyRequestUrlGeneration
Controls the behavior of HttpRequest.Url, which represents the current request.Type:
Default value:
false
Remarks:
If this switch is false, the ASP.NET runtime generates a Uri that has better standards compliance than previous versions of ASP.NET. If this switch is true, the runtime generates a Uri that is compatible with previous versions.
Example:
<appSettings> <add key="aspnet:UseLegacyRequestUrlGeneration" value="false" /> </appSettings>PageInspector:ServerCodeMappingSupport
Specifies whether the Page Inspector is enabled in Visual Studio.Type:
Default value:
Disabled
Remarks:
If the PageInspector:ServerCodeMappingSupport key value is set to Enabled in the Web application, the Page Inspector will be enabled, except if a retail attribute of the deployment element is set to true in the <system.web> section of the Machine.config file. If the retail attribute is not set in the Machine.config file and the PageInspector:ServerCodeMappingSupport key value is also not set, debug mode will determine whether the Page Inspector is enabled.
Example:
<appSettings> <add key="PageInspector:ServerCodeMappingSupport" value="Disabled" /> </appSettings>ValidationSettings:UnobtrusiveValidationMode
Specifies how ASP.NET globally enables the built-in validator controls to use unobtrusive JavaScript for client-side validation logic.Type:
Default value:
None
Remarks:
If this key value is set to "None" [default], the ASP.NET application will use the pre-4.5 behavior (JavaScript inline in the pages) for client-side validation logic. If this key value is set to "WebForms", ASP.NET uses HTML5 data-attributes and late bound JavaScript from an added script reference for client-side validation logic.
Example:
<appSettings> <add key="ValidationSettings:UnobtrusiveValidationMode" value="None" /> </appSettings>