Configuration of allowed request parameters


In some cases, you may need a super-secure configuration in which any non-standard GET or POST parameter sent to your web site results in an error. This allows you to avoid some possible vulnerabilities, including cross-site scripting and SQL injection.

 

This functionality is only used for the web site, not for the administration interface.

 

 

How to configure the allowed parameters

 

First, you need to enable allowed parameter checking in the web.config file by setting the CMSCheckParameters key to true:

 

<add key="CMSCheckParameters" value="true" />

 

If you're not sure which parameters cause the problem, you can turn on reporting using the following web.config key:

 

<add key="CMSReportCheckParameters" value="true" />

 

All parameters are defined in the ~/parameters.config file. The schema of the file is described in the file itself and is rather simple. For every page or site section, you need to define a new <location> section with a path specifying the page and the allowed form (POST) and query (GET) parameters. The following example allows the URL parameter pagenumber in the whole products section of the web site:

 

<location path="/products/%">
  <queryparameters>
    <allow param="pagenumber" />
  </queryparameters>
</location>

 

The path location specifies the path of the pages based on their alias path in Kentico CMS, while the page location is used for single pages that are not part of the Kentico CMS content (custom applications, etc.). The page location starts at the root of the web application and is written without a slash (/) at the beginning.

 

 

Default allowed parameters

 

The common parameters of ASP.NET web forms and the URL parameters aliaspath and lang are allowed by default.
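
An added example, not part of the Kentico documentation or code: a pre-flight check that replays URLs (for instance, from an access log) against the allow-list before CMSCheckParameters is switched on, and lists the query parameters that would count as non-standard. The <parameters> root element, the SQL LIKE reading of %, case-insensitive matching and the mapping from an .aspx URL to an alias path are assumptions; form (POST) parameters and page locations are not modelled.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qsl, urlsplit

# Constructed sample: the <location> element shown above, wrapped in a
# hypothetical <parameters> root so the fragment parses as one document.
SAMPLE_CONFIG = """
<parameters>
  <location path="/products/%">
    <queryparameters>
      <allow param="pagenumber" />
    </queryparameters>
  </location>
</parameters>
"""

# URL parameters the page lists as allowed by default.
DEFAULT_ALLOWED = {"aliaspath", "lang"}


def load_rules(xml_text):
    """Return a list of (compiled path pattern, allowed query parameter names)."""
    rules = []
    for loc in ET.fromstring(xml_text).iter("location"):
        path = loc.get("path")
        if path is None:  # locations without a path (page locations) are not modelled
            continue
        # Assumption: % matches any run of characters, as in SQL LIKE.
        pattern = ".*".join(re.escape(part) for part in path.split("%"))
        allowed = {a.get("param", "").lower()
                   for a in loc.iterfind("queryparameters/allow")}
        rules.append((re.compile(pattern, re.IGNORECASE), allowed - {""}))
    return rules


def rejected_params(url, rules):
    """Return the query parameter names in url that no matching location allows."""
    parts = urlsplit(url)
    # Assumption: the alias path is the URL path without the .aspx extension.
    alias = re.sub(r"\.aspx$", "", parts.path, flags=re.IGNORECASE)
    allowed = set(DEFAULT_ALLOWED)
    for pattern, names in rules:
        if pattern.fullmatch(alias):
            allowed |= names
    sent = {name.lower() for name, _ in parse_qsl(parts.query, keep_blank_values=True)}
    return sorted(sent - allowed)


if __name__ == "__main__":
    rules = load_rules(SAMPLE_CONFIG)
    for url in ("/products/phones.aspx?pagenumber=2&sort=price",  # constructed URLs
                "/news.aspx?pagenumber=2&lang=en-us"):
        print(url, "->", rejected_params(url, rules))
```

Running it over real traffic before enabling the check shows which legitimate parameters still need an <allow> entry, which complements the CMSReportCheckParameters reporting described above.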

 

Page url: http://devnet.kentico.com/docs/devguide/index.html?configuration_of_allowed_request_parameters.htm