By default, ASP.NET will reject a request that’s larger than 4MB, but you can change this maximum by modifying the maxRequestLength setting in the web.config file. This setting specifies the largest allowed file size, in kilobytes. The web server will refuse to process larger requests.

The following sample setting configures the server to accept files up to 10MB:

 

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.web>
    <!-- Other settings omitted for clarity. -->
    <httpRuntime maxRequestLength="10240" />
  </system.web>
</configuration>

 

When you allow a 10MB upload, your code won’t run until that full request has been received. This means a malicious client could cripple your server by sending large request messages to your application. Even if your application ultimately rejects these messages, the ASP.NET worker process threads will still be tied up waiting for the requests to complete. This type of attack is called a denial-of-service attack, and the larger your allowed request size is, the more vulnerable your website becomes.
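
One way to limit that exposure, shown here as an added example rather than configuration from the original article: keep the site-wide limit at the 4MB default and raise it to 10MB only for the page that accepts uploads, using a location element. The path Upload.aspx is a hypothetical name for that page.

```xml
<?xml version="1.0" encoding="utf-8" ?>
<configuration>

  <system.web>
    <!-- Site-wide limit: the 4MB default, stated explicitly (value is in KB). -->
    <httpRuntime maxRequestLength="4096" />
  </system.web>

  <!-- Hypothetical upload page: only requests to this path may be up to 10MB. -->
  <location path="Upload.aspx">
    <system.web>
      <httpRuntime maxRequestLength="10240" />
    </system.web>
  </location>

</configuration>
```

With this layout, a large request sent to any other URL in the application is refused at the 4MB limit, so the larger allowance applies to a single endpoint instead of the whole site.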