4.4 Ensure non-ASCII characters in URLs are not allowed - Default


This feature is used to allow or reject all requests to IIS that contain non-ASCII characters. When using this feature, Request Filtering will deny the request if high-bit characters are present in the URL. The UrlScan equivalent is AllowHighBitCharacters.

It is recommended that requests containing non-ASCII characters be rejected, where possible.


This feature can help defend against canonicalization attacks, reducing the potential attack surface of servers, sites, and/or applications.


Requests containing non-ASCII characters be rejected.


The AllowHighBitCharacters Request Filter may be set for a server, website, or application using the IIS Manager GUI, using AppCmd.exe commands in a command-line window, and/or directly editing the configuration files. To configure using the IIS Manager GUI:

Open Internet Information Services (IIS) Manager

In the Connections pane, go to the connection, site, application, or directory to be configured

In the Home pane, double-click Request Filtering

Click Edit Feature Settings... in the Actions pane

Under the General section, uncheck Allow high-bit characters

Note: Disallowing high-bit ASCII characters in the URL may negatively impact the functionality of sites requiring international language support.
Enter the following command in AppCmd.exe to configure:

%systemroot%\system32\inetsrv\appcmd set config /section:requestfiltering /allowHighBitCharacters:false


Enter the following command in PowerShell to configure:

Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter 'system.webServer/security/requestFiltering' -name 'allowHighBitCharacters' -value 'False'

Default Value:

When Request Filtering is installed on a system, the default behavior is to allow high-bit characters in URI.

See Also


Item Details


References: 800-53|SA-8, CSCv7|18

Plugin: Windows

Control ID: 97b212995818b17f32f7469812a323f3f8cba5f84988b4a7380bb931ecd632b0