So you need people to upload files to your web application, but you’re a smart developer and you want to make sure you’re not vulnerable to any kind of DoS. Luckily Microsoft has built a setting into the <httpRuntime> element of ASP.NET called maxRequestLength to govern the maximum size of an HTTP request. Great, problem solved! Well, here’s the bad news: if someone does exceed that length you can’t handle that error gracefully in any way shape or form.
The ASP.NET runtime will immediately reject the request based on the Content-Length HTTP header and will not execute any other part of the ASP.NET pipeline. This includes anything you’ve set for <customErrors>. The only thing I can think of to do is to customize the 500 status in IIS, but it kinda stinks that I have to resort to configuring IIS to work around this. 🙁