I have an IIS app that hosts webservices. Each service performs a different set of tasks. One of the service supports uploading files and I have set httpRuntime maxRequestLength and maxAllowedContentLength to around 2 GB. This also applies to other services hosted in the same application. Having such a high request limit does not make sense for them. To comply with OWASP requirement
V18: Web Services Verification Requirements
V18.4 Verify that all input is limited to an appropriate size limit.
I need to restrict the request limit for other services.
I have reviewed solutions such has having separate web app for each service or implementing custom logic in the service itself to reject the request after checking its length. With the first one, I will need to create several web apps and the second solution will let the massive request enter the IIS pipeline wasting resources which anyway will be rejected by the service.
What’s the best way to do this?