UPDATE: Vincent Seguin, Team Leader at Coveo has notified me that this issue is fixed in the current version of Coveo as GET requests have been changed to POST. Great news!
When initially installing Coveo, you can expect to tweak your web.config to accommodate. This is because of Coveo's REST API and the large amount data it encodes into the request.
This resolves 500 and 404.15 errors related to both Coveo JS UI and Coveo for Sitecore's ContentSearch API.
Error: The length of the query string for this request exceeds the configured maxQueryStringLength value
Open you web.config and look under the *<system.web> > <httpRuntime /> > * node and increase both values as needed:
<system.web> <httpRuntime maxRequestLength="512000" executionTimeout="600" maxQueryStringLength="204800" enableKernelOutputCache="false" />
The above will fix 500 errors. We also need to fix 404.15 errors.
Error: 404.15 – Not Found: The request filtering module is configured to deny a request where the query string is too long
We also must also increase the url and query string values in the <requestLimits /> to address this:
<system.webServer> <security> <requestFiltering> <requestLimits maxAllowedContentLength="5242880" maxQueryString="204800" /> </requestFiltering> </security>
Does increasing these values create a security risk? Not really. Limiting the lengths of URLs and query strings is primarily to limit to amount of code that could be injected as part of an attack. As long as your code has is not susceptible to injection attacks, this is not an issue.
We've penetration tested Coveo's REST API and found no such vulnerabilities.
This post was authored using Markdown for Sitecore.