Best practices securing HTTP/HTTPS (continued)...


Server Side Includes

Server Side Includes (SSI) present a server administrator with several potential security risks.

Denial of Service - all SSI-enabled files have to be parsed by Apache while this load increase is minor, in a shared server environment it can become significant.

Enabling SSI for files with .html or .htm extensions can be dangerous.  SSI-enabled files should have a separate extension, such as the conventional .shtml. This helps keep server load at a minimum and allows for easier management of risk.  To isolate the damage a wayward SSI file can cause, a server administrator can enable suexec.

SSI files also pose the same risks that are associated with CGI scripts in general. Using the "exec cmd" element, SSI-enabled files can execute any CGI script or program under the permissions of the user and group Apache runs as, as configured in httpd.conf.