Best practices securing HTTP/HTTPS (continued) Configuration continued... IncludesNoExec Directive Do Not Remove the IncludesNoExec Directive. By default, the server-side includes module cannot execute commands. It is ill advised to change this setting unless you absolutely have to, as it could potentially enable an attacker to execute commands on the system. Restrict Permissions for Executable Directories. Be certain to only allow write permissions for the root user only for any directory containing scripts or CGIs. Also, always verify that any scripts you are running work as intended before putting them into production.