
This is the Title of the Book, eMatter Edition
Copyright © 2007 O’Reilly & Associates, Inc. All rights reserved.
Chapter 10: Securing Web Servers
Static files don’t pose much of a security threat on the server side. The web server
just reads them and sends them to the requesting browser. Although there are many
security issues with web browsers, client security is outside the scope of this chapter.
Watch your browser vendor’s web site for security news, patches, and new versions.
Dynamic Content: Server-Side Includes (SSI)
A step up from purely static pages, server-side includes allow inclusion of other static
content, special dynamic content such as file-modification times, and even the output
from the execution of external programs. Unlike CGI scripts, there is no way to
pass input arguments to an SSI page.
SSI configuration
Apache needs to be told that an SSI file is not a lump of inert HTML, but should be
parsed for SSI directives. First, check that includes are permitted for at least some
files in this directory. Add this to httpd.conf or access.conf:
<Location /ssi_dir>
Options IncludesNoExec
</Location>
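An added example (not from the book): a small Python audit that reads Apache configuration text and reports, for each Options directive, whether it enables SSI with program execution (Includes or All), SSI without it (IncludesNoExec, as in the block above), or no SSI. The sample configuration and paths are constructed, and each directive is judged on its own, without modelling inheritance from parent sections or .htaccess overrides.

```python
import re

# Constructed sample configuration (an assumption for this example).
SAMPLE_CONF = """\
<Location /ssi_dir>
    Options IncludesNoExec
</Location>
<Directory /var/www/legacy>
    Options Indexes Includes
</Directory>
<Directory /var/www/all>
    Options All
</Directory>
<Directory /var/www/static>
    Options -Includes +Indexes
</Directory>
"""
OPEN = re.compile(r"<(\w+)\s*([^>]*)>")
CLOSE = re.compile(r"</\w+>")

def classify(tokens):
    """Map one Options directive's arguments to 'exec', 'noexec' or 'off'."""
    ssi = exec_ok = False
    for tok in tokens:
        if tok.startswith("-"):
            continue  # removes an inherited option; enables nothing here
        name = tok.lstrip("+").lower()
        if name in ("includes", "all"):   # All covers Includes
            ssi = exec_ok = True
        elif name == "includesnoexec":    # SSI parsed, exec disabled
            ssi = True
    return "exec" if exec_ok else "noexec" if ssi else "off"

def audit(conf_text):
    """Return (section, line_number, state) for every Options directive."""
    findings, stack = [], ["(server config)"]
    for number, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = OPEN.match(line)
        if opened:
            stack.append(" ".join(opened.groups()).strip())
        elif CLOSE.match(line) and len(stack) > 1:
            stack.pop()
        elif line.split()[0].lower() == "options":
            findings.append((stack[-1], number, classify(line.split()[1:])))
    return findings
```

Sections reported as `exec` are the ones to review and, where external programs are not needed, switch to IncludesNoExec.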
One way to differentiate HTML from SSI files is to use a special suffix such as .shtml
and associate it with Apache’s built-in MIME type for parsable content:
AddType application/x-server-parsed .shtml
or just assign the Apache handler directly:
AddHandler server-parsed .shtml
Using this