
Server-Side Includes (SSI) Explained: What You Need to Know

Important:
  • This article assumes that you have sufficient coding knowledge for your website. If you need help, we recommend consulting with your web developer.
  • Before using Server-Side Includes (SSI), note that it is a feature supported only by specific web servers (for example, Apache, Nginx, or LiteSpeed).

How Do Server-Side Includes (SSI) Work?

With Server-Side Includes (SSI), you can modify web pages at the server level before they are sent to your visitor's browser. An SSI directive is written as an HTML comment that instructs the web server to generate or insert content dynamically each time the page is requested.

Without any programming or CGI scripts, SSI directives applied to an HTML document can provide interactive, real-time features such as:

  • Echoing the current time
  • Conditional execution based on logical comparisons
  • Querying or updating a database
  • Sending an email

An SSI directive is a special sequence of characters, called a token, embedded in an HTML page. As the page is sent from the HTTP server to the requesting client, the server scans it for these tokens. When it finds one, the server interprets the data in the token and performs the corresponding action.

Note: For Server-Side Includes (SSI) with code examples, see Apache's support document.

Advantages and Disadvantages of using SSI

Advantages

  • Changing a common element (for example, modifying your navigation menu) requires only one update to the included file instead of updating every page on your website, which makes maintenance easier.
  • Using SSI to include common elements can improve your website's performance and speed because it reduces the amount of HTML code that needs to be served to a user's browser.

Disadvantages

  • Before using SSI, it is important to ensure that your web server supports it, as it may not be available from all web hosting providers.
  • Since SSI is executed on the server side, a misconfigured server carries a risk of server-side code injection. You should take appropriate security measures to avoid this.
  • SSI can become complex if you have a large number of included files.

Security Considerations for Using SSI

To avoid server-side code injections or attacks, please take note of the following:

Consider Alternatives

Other ways of loading dynamic content into your web pages, such as JavaScript or AJAX, can be preferred over SSI. Doing so avoids SSI injection attacks altogether.

Avoid Mixing SSI pages and User Input

If you need to incorporate SSI, refrain from including user-controllable data on pages that are processed for SSI directives. This will reduce the likelihood of an SSI attack.

Refrain from Using .shtml, .shtm, and .stm Pages

SSI can be used in .htm and .html pages. Using the .stm, .shtm, or .shtml extensions, however, makes it easier for attackers to identify that the server processes SSI and may be vulnerable to SSI injection.

Validate All User Input

It is important to validate any input users provide, even if you have decided to continue using SSI without .stm, .shtm, or .shtml pages. Validate all user input against a list of allowed characters or strings. Additionally, validating user input on the server side is crucial, even if it has already been validated on the client side. For instance, if your website has a login form, the username field should accept only characters that are valid in a username and nothing else.
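As an added example (not code from this article or from any web server's source), the following Python script models the token scanning described above under "How Do Server-Side Includes (SSI) Work?" and then applies the two controls from the last sections: an allowlist for the username field and HTML escaping for free text, so that the server's SSI pass never sees a user-supplied token. The in-memory document root, the fixed server variables, the page template and the `validate_username`, `escape_for_ssi_page` and `render_profile_*` helpers are all assumptions constructed for this example; no real server (Apache mod_include, the Nginx ssi module) is involved.

```python
import html
import re

# Constructed in-memory "document root" (path -> contents). It stands in for
# the files an SSI-enabled server would read from disk; the path and the
# contents are made up for this example.
DOCUMENT_ROOT = {
    "/nav.html": '<ul><li><a href="/">Home</a></li><li><a href="/about">About</a></li></ul>',
}

# Fixed stand-ins for server variables so that the output is deterministic.
SERVER_VARS = {
    "DATE_LOCAL": "2024-01-01 12:00:00",
    "DOCUMENT_NAME": "profile.shtml",
}

# The token the server scans for: an HTML comment whose body starts with '#',
# e.g. <!--#include virtual="/nav.html" --> or <!--#echo var="DATE_LOCAL" -->.
SSI_TOKEN = re.compile(r'<!--#(?P<cmd>\w+)\s+(?P<attr>\w+)="(?P<val>[^"]*)"\s*-->')
ERROR_MARKER = "[an error occurred while processing this directive]"


def contains_ssi_directive(text: str) -> bool:
    """True if the text holds anything the server would interpret as an SSI token."""
    return SSI_TOKEN.search(text) is not None


def process_ssi(page: str) -> str:
    """Model of what the server does before sending a page: scan for tokens,
    act on each one and substitute the result in place. Only 'include virtual'
    and 'echo var' are modelled; any other command yields the error marker."""

    def substitute(match):
        cmd, attr, val = match.group("cmd", "attr", "val")
        if cmd == "include" and attr == "virtual":
            # Included files are themselves scanned for tokens, as on a real server.
            return process_ssi(DOCUMENT_ROOT.get(val, ERROR_MARKER))
        if cmd == "echo" and attr == "var":
            return SERVER_VARS.get(val, "(none)")
        return ERROR_MARKER

    return SSI_TOKEN.sub(substitute, page)


# Hypothetical profile page that the server processes for SSI directives.
PAGE_TEMPLATE = """<html><body>
<!--#include virtual="/nav.html" -->
<p>Welcome, {username}!</p>
<p>About me: {bio}</p>
<p>Generated: <!--#echo var="DATE_LOCAL" --></p>
</body></html>"""

# Allowlist for the username field: letters, digits, dot, underscore, hyphen.
USERNAME_ALLOWED = re.compile(r"[A-Za-z0-9._-]{1,32}")


def validate_username(value: str) -> str:
    """Allowlist check: the field accepts only characters valid in a username."""
    if not USERNAME_ALLOWED.fullmatch(value):
        raise ValueError("username contains characters outside the allowed set")
    return value


def escape_for_ssi_page(text: str) -> str:
    """For free text that cannot be allowlisted: HTML-escape it so that '<', '>'
    and quotes can never form a comment, and therefore never form an SSI token."""
    return html.escape(text, quote=True)


def render_profile_unsafe(username: str, bio: str) -> str:
    """Untrusted input dropped straight into an SSI-processed page: the
    'mixing SSI pages and user input' mistake the article warns against."""
    return process_ssi(PAGE_TEMPLATE.format(username=username, bio=bio))


def render_profile_safe(username: str, bio: str) -> str:
    """The same page with the username validated and the bio escaped before the
    server's SSI pass sees either of them."""
    return process_ssi(PAGE_TEMPLATE.format(
        username=validate_username(username),
        bio=escape_for_ssi_page(bio),
    ))


if __name__ == "__main__":
    # Constructed bio that carries a directive into the page.
    bio = 'hi <!--#echo var="DOCUMENT_NAME" -->'
    print(render_profile_unsafe("bob", bio))  # the server variable ends up in the page
    print(render_profile_safe("bob", bio))    # the same input is rendered as literal text
```

Running the script shows the unsafe render substituting the `DOCUMENT_NAME` variable into the page, while the safe render shows the same bio as literal text. The allowlist is the primary control, because it never lets a `<` into the page at all; escaping covers fields such as a free-text bio where an allowlist is impractical, and validating on the server guarantees the check cannot be bypassed by skipping the client.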

Review

Understanding Server-Side Includes is crucial if you use them to build your website. SSI allows dynamic content to be generated on web pages at the server level without programming or CGI scripts, offering features such as echoing the current time, querying databases, and sending emails. Its benefits include a consistent web page appearance, easier maintenance, and improved website performance. However, the risk of server-side code injection and the complexity of managing many included files must also be considered. Security tips include preferring alternatives such as JavaScript or AJAX, not mixing SSI with user input, avoiding the .shtml, .shtm, and .stm extensions to reduce exposure, and validating all user input to prevent attacks.
