BlueHost Server Side Includes (SSI)

Although BlueHost offers only a single hosting plan, it supports Server Side Includes (SSI). By default, BlueHost's hosting is set up so that SSI works in pages that use the .shtml file extension. Pages that use the .htm or .html extensions are not parsed for SSI under the default setup, so users who want SSI in those files need to enable it for those extensions themselves.

BlueHost does, however, offer step-by-step instructions on how to allow SSI for file extensions other than .shtml by adding a new handler. Setting the extension to .html and the handler to server-parsed instructs the server to process .html files, so that users can use SSI directives in them.

Server Side Includes Security

SSIs are snippets of code that not only simplify the maintenance of a web site but also make web pages more interactive for users. Because of this, and because they are simple to implement, many web programmers and developers are attracted to SSI, even though it carries certain risks that must be recognized and avoided.

Using SSI to show environment variables or file statistics poses no security risk, and neither does the #include function, as long as the directory that contains the included file is not web accessible. Security risks may manifest only when SSI is used to execute programs or related applications on the web server, particularly when the #exec function is used. This may enable hackers to run commands so they can access or steal data, or delete or corrupt files. It is much safer to disable the #exec function on the web server, or to limit its use to trusted users only. To avoid security risks while using SSI, #exec must be used only where it is absolutely necessary.

If running a program through SSI is unavoidable, it is much safer to use #include combined with the “virtual=” parameter instead of the #exec directive. The “virtual=” parameter specifies the target relative to the root directory of the server instead of the directory of the current file. In this manner, program files are not kept among web-accessible files. In situations where there is no access to the root directory of the web server, the #exec directive can be enabled or disabled for specific directories by using the appropriate parameters in the .htaccess file that is usually located in each directory. The .htaccess file is the directory-level counterpart of the root-level configuration file. If the web page is hosted by an external hosting provider such as BlueHost or an ISP (internet service provider), access to the root directory of the web server is very unlikely, and in these situations .htaccess files can be used.

Avoiding SSI Security Risks

The safest approach is to enable only the minimum necessary functionality. Even though BlueHost is known for its secure web hosting services, SSI must be activated only in directories where it is really needed. Parsing can be automatically disabled in certain directories, especially users' home directories. Because the parameters in .htaccess files also apply to subdirectories, SSI must be activated only in directories with HTML files that need to be parsed for server side includes. Likewise, confidential data must be kept in directories that are not subdirectories of a directory with SSI activated.

The same minimalist standard applies to file permissions. Programs and applications that are called from SSI code must be located in directories whose permissions are set to read, write, and execute for the user. For the group and other users, the permissions must be set to read and execute only.
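
The checks described in this section and in the #exec advice above can be run over a site's files before upload. The following is an added example, not code from the original article or from BlueHost; it assumes an Apache server with mod_include, where "Options Includes" permits #exec and "Options IncludesNOEXEC" does not, and the function names and the sample directory tree are constructed for illustration.

```python
import re
import stat
import tempfile
from pathlib import Path

# Assumption: Apache mod_include, where "Options Includes" permits #exec and
# "Options IncludesNOEXEC" keeps SSI parsing but turns #exec off.
EXEC_RE = re.compile(r"<!--#exec\s+(?:cmd|cgi)\s*=", re.I)
OPTIONS_RE = re.compile(r"^[ \t]*Options[ \t]+(.+)$", re.I | re.M)
PARSED_EXT = (".shtml", ".html", ".htm")

def audit(docroot):
    """Return sorted (issue, relative_path) findings for one document root."""
    findings = []
    for path in Path(docroot).rglob("*"):
        rel = path.relative_to(docroot).as_posix()
        if path.stat().st_mode & (stat.S_IWGRP | stat.S_IWOTH):  # looser than 755
            findings.append(("group-or-other-writable", rel))
        if path.is_dir():
            continue
        text = path.read_text(errors="replace")
        if path.name == ".htaccess":
            for line in OPTIONS_RE.findall(text):
                # Exact token match, so IncludesNOEXEC and -Includes pass.
                if "includes" in [t.lstrip("+").lower() for t in line.split()]:
                    findings.append(("exec-enabled", rel))
        elif path.suffix.lower() in PARSED_EXT and EXEC_RE.search(text):
            findings.append(("exec-directive", rel))
    return sorted(findings)

def build_sample_tree():
    """Constructed sample: one risky directory and one hardened directory."""
    root = Path(tempfile.mkdtemp())
    sample = {
        "risky/.htaccess": "AddHandler server-parsed .html\nOptions +Includes\n",
        "risky/index.html": '<!--#exec cmd="uptime" -->\n',
        "safe/.htaccess": "AddHandler server-parsed .html\nOptions +IncludesNOEXEC\n",
        "safe/index.html": '<!--#include virtual="/includes/footer.html" -->\n',
    }
    for rel, text in sample.items():
        path = root / rel
        path.parent.mkdir(exist_ok=True)
        path.write_text(text)
        path.chmod(0o644)
        path.parent.chmod(0o755)
    (root / "risky").chmod(0o777)  # deliberately too open
    return root

if __name__ == "__main__":
    print(audit(build_sample_tree()))
```

Only the "risky" directory is reported: its .htaccess leaves #exec enabled, its page contains an #exec directive, and the directory is writable by group and others.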

SSI offers simplicity of implementation and maintenance; however, users must understand its security risks and know how to avoid them. BlueHost is among the few web hosting providers that offer comprehensive web hosting features such as SSI, but that does not mean users should rely on BlueHost alone for their web security. Other security features are included in BlueHost's basic hosting package, and all of them are available even to those who use the discount. With a Bluehost domain coupon, users can lower the cost to just $3.95 per month and still enjoy a whole range of features including SSI support.

