Hiding include scripts

         

UserFriendly

5:57 pm on Jul 7, 2006 (gmt 0)

10+ Year Member



I have a piece of code written in PHP that generates a random quote.

At the moment I am using Apache's server-side include mechanism to get the output of the script to appear on my page.

But I don't want a user or another site to be able to call the PHP file.

I've had no luck so far in allowing Apache and PHP access to the file while making it invisible to the outside world. Any attempt to block access to the outside world has caused Apache to output a warning onto my pages instead of the output of the script. So far I've tried using "deny from all" and I've also tried removing public access permissions from the file.

Surely there's a way of letting Apache and PHP make use of this file without it being world-readable?

jatar_k

6:38 pm on Jul 7, 2006 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



you can move the file above the root of your site

this would allow the file to still be included but would not allow someone to call it directly in a browser.

The thing I don't understand though is why you are so worried about it? If someone called this file it should just output a quote to the browser.

though maybe I am missing something.

UserFriendly

11:10 pm on Jul 7, 2006 (gmt 0)

10+ Year Member



I don't think that Apache's server-side include allows files to be included from above the current directory. (Just tried it, and had no luck.)

As for my reasons for wanting to secure script access, it's mostly because I don't want the sort of drain on my bandwidth that I've seen from hotlinking images. Not to mention the extra CPU usage it would cause.

jatar_k

11:28 pm on Jul 7, 2006 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



you could use php includes instead, they can definitely include from anywhere
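An added illustration of the PHP-include approach suggested above (not part of the original thread and not any poster's code): the page pulls the quote script from a directory outside the document root and logs, rather than prints, a failure. The paths, the `private_script` helper and the `QUOTE_INCLUDED` constant are hypothetical.

```php
<?php
declare(strict_types=1);
// Added example. Assumed (hypothetical) layout on the shared host:
//   /home/example/private/quote.php      outside the document root: no URL maps to it
//   /home/example/public_html/index.php  this page
// If the host offers no directory above the document root, keep quote.php
// inside it and start it with a guard so a direct request does no work:
//   <?php if (!defined('QUOTE_INCLUDED')) { http_response_code(404); exit; }

/** Resolve a private script; return null unless it lies outside $docRoot. */
function private_script(string $docRoot, string $privateDir, string $name): ?string
{
    $root = realpath($docRoot);
    $path = realpath($privateDir . DIRECTORY_SEPARATOR . basename($name));
    if ($root === false || $path === false || !is_file($path)) {
        return null;                      // missing file or bad configuration
    }
    // Reject anything that resolves (symlinks included) to a web-served path.
    if (strpos($path, rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR) === 0) {
        return null;
    }
    return $path;
}

// DOCUMENT_ROOT is empty under the CLI, so fall back to this file's directory.
$docRoot    = !empty($_SERVER['DOCUMENT_ROOT']) ? $_SERVER['DOCUMENT_ROOT'] : __DIR__;
$privateDir = dirname($docRoot) . '/private';   // assumed sibling of public_html
define('QUOTE_INCLUDED', true);                 // checked by the guard shown above
$script = private_script($docRoot, $privateDir, 'quote.php');
?>
<p class="quote">
<?php
if ($script !== null) {
    include $script;                      // runs in-process; no HTTP request involved
} else {
    // Log the problem instead of letting a warning appear in the page.
    error_log('quote.php not found outside the document root');
}
?>
</p>
```

Because the include is a filesystem read inside the PHP process, Apache access rules such as "Deny from all" on the private directory do not affect it.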

UserFriendly

12:16 am on Jul 8, 2006 (gmt 0)

10+ Year Member



Yeah, I'm switching to that method now. Much uglier in the middle of the HTML markup, and it means converting the page to execute through PHP. So I'm very disappointed that SSI didn't offer a secure solution.

I think it is possible to use SSI without making the files publicly accessible, but I'm on shared hosting that doesn't allow me to configure Apache for such adventures.

jdMorgan

4:53 am on Jul 8, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Did you try putting the script into a separate (sub)directory, and then password-protecting that directory?

That should work if you're using the <!--#include virtual="/cgi-local/dosomething.pl?data/new-pid.csv" --> SSI invocation method.

Jim

UserFriendly

11:54 am on Jul 8, 2006 (gmt 0)

10+ Year Member



I tried to do that and then make the directory "Deny from all", but that stopped Apache accessing the files too.

I'll try to password-protect the directory. There must be a way to do this.