How to hide SSInclude file from direct access?

I don't want people to see www.dom.com/header.txt

         

damlag

9:26 pm on Nov 24, 2004 (gmt 0)

10+ Year Member



Hey,
I was wondering if it's possible to hide the include files somehow so that people couldn't access them.

Like if I have an include:
www.mydomain.com/footer.html
people can type this URL and see my include. I don't want that. Is there some way to hide server side includes?

thanx.

txbakers

1:59 am on Nov 25, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



not that I know of.

Just like frames, they are regular html files, so people can link to them directly.

encyclo

2:05 am on Nov 25, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I'm a bit hazy with the precise procedure used by Apache to include the files, but you may be able to set the ownership of the files to the account under which the Apache process is running, then make the files readable only by that account. However, you are limited by the fact that the include files have to be in the document root.

Other server-side include methods such as PHP allow you to include files stored outside the document root, and thus the include files themselves are not available directly with an URL.

jdMorgan

2:21 am on Nov 25, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Included files are normally accessed by the server, and not via HTTP. So you should be able to block HTTP access using mod_rewrite without affecting that back-end access. I haven't tried it, but it's worth a shot.

Jim

quadcity

4:13 am on Nov 25, 2004 (gmt 0)

10+ Year Member



Hello damlag.
>wondering if it's possible to hide the include files
The easiest thing to do is name them something that is hard to guess. For example, f23sdx.html instead of footer.html.

Not perfect, but should be good enough.

damlag

6:20 pm on Nov 25, 2004 (gmt 0)

10+ Year Member



Thanx guys for your posts.
Quadcity, this idea came to my mind also. That's what I'm probably gonna do, and maybe I'll put it into another folder "/inc3423/" or smth.

Thanx and good luck.

PCInk

8:45 pm on Nov 25, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Set the file access permissions to '600'

damlag

5:52 pm on Nov 26, 2004 (gmt 0)

10+ Year Member



See, I have used some website mirroring software and have mirrored a couple of websites. I tried to find includes in those websites, but didn't find any. So I dare to think that people have hidden them somehow. As I'm planning to use SSIs I don't want people like me :) seeing those includes after mirroring my website.

PCInk, will chmoding to 600 help me to avoid this problem? I mean, will it be possible to retrieve my includes or not?

thx.

jdMorgan

6:09 pm on Nov 26, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I tested the method described in msg#4. It works fine.

Jim

damlag

9:49 am on Dec 5, 2004 (gmt 0)

10+ Year Member



PCInk,
I've tried to chmod to 600 and it doesn't work. The server simply can't parse those files and shows an error (just like when you set the wrong reference to an include file).

However, I tried to copy my site with mirror tools and good news is that it didn't download any includes and even folders that were not linked by any file.

So does that mean my includes and folders can be safe from someone who'll try to copy my site?

submitx

11:47 am on Dec 5, 2004 (gmt 0)

10+ Year Member



As others mentioned, you should be able to change permissions so only the server can see it. Try CHMOD 750. (CHMOD 600 sounds incorrect, it is only owner read and write, no owner execute, and no group rights)

Another solution: use robots.txt to disallow the spiders from seeing it, so it would never get listed in search engines, and make the file name not guessable.

encyclo: you should be able to place the file in other folders. You just have to call it with the right path from your HTML. I have done this before.

submitx

11:53 am on Dec 5, 2004 (gmt 0)

10+ Year Member



"So does that mean my includes and folders can be safe from someone who'll try to copy my site?"

Yes... include file names are not visible to others. It is a server-side process, so the browser only sees the result of the SSI script.

damlag

12:52 pm on Dec 5, 2004 (gmt 0)

10+ Year Member



Submitx,
thanx.

I've tried to chmod 750, but it's also incorrect. Includes are not parsed, cause "others" have no "read" rights. I've left as it was 644 (owner: read-write, group: READ, others: READ) and it seems fine.

I've put includes in a separate folder and they seem to work well. I'll configure robots.txt as you said, so spiders don't index my include folder. Also, I thought that naming a file "top-secret" and showing in robots.txt that you don't want spiders to index it could attract amateur hackers to try to get in. So naming it like "folder" or putting includes in "cgi-bin" folder would be appropriate.

I'll also put an index file in that folder and put some text in it like "You are not authorized to view this page" so it confuses readers a little.

what do you think

bird

1:04 pm on Dec 5, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



>Like if I have an include:
>www.mydomain.com/footer.html
>people can type this URL and see my include.

First of all, people will never learn the name of this file, unless you tell them. If you want to reduce the chance of them finding it by accident, you can give it a slightly less common name.

>Is there some way to hide server side includes?

I hope I remember the details correctly:
If you use

<!--#include virtual="/footer.html" -->

then the file path will be relative to your DOCUMENT_ROOT, i.e. in the directory tree accessible by visitors.
If you use

<!--#include file="/some/where/footer.html" -->

then the file path will be absolute to your file system. In that case, you could place the include files in an otherwise inaccessible location. Of course, that's not a method that will make maintenance particularly easy...

Needless to say that in either case, the contents (or processing results) of the included file will be visible to all visitors as part of the including file. That's why you use includes in the first place, after all.... ;)

encyclo

1:46 pm on Dec 5, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Roll back to message #4 - you don't need to change the permissions (which need to be 644 for the include files). In fact, you might not even need mod_rewrite: you could try simply denying HTTP access in your .htaccess for the include directory, and the includes should still work just fine.

damlag

5:09 pm on Dec 7, 2004 (gmt 0)

10+ Year Member



Ok. Thanx guys everything's clear now.

Last question though.

When I put include in a folder, which is in root dir and try to access it from another folder, which is also in root dir, I type something like this:

<!--#include virtual="/includes/header.html"-->

But when I test it, it doesn't work. In all tutorials it's suggested to type forward slash at the beginning. But when I type it it doesn't work.

Somehow by accident I've discovered that typing:

<!--#include virtual="../includes/header.html"-->

works great. So is this correct or not? If it's correct then why everybody says to put forward slash at the beginning of the path?

bird

6:07 pm on Dec 7, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



>why everybody says to put forward slash at the beginning of the path?

If you use a virtual include, the first / is the document root of your site (absolute addressing). The ../ is the directory above your current directory (relative addressing). If you're one level down from the document root, then the two forms should be equivalent. If this isn't the case for your site, then the server doesn't agree with you about what the document root is. That may either be caused by a configuration problem, or by a misunderstanding on your side.

damlag

9:33 pm on Dec 7, 2004 (gmt 0)

10+ Year Member



I have installed Apache under my Windows as localhost.

I have root directory. In root directory there are 2 folders. One named "folder" other "includes". In "folder" there's a HTML file, which calls include. In "include" folder, there's the actual include "footer.txt". So both: HTML file and include are in the same level, just different folders.

Now when in "HTML file" I put
<!--#include virtual="/include/footer.txt"-->
The / sign shows the root, I understand that. This should work, however when I try this thing on localhost it doesn't. But this:
<!--#include virtual="../include/footer.txt"-->
works fine. (Logically, both should work...)

Anyway, when I try to test on real server both work fine. So which method is better to use? Maybe latter one, because it works on my localhost and on real server.

What do you say...
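
Added example, not part of any post in this thread: a small Python helper that resolves `include virtual` targets the way the absolute ("/") and relative ("../") addressing is described above, and lists the URL path of every include so each one can be checked against whatever access rule is meant to block direct requests. The function names and the sample site (modelled on the folder/include layout in the last post) are constructed for illustration.

```python
import posixpath
import re

# mod_include directive as written in the thread, with or without a space before "-->".
INCLUDE_VIRTUAL = re.compile(r'<!--#include\s+virtual\s*=\s*"([^"]+)"\s*-->')


def resolve_virtual(page_url, target):
    """Return the URL path that an `include virtual` target refers to.

    A leading "/" is taken from the document root; anything else is taken
    relative to the directory of the page that contains the directive.
    """
    if not target.startswith("/"):
        target = posixpath.join(posixpath.dirname(page_url), target)
    # normpath collapses "../" and "./"; it never climbs above "/".
    return posixpath.normpath(target)


def include_urls(pages):
    """Map each include's URL path to the set of pages that pull it in.

    `pages` maps a page's URL path to its source text. Every key of the
    result is a URL a visitor could request directly unless the server
    is configured to refuse it.
    """
    found = {}
    for page_url, source in pages.items():
        for target in INCLUDE_VIRTUAL.findall(source):
            found.setdefault(resolve_virtual(page_url, target), set()).add(page_url)
    return found


# Constructed sample mirroring the layout described in the last post.
SAMPLE_SITE = {
    "/folder/page.html": (
        '<p>body</p>\n'
        '<!--#include virtual="/include/footer.txt"-->\n'
        '<!--#include virtual="../include/footer.txt"-->\n'
    ),
    "/index.html": '<!--#include virtual="include/header.txt" -->\n',
}

if __name__ == "__main__":
    for url, users in sorted(include_urls(SAMPLE_SITE).items()):
        print(url, "<-", ", ".join(sorted(users)))
```

For a page one level below the document root, both spellings resolve to the same URL; from a deeper page the "../" form points somewhere else, which is why the leading-slash form is the one that stays stable when pages move.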