Thread: Server Side Includes and Security

Last post 11-02-2008 9:26 PM by MikePixel. 4 replies.

  • 11-02-2008, 2:45 PM

    Server Side Includes and Security

    I looked around the site for a forum search and couldn't find one.  I hope this hasn't been answered anywhere else.  If it has I apologize.

    My question is about server side includes and security.  I love to use includes for menus and footers for my websites, but my supervisor, who I respect a lot, said that I shouldn't use them because it just opens up security issues.

    I can understand his worries but I want to know from the IIS experts what risks I incur by using asp includes and whether or not there may be a better solution.

    Oh and I am using server 2003 and IIS 6.

    Thanks for your time,

    MikePixel
    CornerPixel
  • 11-02-2008, 5:10 PM In reply to

    Re: Server Side Includes and Security

    I would recommend using include files.  What your supervisor is probably concerned about is having connection strings in files named connectionString.inc or something similar; this could display sensitive information.  All you need to do is make sure your includes have a .ASP extension; this will ensure your code is processed by the ASP.DLL and not display sensitive information such as a connection string or other credentials.  If you can provide more information on why your supervisor is concerned, I'm sure we could provide some direction.

    Steve Schofield
    Windows Server MVP - IIS
    http://weblogs.asp.net/steveschofield


    http://www.IISLogs.com
    Log archival solution
    Install, Configure, Forget
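
One way to check a web root for the situation described in the reply above, as an added example that is not part of the original thread: it lists every include directive whose target lacks a script-mapped extension, meaning ASP would not process that file if it were requested directly. The set of mapped extensions, the keyword pattern and the sample site are assumptions constructed for the example.

```python
import re
import tempfile
from pathlib import Path

# Assumption: only these extensions are mapped to asp.dll on the server;
# adjust to match the site's actual script mappings.
SCRIPT_MAPPED = {".asp"}
INCLUDE_RE = re.compile(
    r'<!--\s*#include\s+(file|virtual)\s*=\s*"([^"]+)"\s*-->', re.IGNORECASE)
# Hypothetical keyword list used only to prioritise findings.
SECRET_RE = re.compile(r"(connectionstring|provider\s*=|password\s*=|pwd\s*=)", re.IGNORECASE)

def resolve(web_root, page, kind, target):
    """Map an include target to a path on disk, following the directive type."""
    target = target.replace("\\", "/")
    if kind.lower() == "virtual":
        return web_root / target.lstrip("/")  # relative to the site root
    return page.parent / target               # relative to the including page

def audit_includes(web_root):
    """Return includes whose target ASP would not process on a direct request."""
    web_root = Path(web_root)
    findings = []
    for page in sorted(web_root.rglob("*")):
        if not page.is_file() or page.suffix.lower() not in SCRIPT_MAPPED:
            continue
        text = page.read_text(errors="replace")
        for kind, target in INCLUDE_RE.findall(text):
            inc = resolve(web_root, page, kind, target)
            if inc.suffix.lower() in SCRIPT_MAPPED:
                continue  # handled by ASP, so the source is not returned
            body = inc.read_text(errors="replace") if inc.is_file() else ""
            findings.append({"page": page.relative_to(web_root).as_posix(),
                             "include": target,
                             "has_secret": bool(SECRET_RE.search(body))})
    return findings

def demo():
    """Build a constructed sample site in a temp directory and audit it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "includes").mkdir()
        (root / "includes" / "menu.asp").write_text("<ul><li>Home</li></ul>")
        (root / "includes" / "connectionString.inc").write_text(
            '<% connStr = "Provider=SQLOLEDB;User ID=app;Password=EXAMPLE" %>')
        (root / "default.asp").write_text('<!--#include virtual="/includes/menu.asp"-->')
        (root / "data.asp").write_text('<!--#include file="includes/connectionString.inc"-->')
        return audit_includes(root)

if __name__ == "__main__":
    print(demo())
```
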
  • 11-02-2008, 5:28 PM In reply to

    Re: Server Side Includes and Security

    My supervisor agrees with me that if I am just using the following includes that there isn't much risk.

    <!--#include virtual="/includes/filename.asp"-->

    The only issue he has is that the site is just static content and allowing for any server side interaction makes us more vulnerable. He wants to stick with plain old html so we wouldn't have to worry at all.  He believes that just using asp extensions for includes is not worth it.

    MikePixel
    CornerPixel
  • 11-02-2008, 8:39 PM In reply to

    Re: Server Side Includes and Security

    What you are describing falls into a 'management decision' vs. a technical one.  Technically, if your site is static content, then HTML is the best way to go.  There is a slight risk of being vulnerable using ASP.  There has been one ASP exploit in recent years.  MS has a patch for it.

    Regardless, I think the topic should be not if you use HTML vs. ASP rather a security and locking down your server discussion.  If you don't need or use ASP, then turn off the functionality.  If your site is a brochure site, you can remove all the dynamic script mappings that support ASP, ASP.NET and others.  

    In the end, regardless of how you go, I think the risk is about the same; it's splitting hairs.  If you are looking for a better, more secure way, HTML will win.  "A server is only as good as the person(s) administering it."  Hope there is some advice in there. :)

    Steve Schofield
    Windows Server MVP - IIS
    http://weblogs.asp.net/steveschofield


    http://www.IISLogs.com
    Log archival solution
    Install, Configure, Forget
  • 11-02-2008, 9:26 PM In reply to

    Re: Server Side Includes and Security

    Thanks a bunch.  I really appreciate your time. 

    I will spend some time looking at IIS and server security best practices.  That way I have my bases covered when I am using ASP.net or ASP in the future.

    Thanks again for your time,

    MikePixel
    CornerPixel