Skip to content 
SSI Hosting integrates Server Side Includes directly into static HTML files and thus delivers finished HTML code without client-side dependencies. I will show you how to activate SSI, use typical directives and implement the webserver configuration on Apache cleanly.
Key points
SSI makes recurring page parts maintainable and speeds up delivery if the web server is configured correctly.
- Includes bundle header, footer, navigation.
- .htaccess enables parsing for .html and .shtml.
- Security through restrictive rights and NOEXEC.
- Performance benefits from caching and NVMe.
- Compatibility with Apache and shared hosting.
With just a few directives, you can build modular pages and significantly reduce maintenance work without having to use a CMS. In this guide, I focus on clear examples, solid Practice and reliable configurations for fast results.
What are Server Side Includes (SSI)?
Serverincludes are instructions in the HTML that the web server interprets before delivery. The code is in comments such as and ends up as finished markup in the browser. This saves you JavaScript logic for repeated blocks and gives you clean, indexable content. The syntax always starts with <!--#, uses lowercase letters and requires quotation marks for the parser to work correctly. I keep the commands minimal so that the overhead remains low and the Maintenance remains clear.
Requirements and webserver configuration
Apache the module mod_include must be active for SSI to work. Many hosts only parse .shtml; with a suitable .htaccess you also activate parsing for .html. Also check whether your package AllowOverride is allowed for your directory, otherwise the file will not work. To choose the right stack, it is worth taking a look at Apache, Nginx or LiteSpeed, because SSI is based on Apache on the server side. I pay attention to the Configuration always security, performance and future scaling.
Granular Apache configuration without .htaccess
Best Practice in your own server environments: Enable SSI centrally in the vHost or in the Apache configuration and AllowOverride None use. This saves you having to read in the .htaccess and retain control over permitted options.
ServerName example.org
DocumentRoot /var/www/example/public_html
Options +IncludesNOEXEC
AllowOverride None
Require all granted
AddOutputFilter INCLUDES .html
# Optional: Parse only selected files
Options +IncludesNOEXEC
AddOutputFilter INCLUDES .html
# Alternative, selective activation: XBitHack (see below)
# XBitHack full
In shared hosting environments, you stay with .htaccess, on my own servers, however, I prefer to keep the configuration bundled in the vHost.
Setup step by step
Preparation begins in the document master, usually public_html. Create a directory /includes/ write there your header.html and footer.html and use absolute paths in the directives. Then create the .htaccess in the root and enter the following lines so that Apache parses HTML files on SSI:
AddType text/html .html
AddOutputFilter INCLUDES .html
Options +Includes
AddHandler server-parsed .html
Now you can integrate blocks into any pages, e.g. . After that, I always clear caches in the browser and server-side caches to safely save changes. check.
Use include virtual vs. include file correctly
Choice of the variant determines flexibility and access protection:
- include virtual uses URL paths (e.g.
/includes/header.html), therefore runs through rewrites, access rules and can cleanly resolve absolute paths. Suitable if fragments may be visible on the web or you deliberately work via the URL space. - include file reads directly from the file system and is Relative to the current file (no leading slash). It ignores URL rewrites and is ideal for internal Fragments that should not be directly accessible. Use unique file names such as
header.inc.htmland place it in a subdirectory of the page, such asincludes_priv/.
A typical pattern for private fragments:
# In the /includes_priv/ subfolder of the project:
# .htaccess (block access externally)
Require all denied
The browser cannot retrieve the files, but SSI continues to read them locally. I avoid nested paths and keep file-The references should be as flat as possible so that the project remains clear.
Security and authorizations with SSI
Security starts with rights: Set files to 644 and folders on 755, to avoid accidental releases. Avoid #exec consistently, because execution rights open the door to infiltration. In shared environments, I use Options +IncludesNOEXEC, to exclude script calls. Sensitive files such as .env or configurations are locked with an additional .htaccess in the directory. This significantly reduces the risk and keeps the Control about integrated content.
Hardening: Scope, headers and clean boundaries
Scope Keep it tight: Only allow SSI where you need it. In large projects, I limit parsing with FilesMatch to specific patterns, e.g. *.inc.html or *.shtml. In addition, I set security headers globally, because finished HTML output benefits directly from them:
Header set X-Content-Type-Options "nosniff"
Header set X-Frame-Options "SAMEORIGIN"
Header set Referrer-Policy "strict-origin-when-cross-origin"
Header set Content-Security-Policy "default-src 'self'"
I separate publicly accessible fragments (e.g. footers) and internal elements (e.g. variable files) cleanly so that rules remain clear and audits are quick.
Practical SSI examples for projects
Example 1: A global header. Place /includes/header.html and bind it with in every page. Example 2: A footer with copyright notice via . Example 3: A date stamp above in the sidebar. Example 4: Last change to a file with for transparent up-to-dateness. I keep the paths consistently absolute so that the integration in different directory depths is reliable. works.
Variables, formatting and simple logic (XSSI)
directives like set, echo, config and if are sufficient for many cases without slipping into application logic.
<!-- Ausgabeformat für Datum/Größen setzen -->
<!--#config timefmt="%d.%m.%Y, %H:%M" sizefmt="abbrev" -->
<!-- Eigene Variablen definieren und ausgeben -->
<!--#set var="site_env" value="production" -->
<!--#set var="build_date" value="2026-03-10 12:30" -->
Build: <!--#echo var="build_date" --> (Env: <!--#echo var="site_env" -->)
<!-- Einfache Bedingungen -->
<!--#if expr="$site_env = /production/" -->
<p><strong>Live hint:</strong> Productive environment</p>
<!--#else -->
<p>Staging/Test</p>
<!--#endif -->
<!-- Umgebungsvariablen inspizieren (Debug) -->
<pre><!--#printenv --></pre>
I keep logic flat, avoid nesting and document variables in one place (e.g. includes_priv/vars.inc.html), which I received via file into each page.
Performance, caching and CDN with SSI
Performance benefits from SSI because the server outputs finished HTML code and the browser has less work to do. I supplement this with file compression via mod_deflate or mod_brotli, so that transmissions remain small. Server-side caching at proxy or app accelerator level can additionally buffer HTML results. A CDN helps with global distribution, while SSI parsing continues to take place on the origin server. The correct sequence remains important: first render includes, then the finished markup in the cache hold.
Cache header, ETag and targeted parsing
Header determine how browsers and proxies reuse results. For dynamic fragments, I use moderate max-age values and permitted stale caching:
Header set Cache-Control "public, max-age=600, stale-while-revalidate=30"
Header unset Pragma
# Standardize or deactivate ETags to avoid inconsistencies
FileETag MTime Size
If you do not have all .html but only specific files, you save resources. Two ways have proven themselves:
- FilesMatch approach: Only
*.inc.htmland parse these fragments pervirtualorfileintegrate. - XBitHack: With
XBitHack fullonly files with the execution bit set are parsed. In addition, Apache sets the Last-Modified-header based on the file timestamp, which simplifies validation.
# Selective parsing via XBitHack
XBitHack full
# "mark" file via chmod +x
# chmod +x index.html
After making changes, I always test whether Last-Modified and cache behavior behave as expected so that users see new content without hard reloads.
SSI vs. PHP and CMS
Comparison turns out like this: SSI is suitable for modular, static pages with a few dynamic sprinkles. PHP covers application logic, forms or database access, but requires more maintenance. A CMS provides editing functions, but costs resources and requires regular updates. For landing pages, documentation and small websites with recurring modules, I consider SSI to be the lean solution. Before I make a decision, I check the content and the mix of static and dynamic pages, so that the architecture fits the target and can be easily scalable remains.
Migration path and hybrid approaches
Pragmatic switch: Start with header/footer as includes, add navigation and recurring teasers and leave special logic in PHP or your CMS. In this way, you can gradually reduce templating duplications without disrupting editorial processes. For completely static areas (e.g. documentation), you can go SSI-first and embed dynamic islands (forms, search) via independent endpoints. I keep the cut clear so that each layer does exactly what it is built for.
Hosting selection for SSI projects
Selection depends on Apache availability, mod_include, AllowOverride and fast NVMe storage. I pay attention to free .htaccess-usage so that I can use includes for .html can be activated. Plans with sufficient CPU clock provide short response times, which makes SSI even more attractive. Switching options without migration make upgrades easier if your project grows. The following table shows typical features of plans that SSI performs well support.
| Tariff | Price/month | Memory | WordPress pages | SSI-capable |
|---|---|---|---|---|
| Starter | 10 € | 10 GB NVMe | 1 | Yes (Apache) |
| Pro | 47,60 € | 75 GB NVMe | 5 | Yes (Apache) |
| Business | 95,20 € | 150 GB NVMe | 10 | Yes (Apache) |
I don't plan resources too tightly so that caches work and reserves remain. If you add PHP or CMS later on, you benefit from headroom in RAM and CPU without the Stability to risk.
Fault diagnosis and troubleshooting
Problems often appear as „raw“ SSI comments in the HTML source code. In this case, the server does not parse the file, usually missing AddOutputFilter INCLUDES .html or the MIME type is incorrect. Also check whether the file is saved as text/html and no editor quotation marks interfere. Absolute paths prevent ../-references come to nothing. I look at the server logs last, because that's where the concrete clues are that quickly lead me to the Cause lead.
Advanced troubleshooting: typical pitfalls
500 Internal Server Error to Options +Includes in .htaccess often indicates AllowOverride-restrictions. Solution: Have the option set on the server side or ask the hoster for approval. 403 Forbidden at include virtual indicates access restrictions in the target directory; in such cases it is better to use include file and block the source directory for HTTP access. Character set or BOM problems (invisible characters at the beginning of the file) can lead to strange output - save fragments as UTF-8 without BOM. If you encounter unusual whitespaces in minified code, check if your build process removes comments/SSI directives. For debug sessions I temporarily activate , to inspect headers and variables, and then deactivate it again.
Reverse proxy and modern setups
Architectures with an upstream proxy such as Nginx or Traefik allow Apache to render in the background. The proxy takes care of TLS, caching and compression, while Apache parses includes and delivers finished HTML. This allows you to combine low latency with the flexibility of SSI. Read the overview of Reverse proxy setups, before you plan your routing. I like to start with a simple chain and expand step by step so that I can clearly measure effects and determine the Performance in a targeted manner.
Compatibility and operating modes
CompatibilityApache is the target system for the SSI usage described here. Many hosters use LiteSpeed as an Apache replacement; the common SSI syntax is usually supported. Nginx has its own SSI features with a different syntax; in mixed environments, Nginx typically performs proxy tasks, while Apache handles SSI parsing. With Apache MPM I prefer event for static/SSI-heavy sites (in combination with PHP-FPM), as it keeps connections more efficient. I only use Prefork where legacy modules make it necessary.
Deployment, versioning and quality assurance
Process keep clean: Fragments and variable files belong in version control. I define standards (file extensions such as .inc.html, Directory structure /includes/ and /includes_priv/) and check with each commit whether includes can be resolved. A small CI step can upload a staging build, clear caches and retrieve a health page with test includes. A minimal test is quickly built:
<!-- test.shtml -->
<!--#config timefmt="%Y-%m-%d %H:%M:%S" -->
Server time: <!--#echo var="DATE_LOCAL" --><br>
URI: <!--#echo var="DOCUMENT_URI" --><br>
Include: <!--#include virtual="/includes/header.html" -->
If this page fails, the problem is almost always in the basic configuration (parsing, rights or paths). I have a small checklist ready to perform rollbacks in minutes.
Compact tips for clean SSI
Paths I set absolutely, so /includes/header.html instead of relative references, so that bindings in subfolders remain stable. I use variables sparingly and name them uniquely, for example site_env or build_date. I test changes in a staging environment and only copy live afterwards to avoid downtime. Before making any changes to the .htaccess I back up the current version so that I can go back immediately if necessary. After deployments, I clear browser and server caches so that users can use the new version without old artifacts. See.
Targeted use of extended SSI features
XSSI brings simple conditions and variable logic, but remains deliberately limited in order to keep parsing lightweight. Typical cases are different banners per directory or one hint per language version. You structure conditions with and closes it with . For computational logic, switch to PHP or build the output into your build process in advance. I avoid nested directives so that the page remains readable and the Debugging quickly.
Summary in plain text
Bottom line SSI delivers fast, maintainable pages by merging recurring content before it is sent. With just a few lines in the .htaccess activate parsing for .html and keep the structure of your project lean. You achieve security with restrictive rights and by not using #exec; protects in shared environments IncludesNOEXEC. NVMe storage, clean caching and, if required, an upstream proxy ensure speed. If I want to build modularly and do without overhead, I rely on SSI hosting, secure the webserver configuration cleanly and maintain it for years simple.
