Apache (Server Side Includes)

Apache Server Side Includes (SSI) is a declarative directive language embedded within HTML comments that enables web servers to assemble dynamic content at serve time. Originating in Rob McCool’s NCSA HTTPd server in 1993, SSI was one of the earliest mechanisms for adding dynamic behavior to static web pages. Through Apache’s mod_include module, SSI became one of the first widely deployed server-side templating systems, establishing the fundamental paradigm of embedding processing directives within HTML markup that would later be adopted by PHP, ASP, and JSP.

History & Origins

NCSA HTTPd and the Birth of SSI

Server Side Includes were created by Rob McCool at the National Center for Supercomputing Applications (NCSA) at the University of Illinois at Urbana-Champaign. McCool developed NCSA HTTPd, one of the first web servers, announcing version 0.3 on April 22, 1993. SSI emerged as a practical solution to a fundamental problem of early web development: static HTML pages required complete duplication of common elements like headers, footers, and navigation across every page on a site.

NCSA HTTPd 1.1, released in January 1994, contained a primitive form of SSI support. The landmark release was NCSA HTTPd 1.2 in April 1994, which introduced the modern SSI syntax — directives embedded as HTML comments beginning with <!--#. This version added http_include.c to the codebase and included a conversion tool (inc2shtml.c) for migrating from the earlier syntax.

McCool also led the creation of the Common Gateway Interface (CGI) specification during this same period, giving the early web its two foundational mechanisms for dynamic content. He left NCSA in mid-1994 to join Netscape Communications, and development of NCSA HTTPd stalled.

The Apache Era

After NCSA HTTPd development ceased, a group of webmasters who had been maintaining independent patches coordinated through a mailing list in February 1995 to consolidate their work. This group — including Brian Behlendorf, Roy T. Fielding, Rob Hartill, David Robinson, Cliff Skolnick, Randy Terbush, Robert S. Thau, and Andrew Wilson — became the Apache Group.

Apache 0.6.2, the first public release, appeared in April 1995. Robert S. Thau then designed a new modular server architecture (code-named “Shambhala”) with an API, pool-based memory allocation, and a module system. Apache 1.0 was released on December 1, 1995, with SSI support provided through the mod_include module — the direct descendant of NCSA HTTPd’s http_include.c.

Extended SSI (XSSI)

A significant enhancement came from Howard Fear, who developed eXtended Server Side Includes (XSSI). Fear’s work added flow control directives (#if, #elif, #else, #endif), the #set directive for variable assignment, and #printenv for debugging. XSSI was initially available as a separate add-on module for Apache 1.0.x and was integrated into the standard Apache distribution with the release of Apache 1.2 on June 5, 1997.

The XSSI documentation explicitly described its intended audience as “casual web developers” creating departmental or personal pages — SSI was deliberately not a CGI replacement but a simpler tool for a different audience.

Design Philosophy

SSI follows a strictly declarative paradigm. Directives specify what should appear in the output — include this file, display this variable, show this block if a condition is true — rather than describing how to compute results procedurally. There are no loops, functions, complex data structures, or general-purpose computation.

Key design principles include:

• Embedded in markup: Directives live within the HTML document itself, maintaining the document-centric nature of web content
• Graceful degradation: Using the HTML comment syntax (<!--# -->) means that if SSI processing fails or is disabled, directives are hidden as comments rather than appearing as broken content in the browser
• Minimal complexity: SSI deliberately avoids becoming a full programming language, keeping the barrier to entry low
• Zero dependencies: SSI requires no additional software, libraries, or runtimes beyond the web server itself

Key Features

Core Directives

SSI provides a focused set of directives for content assembly:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16

<!-- Include content from another file -->
<!--#include virtual="/includes/header.html" -->

<!-- Display a variable value -->
<!--#echo var="DATE_LOCAL" -->

<!-- Set a custom variable -->
<!--#set var="section" value="about" -->

<!-- Configure output formatting -->
<!--#config timefmt="%B %d, %Y" -->
<!--#config sizefmt="abbrev" -->

<!-- Display file information -->
<!--#fsize file="document.pdf" -->
<!--#flastmod virtual="/news/latest.html" -->

The #include directive is the foundation of SSI, accepting either a file attribute (relative path) or virtual attribute (server-relative URL path). Included files can themselves contain SSI directives, which are processed recursively.

Flow Control

The XSSI extensions added conditional logic:

1
2
3
4
5
6
7

<!--#if expr="$section = 'about'" -->
  <li class="active">About</li>
<!--#elif expr="$section = 'contact'" -->
  <li class="active">Contact</li>
<!--#else -->
  <li>Default</li>
<!--#endif -->

Apache 2.4 introduced a more powerful expression syntax using ap_expr, supporting regular expressions, string comparisons, and boolean operators:

1
2
3

<!--#if expr="%{REQUEST_URI} =~ m|^/blog/|" -->
  <!--#include virtual="/includes/blog-sidebar.html" -->
<!--#endif -->

Command Execution

The #exec directive can execute external commands, though this is typically restricted for security:

1
2
3
4
5

<!-- Execute a shell command -->
<!--#exec cmd="date" -->

<!-- Execute a CGI script -->
<!--#exec cgi="/cgi-bin/counter.cgi" -->

Built-in Variables

SSI provides access to a set of built-in variables including DATE_LOCAL, DATE_GMT, DOCUMENT_NAME, DOCUMENT_URI, LAST_MODIFIED, and QUERY_STRING_UNESCAPED, along with all standard CGI environment variables such as SERVER_NAME, REMOTE_ADDR, and HTTP_USER_AGENT.

File Extensions and Configuration

The conventional file extension for SSI-enabled pages is .shtml (Server-parsed HTML), configured via Apache’s AddOutputFilter directive. The XBitHack directive offers an alternative: when set to on or full, any .html file with the user-execute permission bit set is processed for SSI directives, avoiding the need for a separate file extension.

How SSI Processing Works

1. File identification: Apache identifies files requiring SSI processing based on file extension (.shtml), MIME type, or the XBitHack setting
2. Parsing: The INCLUDES output filter scans the document for SSI directives embedded as HTML comments
3. Execution: Each directive is processed in order — includes are resolved, variables are substituted, conditionals are evaluated
4. Output: The assembled content, with all directives replaced by their output, is sent to the client as standard HTML

Performance Considerations

Apache’s official documentation notes that SSI adds parsing overhead since every enabled file must be scanned for directives before serving. SSI-processed pages do not send Last-Modified or Content-Length headers by default, which prevents browser and proxy caching. The XBitHack full setting and the SSILastModified/SSIETag directives (Apache 2.2+) partially address this limitation. The Apache documentation recommends SSI for adding “small pieces of information” to otherwise static pages, noting that if the majority of a page is dynamically generated, a different solution should be used.

Evolution Through Apache Versions

Apache 2.0 (2002)

The mod_include module was rewritten to function as an output filter within Apache 2.0’s new filtering architecture. This allowed SSI to process the output of CGI scripts and other dynamic content sources. New configuration directives were added: SSIStartTag and SSIEndTag for customizing delimiter syntax, SSIErrorMsg for custom error messages, SSITimeFormat for date formatting, and SSIUndefinedEcho for controlling undefined variable display.

Apache 2.2 (2005)

Added SSIETag and SSILastModified directives, giving administrators finer control over HTTP caching headers for SSI-processed pages.

Apache 2.4 (2012)

Introduced the ap_expr expression parser for #if conditionals, supporting a richer syntax with regular expressions and complex boolean logic. The SSILegacyExprParser directive was provided for backward compatibility. Later 2.4.x releases added the DOCUMENT_ARGS variable (2.4.19+) and #comment syntax (2.4.21+).

Influence and Legacy

SSI established the foundational concept of embedding server-processed directives within HTML documents. This pattern was adopted and extended by the server-side scripting technologies that followed:

• PHP (1995): Rasmus Lerdorf’s early PHP used HTML comment-style delimiters similar to SSI before evolving to <?php ?> tags. Lerdorf is listed as an Apache contributor.
• ASP (1996): Microsoft’s Active Server Pages embedded VBScript/JScript within HTML using <% %> delimiters
• JSP (1999): Java Server Pages followed the same embed-code-in-HTML model

Edge Side Includes (ESI), specified in 2001 by Akamai, Oracle, and others, is a conceptual successor that moved content assembly from the origin server to CDN edge servers. ESI uses XML-based markup and provides similar content inclusion and conditional logic, designed specifically for caching proxy environments.

Other web servers adopted SSI support independently, including Microsoft IIS (reportedly from 1996 with IIS 3.0), lighttpd (2003), and nginx (2004).

Current Relevance

SSI remains a standard, bundled module in Apache HTTP Server 2.4.x. The mod_include module is actively maintained — it is documented in both the 2.4 and trunk (2.5) documentation, and security fixes continue to be applied. SSI’s usage has declined significantly since the early 2000s as server-side frameworks, content management systems, and static site generators have become prevalent. However, SSI persists in several niches:

• Legacy systems: Academic and government websites originally built with SSI continue to operate
• Simple static sites: For sites needing only basic includes without a full framework, SSI remains a zero-dependency option
• Embedded and resource-constrained environments: SSI’s minimal requirements suit systems where full scripting runtimes are impractical

Why It Matters

Server Side Includes represents a pivotal moment in web history. Created when the World Wide Web was barely two years old, SSI was among the first practical solutions to the problem of content reuse across web pages. Its approach — embedding declarative directives within HTML comments that are processed server-side before delivery — established a paradigm that influenced every subsequent server-side templating technology.

SSI also demonstrates the enduring value of simplicity in software design. While it was quickly surpassed in capability by PHP and other scripting languages, its focused feature set and minimal complexity meant it could serve its purpose reliably across three decades of web evolution. The fact that mod_include remains a maintained, documented module in Apache HTTP Server more than thirty years after its creation speaks to both the durability of its design and the web’s long memory for backward compatibility.