View Shtml Link

Treat .shtml like .html in terms of risk — but with one twist:
If an attacker can upload an .shtml file to a server with SSI enabled, they could execute commands like <!--#exec cmd="..." -->. That’s a critical vulnerability.
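
One way to screen uploads for the risk described above, as an added example that is not from the original page: it parses SSI directives out of an uploaded file and returns the reasons to refuse it. The names find_ssi, check_upload and SSI_EXTENSIONS and the sample inputs are assumptions made for illustration.

```python
import re

# SSI directives have the form <!--#name attr="value" ... -->
DIRECTIVE = re.compile(r"<!--#(\w+)(.*?)-->", re.DOTALL)
ATTR = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|(\S+))""")

# Assumption: the extensions this server hands to its SSI parser.
SSI_EXTENSIONS = (".shtml",)


def find_ssi(text):
    """Return [(directive, {attr: value})] for each SSI directive in text."""
    found = []
    for m in DIRECTIVE.finditer(text):
        attrs = {k.lower(): a or b or c for k, a, b, c in ATTR.findall(m.group(2))}
        found.append((m.group(1).lower(), attrs))
    return found


def check_upload(filename, data):
    """Return the reasons an upload should be refused (empty list = accept)."""
    reasons = []
    if filename.lower().endswith(SSI_EXTENSIONS):
        reasons.append("extension is parsed for SSI")
    for name, attrs in find_ssi(data.decode("utf-8", errors="replace")):
        if name == "exec":
            # exec runs a program on the server: the critical case
            reasons.append("exec directive (%s)" % ", ".join(sorted(attrs)))
        elif name == "include":
            # include can pull other server-side files into the response
            reasons.append("include directive (%s)" % ", ".join(sorted(attrs)))
    return reasons


# Constructed sample inputs, not taken from a real site.
SAMPLE_SSI = b'<p>hi</p>\n<!--#include virtual="/header.html" -->\n<!--#exec cmd="..." -->'
SAMPLE_PLAIN = b"<p>just html <!-- an ordinary comment --></p>"

if __name__ == "__main__":
    for fname, body in [("avatar.shtml", SAMPLE_SSI), ("notes.html", SAMPLE_SSI),
                        ("page.html", SAMPLE_PLAIN)]:
        print(fname, "->", check_upload(fname, body) or "accept")
```

The content scan catches directives in files that arrive under another extension. On Apache, Options +IncludesNOEXEC in place of +Includes keeps includes working while disabling the exec directive.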

To see what the server actually sent to the browser (after SSI execution), use your browser’s Developer Tools.

On Apache, you can enable SSI for .shtml files using an .htaccess file or virtual host config:

AddType text/html .shtml
AddHandler server-parsed .shtml
Options +Includes

On Nginx, you’d use the ssi module with ssi on; inside the location block.

With modern frameworks (React, Django, Node.js), you might think SSI is obsolete. But .shtml persists for three powerful reasons:

You downloaded an SHTML file to your computer (e.g., index.shtml). If you double-click it, it opens in your browser as file:///C:/my-site/index.shtml.

Warning: It will look broken. A file opened from disk never passes through a web server, and the browser cannot process <!--#include...--> directives itself; it only understands HTML tags. To view an SHTML link correctly on your local machine, you must spin up a local web server (Apache, Nginx, or IIS).