Including .inc or .asp files securely

When you are including files in ASP, some books teach you to use .INC extensions. However, for security reasons, you should always end your filenames in .ASP.

Let’s say you are including a datastore file that contains all of your database connection information. If you name that file datastore.inc and someone manages to browse and find it, they can now see your entire database connectivity information!

If you instead name that file .asp, your IIS server will pre-process the file and not show any information to the end user.

It’s also just good in general to keep your ASP files named ASP for long term maintenance. That way when you’re scanning directories you can see at a glance which ones are involved in the ASP code.

There are many other reasons to keep your asp include files with an ASP extension. You can actually include other ASP scripts so that your headers, footers, ads, etc. are all dynamic.

ASP Basic Concepts