When a user requests a standard .html page, the web server simply delivers the file to the browser. However, when an .shtml file is requested, the web server parses the document first. It looks for specific directives formatted like HTML comments: Use code with caution.
Deploy a WAF to detect and block common payloads associated with SSI injection and directory traversal (such as .. or view shtml patched