How to Disable Directory Listing on a Web Server

While browsing web pages, most of us expect to see only the pages offered. However sometimes we come upon what looks like a listing of files that we might see in Windows Explorer as opposed to a web page. This is called a directory listing. It is sometimes used to offer files easily on the internet, but if unintended, it can allow an attacker to gain valuable information about your site.

Directory Listings and Why You Might Want to Remove Them

Directory listings can happen in two ways. First, an attacker could view all files in a given web directory. This allows them to see files which might not be linked anywhere on your site, including files which may include sensitive information, such as backup script files (like index.php~ or index.php.bak), htaccess files, or text files with notes (password.txt!)

The other method is more dangerous. Some web servers are setup such that the web home is actually the user home, so passing in certain values in the web address can allow directory listings outside of the normally safe web folder structure. This is more dangerous since an attacker may be able to find and execute programs on your server through a web browser, potentially exploiting those programs as well.

Can Listing Directories Open Me to Attack?

Generally, this is not a security threat as it only allows the attacker to gain information. However the information gathered will help them analyze your site for weaknesses, and could lead to an intrusion down the road. In the worst case, this could allow attackers to attack your web server immediately using special URL's.

However, if one or more directories holds a secret file, such as a password or key file, the attackers may be able to steal it. Additionally, directory traversal can sometimes allow attackers to access files outside the web root directory, leading to the stealing of system files, which can aid in other, additional attacks.

How to Disable Directory Listings in Apache

If you are using the Apache web server, you can disable directory browsing. It is strongly recommend that you follow these steps unless you actually do want to show directories to your users. In that case, it is best to enable the following on all other directories, and make exceptions for the directories you want to show.

  • Navigate to your Apache config file (httpd.conf)
  • Open the config file using a text editor like vi (vi httpd.conf)
  • Search for the directory section of the file where your website resides, and the Options keyword beneath that. It should look something like:
    <Directory /home/mywebuser/public_html>
    	Options Indexes 
  • Update the option 'Indexes' from the above, so the line would read instead:
    Options -Indexes


If your config file looks different, that's ok. The only important piece is to make sure that indexes has a minus sign or the only word after options is None. In fact, if you don't need any options, it is best to set it to None in the first place.

If you don't have access to the main Apache configuration, you can do the same thing in each folder of your server by including the same line in your .htaccess files in each subdirectory. This will effectively accomplish the same thing, but be careful to also bar viewing of htaccess files.

Additional Resources

Find Insecure Settings on your Webserver

Golem Technologies includes numerous different server setting scans to help you reduce your exposure to attack with thorough security scanning, including application server setup. See how the Golem Scan can help your business today.