Disable Directory Listing in Apache

Securing your web server is very important than the security of other computers on the network, because you can make other computers invisible on the internet using the “stealth mode” feature available on many firewalls. But the same cannot be done on the web server as it is meant for the complete public access. And the “public” might include beginner level users trying to curiously explore every nook and corner of you website and advanced hackers intentionally trying to find vulnerabilities on your website. And directory listing can be a boon for such people to start looking for juicy information.

Picture this. You have a web server on which the website example.com is hosted. It contains a directory named images which contains all the graphics and picture of your website example.com. Now you might think of uploading your personal photos inside this folder thinking that since there is not a single hyperlink on your website linking to these images no one will find them. But if a curious user types http://example.com/images he/she will be presented with a list of all the images within the directory. Worse than this imagine what would happen if search engines crawl and index that directory listing!

That is why its a good practice to disable directory listing on your web server. It also looks less professional for a user if he/she sees a plain directory listing after seeing a beautiful website.

Warning:- While disabling directory listing protects your files to a certain extent, files can still be accessed by keying in the file name directly e.g. http://example.com/images/personal.jpg. If a particular file is very personal or confidential never ever store it inside your document root (htdocs, www or public_html folders). If you have no other option then store them in a separate directory and password protect it.

Method 1:- Edit the httpd.conf/httpd-vhosts.conf file

In case you are using a dedicated server/vps its best to edit the httpd.conf file as it will benefit all the websites hosted on that server. Open the httpd.conf file using a text editor find the line that starts with <Directory It looks similar to the following

<Directory "C:/AMP/Apache Software Foundation/Apache2.2/htdocs">
Options Indexes FollowSymLinks Includes
AllowOverride All
Order allow,deny
Allow from all
</Directory>

Change line 2 to reflect the following

Options -Indexes FollowSymLinks Includes

Note the minus symbol in front of Indexes. Servers hosting more that one domain using Apache’s Virtual Hosting will have no effect because you need to edit the httpd-vhosts.conf file. Edit the line in this file starting with Options and add the minus symbol.

Restart the Apache service and you’re good to go.

Method 2:- Create/Edit the .htaccess file

Hosting your website on a shared server? Don’t want to edit httpd.conf file? Then lets do it the htaccess way. Create a file named .htaccess (there should be a dot at the beginning of the file name) inside the htdocs or www or public_html folder, if it exists the edit it and add the following line

Options -Indexes

Save the file.

Testing the New Configuration

Its time to check the result of your hard work. So fire up your web browser and type http://example.com/images if everything was done correctly you should see a message similar to the following

Instead if you get a 500 Internal server error then check the syntax of the htaccess file. If your server refuses to start check the syntax of the httpd.conf file.

Wait its not over yet, what if you want to ENABLE directory listing for a folder named everyone (http://example.com/everyone) Its simple just create a .htaccess file inside the everyone folder and add

Options -Indexes

That is all!!! You can now see the directory listing of only /everyone while a 403 error is shown for other directories