Jesin's Blog

Disable Directory Listing in Apache

August 22, 2010 Web Servers Jesin A 2 Comments


Securing your web server is more important than securing the other computers on the network, because you can make other computers invisible on the internet using the “stealth mode” feature available on many firewalls. The same cannot be done for the web server, as it is meant for complete public access. And the “public” might include beginner-level users curiously exploring every nook and corner of your website, as well as advanced hackers intentionally trying to find vulnerabilities in it. Directory listing can be a boon for such people when they start looking for juicy information.

Figure: Apache directory listing. Leaving your directory listing as it is can open up several vulnerabilities in your website.

Picture this. You have a web server on which the website example.com is hosted. It contains a directory named images, which holds all the graphics and pictures of your website example.com. Now you might think of uploading your personal photos into this folder, thinking that since not a single hyperlink on your website links to these images, no one will find them. But if a curious user types http://example.com/images, he/she will be presented with a list of all the images within the directory. Worse than this, imagine what would happen if search engines crawl and index that directory listing!

That is why it's a good practice to disable directory listing on your web server. It also looks less professional if a user sees a plain directory listing after seeing a beautiful website.

Warning:- While disabling directory listing protects your files to a certain extent, files can still be accessed by keying in the file name directly, e.g. http://example.com/images/personal.jpg. If a particular file is very personal or confidential, never ever store it inside your document root (htdocs, www or public_html folders). If you have no other option, then store such files in a separate directory and password protect it.

Method 1:- Edit the httpd.conf/httpd-vhosts.conf file

In case you are using a dedicated server/VPS, it's best to edit the httpd.conf file, as the change will benefit all the websites hosted on that server. Open the httpd.conf file in a text editor and find the line that starts with <Directory. It looks similar to the following:

<Directory "C:/AMP/Apache Software Foundation/Apache2.2/htdocs">
Options Indexes FollowSymLinks Includes
AllowOverride All
Order allow,deny
Allow from all
</Directory>

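Change line 2 to reflect the following

Options -Indexes +FollowSymLinks +Includes

Note the minus symbol in front of Indexes. The other keywords carry a plus symbol because Apache 2.4 refuses to start when a single Options line mixes keywords that have a +/- prefix with keywords that have none. On servers hosting more than one domain using Apache’s Virtual Hosting, this change will have no effect, because there you need to edit the httpd-vhosts.conf file instead. Edit the line in that file starting with Options and add the minus symbol.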

Restart the Apache service and you’re good to go.

Method 2:- Create/Edit the .htaccess file

Hosting your website on a shared server? Don’t want to edit the httpd.conf file? Then let's do it the htaccess way. Create a file named .htaccess (there should be a dot at the beginning of the file name) inside the htdocs, www or public_html folder. If it already exists, then edit it and add the following line

Options -Indexes

Save the file.

Testing the New Configuration

It's time to check the result of your hard work. So fire up your web browser and type http://example.com/images. If everything was done correctly, you should see a message similar to the following

Figure: Apache directory listing disabled. The server denies you permission to view the list of files in the directory.

If you get a 500 Internal Server Error instead, check the syntax of the .htaccess file. If your server refuses to start, check the syntax of the httpd.conf file.

Wait, it's not over yet. What if you want to ENABLE directory listing for a folder named everyone (http://example.com/everyone)? It's simple: just create a .htaccess file inside the everyone folder and add

Options +Indexes

That is all!!! You can now see the directory listing of only /everyone, while a 403 error is shown for other directories.
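To check what a chain of Options lines adds up to before restarting Apache, here is a small Python model of the merge rule Apache documents for Options: unprefixed keywords replace the inherited set, +/- keywords adjust it. It is an added example, not part of the original post and not Apache's own code; the function names and the three sample lines are constructed for illustration.

```python
# Added example: models Apache's documented Options merge rule (not Apache code).
ALL = {"execcgi", "followsymlinks", "includes", "includesnoexec",
       "indexes", "symlinksifownermatch"}   # "All" does not include MultiViews
KNOWN = ALL | {"multiviews", "all", "none"}


def parse_options(line):
    """Return (is_absolute, absolute, plus, minus) for one 'Options ...' line."""
    words = line.split()
    if len(words) < 2 or words[0].lower() != "options":
        raise ValueError(f"not an Options directive: {line!r}")
    sets = {"": set(), "+": set(), "-": set()}
    signs = set()
    for word in words[1:]:
        sign = word[0] if word[0] in "+-" else ""
        name = word[len(sign):].lower()
        if name not in KNOWN:
            raise ValueError(f"unknown option {word!r}")
        signs.add(sign)
        sets[sign] |= ALL if name == "all" else set() if name == "none" else {name}
    if "" in signs and len(signs) > 1:
        # Apache 2.4 aborts at startup on a line like this.
        raise ValueError(f"mixed prefixed and unprefixed options: {line!r}")
    return "" in signs, sets[""], sets["+"], sets["-"]


def effective_options(chain, inherited=frozenset()):
    """Resolve Options lines ordered from outermost context to innermost."""
    current = set(inherited)
    for line in chain:
        is_absolute, absolute, plus, minus = parse_options(line)
        # Unprefixed keywords replace what was inherited; +/- adjust it.
        current = set(absolute) if is_absolute else (current | plus) - minus
    return current


def listing_enabled(chain):
    return "indexes" in effective_options(chain)


# Constructed sample: the three contexts this post walks through.
HTTPD_CONF = "Options Indexes FollowSymLinks Includes"   # <Directory> block
ROOT_HTACCESS = "Options -Indexes"                       # document root
EVERYONE_HTACCESS = "Options +Indexes"                   # /everyone

if __name__ == "__main__":
    print("/images  :", listing_enabled([HTTPD_CONF, ROOT_HTACCESS]))
    print("/everyone:", listing_enabled([HTTPD_CONF, ROOT_HTACCESS, EVERYONE_HTACCESS]))
```

The model assumes every .htaccess line is honoured, which on a real server requires AllowOverride to permit Options for that directory (the <Directory> block above uses AllowOverride All).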


Comments

  1. Jaromy says

    January 23, 2016 at 2:18 am

    Jesin – I am loving your blog. All of your tutorials are easy to understand, thorough, and accurate. This helped me figure out why I was getting a 500 internal server error when instead I should have been seeing a 403 (forbidden) error. Thanks!

    • Jesin A says

      January 23, 2016 at 2:26 am

      Thanks Jaromy, I’m so glad you’re finding my blog helpful 🙂

    Jesin's Blog by Jesin A is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
    Based on a work at websistent.com.