Disable Directory Listing on apache2

As some of you may (or may not) know, by default apache2 allows something called “Directory Listing”. Essentially what this means is that when you visit your web server, if you browse to a directory within your www folder that does not contain an index page (index.php, index.htm, index.html, etc.), apache2 will actually spit out (or list) the entire contents of that folder. This should be a concern for anyone running a production server, and unless there is a specific need for directory listing its always a good idea to disable it. There is tonnes of different opinions on whether or not its a security issue to leave it enabled, and to this I have to say to each their own. Personally I feel it is a security risk, but at best disabling it is simply security by obscurity.

Depending on your hosting environment, there are a couple ways to disable directory listing.

Disable via .htaccess

While not my favorite method, you can disable directory listing through your .htaccess file if your web host allows server overrides. This is simple enough, simply add this to your .htaccess:

 Disable via server configuration

This is my preferred method because its system wide, which comes in handy if you have multiple vhosts, however for this you need access to the server configuration files. I always run Debian for my setups, but this also applies if you are using a Windows machine to host your apache2 server as well (location of the config files will obviously vary). If you arent sure whether you have access or not, then chances are you do not. Rarely do shared hosting plans allow access to this sort of stuff, and if you are running your own server or VPS then generally you would know you have access either physically, through SSH, or even RDP.

The specific file we are after is apache2.conf or httpd.conf depending on your version of apache2.

On Debian, this file (by default) is usually located at /etc/apache2/apache2.conf. On Windows, if you are using WAMPServer then it should be located at C:\wamp\bin\apache\apache2\conf\httpd.conf. You may need to do some searching to find the specific file, but rest assured, if you are using apache2 then it does exist somewhere.

Once in the conf file, look for the line that looks something like this:

The specific option in that line we want to disable is “Indexes“, so simply remove that from the line completely and reload apache2 – (Debian – sudo service apache2 reload, Windows (WAMP) – Click Wamp Icon > Restart All Services).

And there you have it, no more worrying about people snooping through your directory listings.

Leave a Reply