How to disable directory listings

Why should you disable directory listing?

When a web server receives a request for a directory that has no proper index file in place, and directory listing is enabled for that location, it returns a list of the files and directories in the hosted space. This is considered a vulnerability because it gives a third party the opportunity to view the hosted contents and download them from that location. It also lets the visitor learn the website's structure, such as the plugins and themes used with it. With that background information in hand, it is much easier for a skilled attacker to get into the webspace or the filesystem by exploiting vulnerabilities present in those components.

With these facts in mind, disabling directory listing is considered a number one good practice for your website. The method depends on the type of web server in use. This article covers the best practices for disabling directory listing on the most popular web servers: Apache, Nginx and IIS.

#1 Apache

A handy way to disable directory listing on an Apache-hosted website is to place a .htaccess file in the specific website location. For example, if directory listing is enabled for http://mydomain.com/MyData/, create the .htaccess file inside the MyData directory under your website document root. Connect with FTP or a Linux shell and create the .htaccess file with the content below to disable directory listing in that specific location.

Options -Indexes

Tips:

a.) If you still see the directory listing or get errors for the URL, check the Apache error logs for permission errors. Ideally, the .htaccess file should be owned by the web user and group, with 644 access rights.

b.) Apache will not process a .htaccess file unless it is configured to read .htaccess files from that specific location. You can add a Directory block like the one below to the Apache configuration file (httpd.conf) and reload Apache.

<Directory "/home/complete/path/to/the/directory/">
AllowOverride All
</Directory>

c.) If you want to enable directory listing, change Options -Indexes to Options +Indexes.

#2 Nginx

Every incoming HTTP request to an Nginx web server is handled by the http module compiled into Nginx. If the http module fails to find an index file, or the URL does not name a specific file, the request is passed to ngx_http_autoindex_module. This module processes URLs that end with a / (with no specific file in the URL) and produces the directory listing. To disable directory listing for a location, you only need to turn off auto indexing there. Edit nginx.conf and add the entries below to your website configuration.

server {
    listen 80;
    server_name yourdomain.com www.yourdomain.com;
    root /path/to/document/root;
    location / {
        index index.php index.html;
    }
    location /path/disable/dir_listing {
        autoindex off;
    }
}

#3 IIS

Open IIS with escalated privileges or as administrator.

Navigate to the website and click on it to get the home options for that website.

Locate the “Directory Browsing” option and open it.

Click on “Disable” in the right-side options panel.
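
After applying the change on any of the three servers, request the directory URL again and confirm that no index page comes back. The following Python check is an added example, not part of the original article: the function names and the sample response bodies are constructed for illustration, and the signatures assume the stock listing pages of Apache, Nginx and IIS.

```python
import re
from html.parser import HTMLParser
# Markers from the stock index pages; customised listings may need more.
SIGNATURES = {
    "Apache/Nginx autoindex": re.compile(r"<h1>\s*Index of\s+/", re.I),
    "IIS directory browsing": re.compile(r"\[To Parent Directory\]", re.I),
}
# Constructed sample bodies for /MyData/ (not captured from a real server).
APACHE = ('<html><body><h1>Index of /MyData</h1><a href="?C=N;O=D">Name</a>'
          '<a href="/">Parent Directory</a><a href="backup.sql">backup.sql</a>')
IIS = ('<html><body><H1>mydomain.com - /MyData/</H1><hr><pre>'
       '<A HREF="/">[To Parent Directory]</A><br>'
       '<A HREF="/MyData/site.zip">site.zip</A><br></pre></body></html>')

class _Hrefs(HTMLParser):
    """Collect href values of <a> tags (HTMLParser lower-cases names)."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hrefs.append(href)

def exposed_entries(path, body):
    """Names shown in a listing of `path`, minus sort and parent links."""
    parser = _Hrefs()
    parser.feed(body)
    names = []
    for href in parser.hrefs:
        if href.startswith("?") or href == "../" or path.startswith(href):
            continue
        names.append(href[len(path):] if href.startswith(path) else href)
    return names

def check(path, status, body):
    """Classify one response to a directory URL whose path ends in '/'."""
    if status == 200:
        for server, pattern in SIGNATURES.items():
            if pattern.search(body):
                return ("LISTING_ENABLED", server, exposed_entries(path, body))
        return ("OK", "index file served", [])
    if status in (403, 404):
        return ("OK", "listing refused", [])
    return ("REVIEW", "unexpected status %d" % status, [])

if __name__ == "__main__":
    print(check("/MyData/", 200, APACHE), check("/MyData/", 403, ""))
```

Feed it the status code and body returned for each directory on your own site that has no index file; a LISTING_ENABLED result also names the entries that were visible.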

Updated on May 31, 2019
