Apache Tips & Tricks: Hide a file type from directory indexes

Applies: apache 1.3.x / apache 2.0.x
Required apache module: mod_autoindex
Scope: global server configuration, virtual host, directory, .htaccess
Type: security

Description: How to hide some files from appearing in directory indexes.
Useful: to prevent certain files from appearing in directory indexes, in case this needs to remain enabled. This is particularly useful for non html files (or raw files not parsed by apache and returned as a html to the browser), for example: php include files, libraries (that will not have the extension php), or log files, or any other file that you might want to prevent the users to easily see in the browser.

Normally I will disable directory indexes, and this will not be needed, but in case you have to keep directory indexes ON for some reason, then it is a good idea to hide some files from showing in the directory indexes. This will not prevent peoples to download the files as long as they know (or guess) the file name/location, it will just hide the files from the index generation. Some good examples of what files to hide like this:

  • .htaccess (for obvious reasons)

  • *.bak (this can lead to download the source of some parsed web files that are saved as backup files)

  • RCS CVS *,v *,t (hide cvs related files)

  • *.inc (or whatever files extensions you might use to include in regular php files)

These are just examples and you should use this directive based on your particular need.

IndexIgnore

We will use the apache directive IndexIgnore to hide the list of files. Since this can be used in global configuration and also in virtual host configuration, per directory or in .htaccess it is useful to know that any new IndexIgnore line will actually add the files to the list of hidden files and not overwrite a previous definition. So you can choose this as you see it fit (add them all in one place in a single line, or have more ignore list defined, etc.). To achieve our sample here is how we will hide the file types from above to appear in directory indexes:

IndexIgnore .htaccess
IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t
IndexIgnore *.inc

Or the same thing in one single line:

IndexIgnore .htaccess .??* *~ *# HEADER* README* RCS CVS *,v *,t *.inc

Some Linux distributions will include some defaults for this directive, but in case you have directory indexes ON you should really look into this directive and add the files you don’t want the users to see in a browser in a directory index.

Go to:
Main page of all my Apache Tips & Tricks

comments powered by Disqus