Apache Tips & Tricks: Disable directory indexes

Applies: apache 1.3.x / apache 2.0.x
Required apache module: core/mod_autoindex
Scope: global server configuration, virtual host, directory, .htaccess
Type: security

Description: How to disable directory indexes.
Useful: to prevent the server from showing a listing of the existing files in case there is no index (as defined by DirectoryIndex) in one folder. In my opinion if you need this enabled then you should enable it only on some particular directory where you need it and_ disable it server wide_. Also it might be useful that in the places you have it enabled to hide any files that need to be private as shown in my previous tip: “Hide a file type from directory indexes”.

Options - Indexes

The Options directive is the place where you can enable or disable the index generation. This is set by default to ALL (meaning that it will turn ON also Indexes), but normally you will see this overwritten by each distribution either globally or inside the default vhost definition.

As I said previously my approach is to start by disabling directory indexes globally. This is done in the main server config, by adding the Options directive (or only adding to it the -Indexes part in case you have other global options defined):

Options -Indexes

Now as long as you will not overwrite this inside any directory or vhost it will disable the generation of directory indexes. Your root directory may look like this for example:

<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>

the important thing is to not include the addition of Indexes. As long as you have AllowOverride None it will prevent any accidental changes done in .htaccess files.

If you want to enable indexes generation on some particular directory or vhost just add the Indexes option:

<Directory /www/somefolder>
    Options Indexes FollowSymLinks
    AllowOverride None
</Directory>

and this will enable only in that folder the generation of indexes. In this case, you might want to prevent the listing of some file types as seen in my previous post: “Hide a file type from directory indexes”.

Go to:
Main page of all my Apache Tips & Tricks

comments powered by Disqus