How to disable directory listing in Apache
The Apache web server can display the contents of directories to users when there is no default index file (such as index.html) present. This feature is managed by the mod_autoindex module. When the directory listing is enabled, if a user accesses a directory without an index file, they will see a list of files and folders within that directory.
Common default index files include:index.html, index.htm, index.php, and welcome.html. These can be configured in DirectoryIndex directive within the Apache configuration file.
While directory listing can be useful for openly sharing files, it might inadvertently expose sensitive files or the server's directory structure. To improve security, it's recommended to disable this feature. In this guide, we'll explore three primary methods to achieve this in Apache:
Methods to disable directory listing in Apache:
For those using platforms like cPanel, there are platform-specific methods to disable Apache's directory listing.
Disable Apache directory listing by disabling autoindex module
A direct approach is to deactivate the mod_autoindex module. Note that this will affect all sites hosted on the server.
-
Launch your preferred terminal application.
-
Disable autoindex module for Apache.
$ sudo a2dismod --force autoindex # Ubuntu, Debian and SUSE Module autoindex disabled. To activate the new configuration, you need to run: systemctl restart apache2
-
Distributions with a2dismod support can simply run the command above without having to manually disable the required modules.
-
LoadModule directive for the corresponding autoindex module need to be manually disabled by removing or commenting (by adding # at the beginning) the line in the configuration file.
Options Debian, Ubuntu openSUSE and SLES Fedora Core, CentOS, RHEL macOS homebrew xampp a2dismod support yes yes no no no no Modules to uninstall none Module name n/a autoindex Loadmodule directive n/a #LoadModule autoindex_module <module_locations>/mod_autoindex.so -
-
Restart Apache for the changes to take effect.
Disable Apache directory listing via Directory's Options directive
You can specifically deny directory listings by adding -Indexes to the Options directive within Apache's configuration file.
-
Open Apache's configuration file using your preferred text editor.
$ sudo vi /etc/apache2/other/mysite.conf
The configuration could be set globally or from within VirtualHost configuration.
-
Find the Options line within the Directory blockock.
<Directory /var/www/mysite> Options Indexes FollowSymLinks </Directory>
-
Remove Indexes option or add -Indexes to Options directive.
<Directory /var/www/mysite> Options -Indexes FollowSymLinks </Directory>
Notice that it's -Indexes and not +Indexes
-
Save and exit the editor
-
Restart the Apache service to apply changes.
Disable Apache directory listing using .htaccess
If you don't have root access or prefer to control directory listing for specific directories, utilize the .htaccess file:
-
Navigate to the directory where you want to disable directory listing.
-
Open or create .htaccess file on the directory using your preferred text editor.
$ sudo vi /var/www/mysite/.htaccess
-
Add -Indexes to Options directive in the .htaccess file.
Options -Indexes
Ensure that the Apache configuration allows the use of .htaccess files by checking the AllowOverride directive is set to All or at least Options for the relevant directory.
-
Save and exit the editor.
-
Restart Apache to apply the changes.
$ sudo systemctl restart apache2