disable apache directory listing

How to Disable Directory Listing in Apache

Apache directory listing is enabled, by default, allowing anyone to easily discover & access all the files & folders on a web server. This can cause security problems for your website. Here’s how to disable Apache directory listing for your web server so nobody can see your website’s folder structure.

How to Disable Directory Listing in Apache

Let’s look at how to disable directory browsing. Let’s say you have a website directory (e.g /files) in your Apache server (e.g /var/www/html/files) but don’t have an index.html file in it. When a user accesses this folder (e.g http://www.example.com/files), Apache will display all files & subfolders in /product, including parent folders. Here’s an example.

disable apache directory listing

So any user can easily find out your website’s entire structure without any permission, by simply visiting http://www.example.com/files and exploit it to their advantage. Here’s how to disable Apache directory listing. There are 2 ways to disable listing the directory content in apache – using Virtual Hosts and .htaccess file. We will look at both these methods. After you hide website index in Apache, you may want to use a reporting software to monitor the key metrics about your website/application such as signups, traffic, sales, revenue, etc. using dashboards & charts, to ensure everything is working well and spot issues quickly.

How to disable Apache Directory Listing using Virtual Host

If you have setup a virtual host file (e.g /etc/apache2/sites-available/website.conf), then you can simply open it with a editor

$ sudo vim /etc/apache2/sites-available/website.conf

and add the following lines in it. Make sure you mention the correct path to your website directory in <Directory> tag.

<Directory /var/www/files>
   Options -Indexes
</Directory>

In the above configuration, the Options – Indexes will disable Apache directory listing for folder /var/www/html/files. If you want to stop directory listing for a different folder, just change this folder path to something else. If you change the folder path to the website root (e.g /www/var/html) then it will disable directory listing globally for your entire website.

Bonus Read : How to Enable mod_ssl in Apache

How to disable Apache Directory Listing using .htaccess

Open Apache main configuration file

$ sudo vi /etc/apache2/apache2.conf #On Debian/Ubuntu systems
$ sudo vi /etc/httpd/conf/httpd.conf #On RHEL/CentOS systems

Look for the section AllowOverride and set it to AllowOverride All

<Directory /var/www/html/>
   Options Indexes FollowSymLinks
   AllowOverride All
</Directory>

Open your .htaccess file at /www/var/html/.htaccess. If it doesn’t exist, create a new blank file with filename .htaccess

Add the following lines in it. Make sure you mention the correct path to your website directory in <Directory> tag.

<Directory /var/www/files>
   Options -Indexes
</Directory>

In the above configuration, the Options – Indexes will disable Apache directory listing for folder /var/www/html/files. If you want to stop directory listing for a different folder, just change this folder path to something else. If you change the folder path to the website root (e.g /www/var/html) then it will disable directory listing globally for for your entire website.

Bonus read: How to Configure Apache Cache in Ubuntu

Restart Apache Web Server

In both cases, restart Apache web server to apply changes.

-------- On SystemD based systems -------- 
$ sudo systemctl restart apache2
$ sudo systemctl restart httpd

-------- On SysVInit based systems -------- 
$ sudo /etc/init.d/apache2 restart 
$ sudo /etc/init.d/httpd restart

Now, when you try accessing the folder via browser, you’ll get a “403:Access Forbidden” response. This way you can protect web directory in Apache.

403 access forbidden

By the way, if you want to create charts & dashboards to monitor your business or website, you can try Ubiq. We offer a 14-day free trial.