Monthly Archives: January 2011

How do I turn off automatic directory listings in Apache?

By default, if Apache maps a request to a directory name rather than a filename (e.g. /var/htdocs/images) and there’s not an index.html file in the directory, Apache will return an HTML page listing the files in that directory. You might wish to disable this as a security measure.

Directory listings are generated by the mod_autoindex module. To disable all directory listings, you can remove the Loadmodule line for mod_autoindex and any occurrences of configuration directives that mod_autoindex implements (see the mod_autoindex documentation).

If mod_autoindex is loaded, whether a directory listing will be generated for a particular request is configured using the Options directive.

To disable directory listings for a specific directory and its subdirectories, turn off the Indexes option in that directory:

<Directory /var/htdocs/images>
  Options -Indexes

You can disable all directory listings by default:

<Directory />
  Options -Indexes

But note that a more specific <Directory> section can turn indexes back on:

<Directory /var/htdocs/images/foo>
  Options Indexes

so search your configuration files for “Indexes” to verify that directory listings aren’t re-enabled anywhere that you don’t want them.

A .htaccess file in a subdirectory can also turn on directory listings. You can prevent that by configuring AllowOverride at the server level and omitting the Options argument, e.g.:

 AllowOverride AuthConfig FileInfo

Summary: Either remove mod_autoindex completely from the configuration, or use Options and AllowOverride to disable listings in specific directories.