By default, if Apache maps a request to a directory name rather than a filename (e.g. /var/htdocs/images) and there’s not an index.html file in the directory, Apache will return an HTML page listing the files in that directory. You might wish to disable this as a security measure.
Directory listings are generated by the mod_autoindex module. To disable all directory listings, you can remove the Loadmodule line for mod_autoindex and any occurrences of configuration directives that mod_autoindex implements (see the mod_autoindex documentation).
If mod_autoindex is loaded, whether a directory listing will be generated for a particular request is configured using the Options directive.
To disable directory listings for a specific directory and its subdirectories, turn off the Indexes option in that directory:
<Directory /var/htdocs/images> Options -Indexes </Directory>
You can disable all directory listings by default:
<Directory /> Options -Indexes </Directory>
But note that a more specific <Directory> section can turn indexes back on:
<Directory /var/htdocs/images/foo> Options Indexes </Directory>
so search your configuration files for “Indexes” to verify that directory listings aren’t re-enabled anywhere that you don’t want them.
A .htaccess file in a subdirectory can also turn on directory listings. You can prevent that by configuring AllowOverride at the server level and omitting the Options argument, e.g.:
AllowOverride AuthConfig FileInfo
Summary: Either remove mod_autoindex completely from the configuration, or use Options and AllowOverride to disable listings in specific directories.
- index.html: http://httpd.apache.org/docs/current/mod/mod_dir.html#directoryindex
- mod_autoindex: http://httpd.apache.org/docs/current/mod/mod_autoindex.html
- Options: http://httpd.apache.org/docs/current/mod/core.html#options
- AllowOverride: http://httpd.apache.org/docs/current/mod/core.html#allowoverride