Directory Listing
Directory listing is a web server feature that, when enabled, shows the contents of directories that do not have an index file. Instead of getting a 403 or 404, visitors see a clickable list of all files and folders. This exposes backup files, configuration files, and internal directory structure.
What SecurityStatus Checks
- Whether directory listing is enabled on common paths (/images, /uploads, /backup, /assets)
- Whether directory listing is enabled on the web root
- Detection of sensitive file patterns in exposed directory listings
Why This Matters
Attackers use directory listing to find backup files, database dumps, old configuration files, and source code that should never be public. A directory listing of /backup/ exposing database.sql.gz is a catastrophic data breach waiting to happen.
How to Fix It
1. Disable directory listing in nginx
   Ensure `autoindex off` is set in your nginx server block (it is off by default). Check if any location blocks have `autoindex on` and remove them.
2. Disable directory listing in Apache
   In Apache, remove `Options Indexes` from your configuration and replace with `Options -Indexes`. Add `Options -Indexes` to your .htaccess file as well.
3. Add index files to directories
   As a belt-and-braces measure, add an empty index.html file to any directory that should not show a listing. This causes the web server to serve the blank file instead of a directory listing.
4. Move sensitive files outside the web root
   Files like backups, logs, and configuration should be stored outside the public web directory entirely, not just in a directory with listing disabled.
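To verify steps 1 and 2 across a whole configuration file, the following added example (not SecurityStatus code) scans nginx or Apache config text for directives that turn listing on. The function name and sample configs are constructed for illustration; it goes slightly beyond the text by also flagging Apache's `Options All`, which includes `Indexes`.

```python
import re

# nginx: `autoindex on;` anywhere on a line (a location block may be one line).
NGINX_ON = re.compile(r"\bautoindex\s+on\s*;", re.IGNORECASE)
# Apache / .htaccess: an `Options` directive and its argument list.
APACHE_OPTIONS = re.compile(r"^\s*Options\s+(.+)$", re.IGNORECASE)
# Option tokens that enable listing; `All` includes Indexes.
APACHE_ENABLING = {"indexes", "+indexes", "all"}


def find_listing_directives(config_text, server):
    """Return [(line_number, directive_line)] for lines that enable listing."""
    if server not in ("nginx", "apache"):
        raise ValueError("server must be 'nginx' or 'apache'")
    findings = []
    for number, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        if server == "nginx":
            hit = NGINX_ON.search(line) is not None
        else:
            match = APACHE_OPTIONS.match(line)
            tokens = match.group(1).lower().split() if match else []
            hit = any(token in APACHE_ENABLING for token in tokens)
        if hit:
            findings.append((number, line))
    return findings


# Constructed sample configs (not taken from any real server).
NGINX_SAMPLE = """\
server {
    root /var/www/html;
    autoindex off;
    location /uploads/ { autoindex on; }
    # autoindex on;
}
"""
APACHE_SAMPLE = """\
<Directory /var/www/html>
    Options Indexes FollowSymLinks
</Directory>
<Directory /var/www/html/backup>
    Options -Indexes
</Directory>
"""

if __name__ == "__main__":
    for name, text in (("nginx", NGINX_SAMPLE), ("apache", APACHE_SAMPLE)):
        for number, line in find_listing_directives(text, name):
            print(f"{name}: line {number}: {line}")
```

Run it over every included config file and each .htaccess, since a single `location` or `<Directory>` block can re-enable listing that is disabled at the server level.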
Frequently Asked Questions
Is directory listing always a problem?
How do I tell if directory listing is on?