By default, some web servers allow directory listing, which means that if no default index file (such as index.html or index.php) is present, the server will display a list of all files and directories in that folder. This can expose sensitive files, scripts, and configurations, making it easier for attackers to identify vulnerabilities.
Understanding Directory Listing
Directory listing is a web server feature that, when enabled, displays the contents of a directory if no default index file (such as index.html or index.php) is present. When a request is made to such a directory, the server automatically generates and returns a list of all files and subdirectories within it. This can pose a security risk by exposing sensitive files related to a web application, potentially revealing critical information.
If attackers gain access to directory listings, they can analyze file structures, discover hidden scripts, or identify outdated components—information that could be used to launch targeted attacks, including cross-site scripting (XSS) and other exploits. To prevent information leakage, it is crucial to disable directory listing and restrict unnecessary access to server files.
Why You Should Disable Directory Listing
Leaving directory listing enabled can expose critical information, such as hidden scripts, backups, or configuration files, which could be used in cyberattacks. Disabling it adds an extra layer of security, ensuring that unauthorized users cannot easily browse and analyze your server’s structure.
What Information Can Be Exposed Through Directory Listing – And Why It’s a Risk
When directory listing is enabled, unauthorized users can gain access to sensitive files that should remain hidden. For example, if a backup copy of a configuration file (such as config.php) is stored in a directory where listing hasn’t been disabled, an attacker could discover and access it simply by navigating to:
http://www.example.com/secret/
If this file contains database credentials, API keys, or other confidential details, an attacker can extract this information, gaining unauthorized access to the database. This could lead to data breaches, unauthorized modifications, further exploits, or even complete application compromise.
Beyond direct data theft, exposed directories may also reveal outdated scripts, log files, or debugging information that can be leveraged for cross-site scripting (XSS), SQL injection, or remote code execution (RCE) attacks.
How to Mitigate This Risk
To prevent information leakage, it’s essential to:
- Disable directory listing on your web server.
- Restrict access to sensitive directories using proper file permissions.
- Avoid storing backup or configuration files in publicly accessible locations.
By taking these precautions, you can significantly reduce the attack surface and protect critical data from unauthorized access.
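Once the settings below are applied, the only way to be sure a directory no longer lists its contents is to request it and look at what comes back. The following is an added example, not code from the original article: a small Python check that fetches a directory URL on a host you administer and classifies the response by the `<title>` the common servers put on their auto-generated listing page ("Index of /…" for Apache, nginx, lighttpd and LiteSpeed; "Directory Listing For /…" for Tomcat). The sample responses at the bottom are constructed for the demonstration; the `dir-listing-check` User-Agent is an arbitrary label.

```python
"""Classify HTTP responses as directory listings or not (added example)."""
from __future__ import annotations

import re
import urllib.error
import urllib.request

# <title> text of the auto-generated listing page. Apache mod_autoindex,
# nginx autoindex, lighttpd mod_dirlisting and LiteSpeed use "Index of /path";
# Tomcat's DefaultServlet uses "Directory Listing For /path".
LISTING_TEMPLATES = [
    (re.compile(r"<title>\s*Index of /", re.IGNORECASE), "Index of"),
    (re.compile(r"<title>\s*Directory Listing For /", re.IGNORECASE), "Tomcat"),
]


def classify_response(status: int, body: str) -> tuple[bool, str]:
    """Return (is_listing, reason) for one HTTP response.

    Only a 200 whose <title> matches a listing template counts: a page that
    merely mentions "Index of" in its body is ordinary content, and a 403 or
    404 means the server refused or did not find the directory.
    """
    if status != 200:
        return False, f"status {status}: no listing served"
    head = body[:4096]  # the title sits in the first few KB
    for pattern, name in LISTING_TEMPLATES:
        if pattern.search(head):
            return True, f"200 with '{name}' listing template"
    return False, "200 but no listing template in <title>"


def check_url(url: str, timeout: float = 10.0) -> dict:
    """Fetch one directory URL on a server you administer and classify it."""
    req = urllib.request.Request(url, headers={"User-Agent": "dir-listing-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status, raw = resp.status, resp.read(65536)
    except urllib.error.HTTPError as err:  # 403/404 responses still carry a body
        status, raw = err.code, err.read(65536)
    listing, reason = classify_response(status, raw.decode("utf-8", "replace"))
    return {"url": url, "status": status, "listing": listing, "reason": reason}


# Constructed sample responses standing in for real servers.
SAMPLES = {
    "apache_listing": (200, "<html><head><title>Index of /secret</title></head>"
                            "<body><h1>Index of /secret</h1>"
                            "<a href=\"config.php.bak\">config.php.bak</a></body></html>"),
    "tomcat_listing": (200, "<html><head><title>Directory Listing For /secret/</title>"
                            "</head><body></body></html>"),
    "forbidden": (403, "<html><head><title>403 Forbidden</title></head>"
                       "<body><h1>Forbidden</h1></body></html>"),
    # Ordinary page whose body text happens to contain "Index of /".
    "normal_page": (200, "<html><head><title>Library catalogue</title></head>"
                         "<body><p>Index of / all journals is on page 2.</p></body></html>"),
}


def audit_samples() -> dict[str, bool]:
    """Classify every constructed sample; returns name -> is_listing."""
    return {name: classify_response(status, body)[0]
            for name, (status, body) in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in audit_samples().items():
        print(f"{name:16} listing={verdict}")
```

Matching on the `<title>` rather than anywhere in the body keeps a content page that mentions "Index of" from being reported as a finding; the expected result after the fixes in this article is a 403 (or 404) rather than a 200 with a listing template.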
How to Disable Directory Listing
To prevent unauthorized access to your file structure, you can disable directory listing based on your web server:
- Apache: Modify the .htaccess file or main configuration file by adding:
Options -Indexes
- Nginx: In the server configuration file, set:
autoindex off;
- IIS (Windows Server): Disable directory browsing through the IIS Manager by navigating to Features View > Directory Browsing and selecting Disable.
How to Disable Directory Listing on Tomcat
In Apache Tomcat, directory listing is disabled by default starting from version 5.0. However, if it has been re-enabled due to configuration changes or regressions, it’s important to manually disable it to prevent unauthorized access to directory contents.
Tomcat allows you to configure directory listing at two levels:
- Globally – Applies to all web applications running on the server.
- Per Application – Disables directory listing for a specific website only.
Disabling Directory Listing for All Tomcat Web Applications
To disable directory listing across all Tomcat-hosted applications:
- Locate the web.xml configuration file in the Tomcat installation directory. On Windows 10, this is typically:
C:\Program Files (x86)\Apache Software Foundation\Tomcat 9.0\conf\web.xml
- Open the web.xml file in a text editor.
- Find the following section related to directory listings under the default servlet configuration:
<init-param>
<param-name>listings</param-name>
<param-value>true</param-value>
</init-param>
- Change true to false to disable directory listing:
<init-param>
<param-name>listings</param-name>
<param-value>false</param-value>
</init-param>
- Save the file and restart Tomcat for the changes to take effect.
By applying this setting, directory listings will be disabled for all web applications running on the Tomcat server, reducing the risk of information exposure and unauthorized access.
Disabling Directory Listing for a Specific Tomcat Web Application
If you need to disable directory listing for a single web application rather than for all projects on the Tomcat server, you can configure this setting at the application level by modifying the web.xml file specific to that project.
Steps to Disable Directory Listing for a Specific Web Project
- Locate the web.xml file for the web application you want to configure. This file is typically found in:
<TOMCAT_HOME>/webapps/<your_project>/WEB-INF/web.xml
- Open the web.xml file in a text editor.
- Add the following servlet configuration to explicitly disable directory listing for this specific project:
<servlet>
<servlet-name>default</servlet-name>
<servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
<init-param>
<param-name>listings</param-name>
<param-value>false</param-value>
</init-param>
</servlet>
- Save the file and restart Tomcat for the changes to take effect.
By implementing this configuration, directory listing will be disabled only for the specified web application, ensuring that other projects running on the same Tomcat server remain unaffected.
Disabling Directory Listing on Nginx
In Nginx, directory listing is managed by the ngx_http_index_module, with the autoindex directive controlling whether files in a directory are displayed when no index file (such as index.html) is present. By default, directory listing is disabled, but if it has been re-enabled due to configuration changes or a regression, you can manually disable it.
Locating the Nginx Configuration File
The primary configuration file for an Nginx server is typically named nginx.conf and is commonly found in one of the following locations:
- /usr/local/nginx/conf/nginx.conf
- /etc/nginx/nginx.conf
- /usr/local/etc/nginx/nginx.conf
Disabling Directory Listing in Nginx
If directory listing has been enabled, you will see a configuration similar to:
location / {
    autoindex on;
}
To disable directory listing, modify the autoindex setting as follows:
location / {
    autoindex off;
}
After making this change, save the configuration file and restart Nginx to apply the update:
sudo systemctl restart nginx
By setting autoindex off, Nginx will no longer display directory listings, ensuring that unauthorized users cannot browse file structures and potentially access sensitive data.
Disabling Directory Listing on LiteSpeed
Like other web servers, LiteSpeed allows you to disable directory listing at both the server level and individual website level. This ensures that unauthorized users cannot browse directories without an index file, reducing the risk of exposing sensitive information.
Disabling Directory Listing at the Server Level
To disable directory listing for all websites on the LiteSpeed server, you can manually edit the configuration file or use the LiteSpeed WebAdmin Console.
Method 1: Editing the Configuration File
- Locate and open the httpd_config.xml file. The exact location depends on your installation, but it is commonly found in:
/usr/local/lsws/conf/httpd_config.xml
- Find the <autoIndex> setting under the <serverConfig> section. If directory listing is enabled, you’ll see:
<autoIndex>1</autoIndex>
- Change the value from 1 to 0 to disable directory listing:
<autoIndex>0</autoIndex>
- Save the file and restart the LiteSpeed server for the changes to take effect:
sudo systemctl restart lsws
Method 2: Using the LiteSpeed WebAdmin Console
- Log in to the LiteSpeed WebAdmin Console.
- Navigate to Configuration > Server > General.
- Locate the Auto Index setting.
- Change the value to Off.
- Save the settings and restart LiteSpeed.
By applying this change, directory listing will be disabled across all websites hosted on the LiteSpeed server, preventing unintended exposure of files and directories.
Disabling Directory Listing on Lighttpd
In Lighttpd, directory listing is disabled by default, but if it has been enabled due to configuration changes or a regression, you can manually turn it off by modifying the dirlisting.conf file. This file controls settings for the mod_dirlisting module, which is responsible for generating directory listings.
Locating and Editing the Directory Listing Configuration
- Open the dirlisting.conf file, typically found at:
/etc/lighttpd/conf.d/dirlisting.conf
- Look for the following configuration:
dir-listing.activate = "enable"
- Change “enable” to “disable” to turn off directory listing:
dir-listing.activate = "disable"
- Save the file and restart Lighttpd for the changes to take effect:
sudo systemctl restart lighttpd
Once directory listing is disabled, users will no longer be able to view the contents of directories without an index file, reducing the risk of exposing sensitive files on the server.
Disabling Directory Listing on IIS
By default, directory listing is disabled on Microsoft IIS (Internet Information Services). However, if it has been enabled due to configuration changes or a regression, you can manually turn it off using the IIS Manager Console.
Disabling Directory Listing in IIS 7 and Later
- Open IIS Manager
  - Press Win + R, type inetmgr, and press Enter to open IIS Manager.
- Select the Website or Server
  - In the Connections panel on the left, expand the server node and select either:
    - The entire server (to apply the change globally).
    - A specific site (to disable directory listing for only that website).
- Open Directory Browsing Settings
  - In the Features View, find and click on Directory Browsing.
- Disable Directory Listing
  - In the Actions panel on the right, click Disable to turn off directory browsing.
- Apply Changes and Restart IIS
  - Click Apply (if needed) and restart IIS to ensure the settings take effect:
iisreset
Alternative: Disabling Directory Listing via Web.config
If you prefer to modify the configuration file directly, you can disable directory listing for a specific site by adding the following setting to the Web.config file in the site’s root directory:
<configuration>
  <system.webServer>
    <directoryBrowse enabled="false" />
  </system.webServer>
</configuration>
Result
With directory listing disabled, IIS will no longer display a file index when users access a directory without an index file (e.g., index.html). Instead, they will receive a 403 Forbidden error, improving security by preventing unauthorized access to server file structures.
Disabling Directory Listing on Apache
On an Apache web server, directory listing allows users to view the contents of a directory if no default index file (e.g., index.html or index.php) is present. To enhance security and prevent unauthorized access to files, directory listing should be disabled.
Method 1: Using .htaccess (Per-Directory Configuration)
If you want to disable directory listing for a specific application or directory, create or edit a .htaccess file in the target directory and add the following line:
Options -Indexes
This ensures that users cannot view the directory contents when an index file is missing. Instead, they will receive a 403 Forbidden error.
Method 2: Editing the Apache Configuration (httpd.conf)
To disable directory listing globally for all websites hosted on Apache, modify the main Apache configuration file (httpd.conf):
- Open the Apache configuration file, typically located at:
  /etc/apache2/apache2.conf (Ubuntu/Debian)
  /etc/httpd/conf/httpd.conf (CentOS/RHEL)
- Locate the <Directory> section for the root directory (/var/www/html or equivalent) and ensure that Indexes is removed from the Options directive. Modify it as follows:
<Directory /var/www/html>
    Options -Indexes
    AllowOverride All
    Require all granted
</Directory>
- Save the file and restart Apache to apply the changes:
sudo systemctl restart apache2   # Ubuntu/Debian
sudo systemctl restart httpd     # CentOS/RHEL
Result
Once directory listing is disabled, users will no longer be able to browse directories without an index file. Instead, they will receive a 403 Forbidden error, ensuring sensitive files and application structures remain hidden from unauthorized access.
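Every server covered in this article (Tomcat, Nginx, LiteSpeed, Lighttpd, IIS and Apache) exposes its listing switch as a plain-text or XML setting, so the enabling form can be checked mechanically before a restart rather than by reading each file by hand. The following is an added example, not code from the original article: a Python audit that flags `Options Indexes` (also `+Indexes` and `All`) in Apache, `autoindex on;` in nginx, `dir-listing.activate = "enable"` in lighttpd, `listings=true` in a Tomcat web.xml, `<autoIndex>1</autoIndex>` in LiteSpeed's httpd_config.xml and `directoryBrowse enabled="true"` in an IIS Web.config. The configuration fragments at the bottom are constructed for the demonstration, and the `server.dir-listing` spelling for lighttpd is an older alias of the directive shown in the article.

```python
"""Flag directory-listing settings in web-server configuration text (added example)."""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET


def _strip_comments(text: str) -> str:
    """Drop '#' comments so a commented-out 'autoindex on;' is not a finding."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def apache_findings(conf: str) -> list[str]:
    """Options lines that enable listings: 'Indexes', '+Indexes' or 'All'.
    '-Indexes' is the fix the article describes and is not flagged."""
    findings = []
    for line in _strip_comments(conf).splitlines():
        m = re.match(r"\s*Options\s+(.+)", line, re.IGNORECASE)
        if m and any(tok.lower() in ("indexes", "+indexes", "all") for tok in m.group(1).split()):
            findings.append(line.strip())
    return findings


def nginx_findings(conf: str) -> list[str]:
    """Every 'autoindex on;' directive (several directives on one line are all found)."""
    return re.findall(r"autoindex\s+on\s*;", _strip_comments(conf), re.IGNORECASE)


def lighttpd_findings(conf: str) -> list[str]:
    """'dir-listing.activate = "enable"' (or the older server.dir-listing spelling)."""
    return re.findall(r'(?:dir-listing\.activate|server\.dir-listing)\s*=\s*"enable"',
                      _strip_comments(conf))


def _local(tag: str) -> str:
    """Strip an XML namespace ({uri}name -> name); Tomcat's web.xml declares one."""
    return tag.rsplit("}", 1)[-1]


def tomcat_listings_enabled(web_xml: str) -> bool:
    """True if any init-param sets listings=true (conf/web.xml or WEB-INF/web.xml)."""
    for param in ET.fromstring(web_xml).iter():
        if _local(param.tag) != "init-param":
            continue
        kv = {_local(c.tag): (c.text or "").strip() for c in param}
        if kv.get("param-name") == "listings" and kv.get("param-value", "").lower() == "true":
            return True
    return False


def litespeed_autoindex_enabled(httpd_config_xml: str) -> bool:
    """True if <autoIndex>1</autoIndex> appears in httpd_config.xml."""
    return any(_local(e.tag) == "autoIndex" and (e.text or "").strip() == "1"
               for e in ET.fromstring(httpd_config_xml).iter())


def iis_directory_browse_enabled(web_config: str) -> bool:
    """True if <directoryBrowse enabled="true"/> appears in Web.config."""
    return any(_local(e.tag) == "directoryBrowse" and e.get("enabled", "").lower() == "true"
               for e in ET.fromstring(web_config).iter())


# Constructed configuration fragments for the demonstration.
SAMPLES = {
    "apache": "<Directory /var/www/html>\n    Options Indexes FollowSymLinks\n</Directory>\n"
              "<Directory /var/www/app>\n    Options -Indexes\n</Directory>\n",
    "nginx": "location / {\n    autoindex on;\n}\n# autoindex on;  (commented out, ignored)\n",
    "lighttpd": 'dir-listing.activate = "enable"\n',
    "tomcat": '<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"><servlet>'
              "<servlet-name>default</servlet-name><init-param><param-name>listings</param-name>"
              "<param-value>true</param-value></init-param></servlet></web-app>",
    "litespeed": "<httpServerConfig><serverConfig><autoIndex>0</autoIndex></serverConfig></httpServerConfig>",
    "iis": '<configuration><system.webServer><directoryBrowse enabled="true"/></system.webServer></configuration>',
}


def audit_all(samples: dict[str, str] = SAMPLES) -> dict[str, bool]:
    """server name -> True when that configuration still enables directory listing."""
    return {
        "apache": bool(apache_findings(samples["apache"])),
        "nginx": bool(nginx_findings(samples["nginx"])),
        "lighttpd": bool(lighttpd_findings(samples["lighttpd"])),
        "tomcat": tomcat_listings_enabled(samples["tomcat"]),
        "litespeed": litespeed_autoindex_enabled(samples["litespeed"]),
        "iis": iis_directory_browse_enabled(samples["iis"]),
    }


if __name__ == "__main__":
    for server, enabled in audit_all().items():
        print(f"{server:10} listing enabled: {enabled}")
```

The text-based checks strip `#` comments first, so a directive left commented out by an earlier cleanup is not reported; the XML checks ignore namespaces, because a Tomcat web.xml written for a recent servlet specification declares one and a naive tag comparison would miss the `init-param` element.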
Final Thoughts on Disabling Directory Listing
Disabling directory listing is a fundamental yet often overlooked step in securing a web server. Allowing unauthorized users to browse directories can expose sensitive files, configuration details, or outdated scripts, increasing the risk of data breaches and cyberattacks. Whether you’re using Apache, Nginx, IIS, Tomcat, LiteSpeed, or Lighttpd, ensuring that directory listing is turned off helps protect server infrastructure, sensitive data, and overall web application security.
By implementing the correct settings at the server or application level, you can eliminate unnecessary exposure, reduce attack surfaces, and prevent attackers from gathering intelligence about your server environment. Security is an ongoing process, so regular security audits, proper access controls, and automated vulnerability scanning should complement these measures to ensure comprehensive protection.