How to Prevent a Directory Listing of Your Website with .htaccess

If you create a new directory (or folder) on your website, and do not put an "index.html" file in it, you may be surprised to find that your visitors can get a directory listing of all the files in that folder. For example, if you create a folder called "mydirectory", you can see everything in that directory simply by typing "http://www.example.com/mydirectory/" in your browser. No password or anything is needed.

This article shows you how you can configure your web server so that it does not show a directory listing by default.

Prerequisites

  • Your Website Must Be on an Apache Web Server
  • Your Web Host Must Have Enabled .htaccess Server Overrides

Is Protecting Your Directory Listing From View a Security Measure?

Protecting your directories from being listed by your website's visitors does not, in and of itself, make your website more secure. At best, it's security by obscurity. That is, you hope that by hiding stuff from view, nefarious visitors up to no good will not be able to easily list all your files with a single request. It doesn't stop them from directly accessing those files by name. It's important to realise this, so that you don't rely on this method alone for security.

Disable Indexing

Add the following line to your .htaccess file.

Options -Indexes

That's it!

  • 0 Users Found This Useful
Was this answer helpful?

Related Articles

Password protecting a directory on the web server

Password protecting a web directory can be a useful way to manage web content on a...

Common Regex used for Redirect Rules and SSL

Links to Popular Tools and References: Regex PalRegex Syntax Breakdown So what about the ^ and...