If you create a new directory (or folder) on your website, and do not put an "index.html" file in it, you may be surprised to find that your visitors can get a directory listing of all the files in that folder. For example, if you create a folder called "mydirectory", you can see everything in that directory simply by typing "http://www.example.com/mydirectory/" in your browser. No password or anything is needed.
This article shows you how you can configure your web server so that it does not show a directory listing by default.
- Your Website Must Be on an Apache Web Server
- Your Web Host Must Have Enabled .htaccess Server Overrides
Is Protecting Your Directory Listing From View a Security Measure?
Protecting your directories from being listed by your website's visitors does not, in and of itself, make your website more secure. At best, it's security by obscurity. That is, you hope that by hiding stuff from view, nefarious visitors up to no good will not be able to easily list all your files with a single request. It doesn't stop them from directly accessing those files by name. It's important to realise this, so that you don't rely on this method alone for security.
Add the following line to your .htaccess file.