How to Prevent a Directory Listing of Your Website with .htaccess

Block a Directory Index from Being Shown


How to Prevent a Directory Listing of Your Website with .htaccess

by Christopher Heng, thesitewizard.com

If you create a new directory (or folder) on your website, and do not put an "index.html" file in it, you may be surprised to find that your visitors can get a directory listing of all the files in that folder. For example, if you create a folder called "incoming", you can see everything in that directory simply by typing "http://www.example.com/incoming/" in your browser. No password or anything is needed.

This article shows you how you can configure your web server so that it does not show a directory listing by default.

Prerequisites

Both the above conditions must be true, or you won't be able to successfully do the things mentioned in this guide.

Is Protecting Your Directory Listing From View a Security Measure?

Protecting your directories from being listed by your website's visitors does not, in and of itself, make your website more secure. At best, it's security by obscurity — that is, you hope that by hiding stuff from view, nefarious visitors up to no good will not be able to get access to those things. It's the web equivalent of hiding your life savings under your mattress.

However, while you should of course implement other measures for securing your site, it's still good practice not to allow your directories to be listed by default. That way, at least, you don't make it too easy for others to survey your site for vulnerabilities. This is especially so if you have third-party scripts on your site (such as, for example, you run a blog).

It's important to realise this, so that you don't rely on this method alone for security.

Steps to Preventing a Directory Listing

  1. Get Your Existing .htaccess File, If Any

    Connect to your website using an FTP or SFTP software. Go to the top web directory of your site, where you place your home page, and look for a file called ".htaccess". If it exists, download it to your computer.

    If it does not exist, make sure that it is not hidden from your view. This has to be done from within your FTP program itself. Depending on which program you use, you may need to log off, set a "Remote file mask" of "-a" (without the quotation marks) in the options for the program, and log in again to check.

    (The "remote file mask" is the term used in the FTP client that I use. Your program may use a different term.)

    Another way to do this is to log into your site from your web host's control panel. Most, if not all, commercial web hosts provide a way for you to view your web directories from your web browser, as well as upload and download files from them. If your web host has an option to "show hidden files" or some such thing, make sure you enable it. From your host's web interface, you should be able to locate and download your existing .htaccess file.

    Don't worry if, after all your efforts, you can't find any .htaccess file in the main web directory. It's quite normal for a website not to have one. You'll just have to create a blank one later. However, if one exists, it's important that you get it, so that we can add to the settings in the file instead of overwriting them.

  2. Make a Backup of the .htaccess File

    If you managed to find and download the .htaccess file from your site, save a backup copy on your own computer. That is, make sure you have 2 copies of the .htaccess file on your computer, the one you are about to modify, and a pristine copy of the original. The backup is useful in case you accidentally make an error later.

  3. Create or Open the .htaccess File

    If you've managed to get the .htaccess file, open it in an ASCII text editor (like Notepad). If one does not exist, use the editor to create a new blank document. The rest of this article will assume that you have already started the editor with the .htaccess open or with a blank document if no .htaccess file previously existed.

    WARNING: do not use a wordprocessor like Word, Office, or WordPad to create or edit your .htaccess file. You should also not use a WYSIWYG (What-You-See-Is-What-You-Get) web editor for this purpose. If you do, your site will mysteriously fail to work when you upload the file to your web server. This is very important. There are no exceptions.

  4. Disable Indexing

    Add the following line to your .htaccess file.

    Options -Indexes

    Make sure you hit the ENTER key (or RETURN key if you use a Mac) after entering the "Options -Indexes" words so that the file ends with a blank line.

  5. Saving and Uploading the File

    Once you're done with disabling the directory listing in the .htaccess file, save the file. If your file is a new one, and you're using Notepad, make sure you save it as ".htaccess", quotes and all. If you don't add the quotes, Notepad will add a .txt extension to your filename without telling you. Also, make sure the filename itself is exactly .htaccess, that is, the name starts with a full stop ("period" if you use US English), and is entirely in small letters (lowercase). No other name is acceptable.

    Then upload the file to your web server using an FTP/SFTP program (or with your web host's control panel). If you did not use an FTP program in the earlier step (for example, you used your web host's control panel instead), and don't know how to do so, check out my tutorial on How to Upload a File to Your Website Using the FileZilla FTP Client.

  6. Test Your Site

    Whenever you modify your .htaccess file, you should always check that your website still works after uploading it. I'm not kidding here. The .htaccess controls everything the server does with your site. A slight error can render your entire website unusable. So when I say test your website, you should test not only that a directory without "index.html" can no longer be listed, but also check your main page and a few other pages to make sure that they still load.

    If anything goes wrong, delete the .htaccess file on your website and your site should work again. For those who had an existing .htaccess on the site before, upload the backup copy to the site.

Conclusion

If all goes well, you should get a "Forbidden" error when you try to access a directory that doesn't have an index file.

This article can be found at http://www.thesitewizard.com/apache/prevent-directory-listing-htaccess.shtml

Copyright © 2008-2012 by Christopher Heng. All rights reserved.
Get more free tips and articles like this, on web design, promotion, revenue and scripting, from http://www.thesitewizard.com/.

thesitewizard™ News Feed (RSS Site Feed)  Subscribe to thesitewizard.com newsfeed

Do you find this article useful? You can learn of new articles and scripts that are published on thesitewizard.com by subscribing to the RSS feed. Simply point your RSS feed reader or a browser that supports RSS feeds at http://www.thesitewizard.com/thesitewizard.xml. You can read more about how to subscribe to RSS site feeds from my RSS FAQ.

Please Do Not Reprint This Article

This article is copyrighted. Please do not reproduce this article in whole or part, in any form, without obtaining my written permission.

Related Articles

New Articles

Popular Articles

How to Link to This Page

It will appear on your page as:

How to Prevent a Directory Listing of Your Website with .htaccess





Home
Donate
Contact Us
Link to Us
Topics
Site Map

Getting Started
Web Design
Search Engines
Revenue Making
Domains
Web Hosting
Blogging
JavaScripts
PHP
Perl / CGI
HTML
CSS
.htaccess / Apache
Newsletters
General
Seasonal
Reviews
FAQs
Wizards

 

 
Free webmasters and programmers resources, scripts and tutorials
 
HowtoHaven.com: Free How-To Guides
 
Site Design Tips at thesitewizard.com
Find this site useful?
Please link to us.