If you create a new directory (or folder) on your website, and do not put an "
index.html" file in it,
you may be surprised to find that your visitors can get a directory listing of all the files in that folder. For example,
if you create a folder called "
incoming", you can see everything in that directory simply by typing
http://www.example.com/incoming/" in your browser. No password or anything is needed.
This article shows you how you can configure your web server so that it does not show a directory listing by default.
For the method described in this article to work, your site should be hosted on an Apache web server. This probably constitutes the majority of websites on the Internet, so it is likely that you satisfy this requirement. In general, if your web server (the computer that your site is running on) is using Linux or FreeBSD, chances are that it's on an Apache server. If your server is using Windows, your website is probably not using Apache. Note that I'm talking about the computer hosting your website, not your own personal computer. If you're not sure, ask your web host.
In addition to being hosted on an Apache web server, your web host needs to have enabled server overrides. This facility allows you to modify the web server configuration from your own website. In practice, this usually means that your website is hosted on a commercial web host rather than a free one. Free web hosts normally don't allow websites hosted on them to change the web server behaviour.
Both the above conditions must be true, or you won't be able to successfully do the things mentioned in this guide.
Protecting your directories from being listed by your website's visitors does not, in and of itself, make your website more secure. At best, it's security by obscurity — that is, you hope that by hiding stuff from view, nefarious visitors up to no good will not be able to get access to those things. It's the web equivalent of hiding your life savings under your mattress.
However, while you should of course implement other measures for securing your site, it's still good practice not to allow your directories to be listed by default. That way, at least, you don't make it too easy for others to survey your site for vulnerabilities. This is especially so if you have third-party scripts on your site (such as, for example, you run a blog).
It's important to realise this, so that you don't rely on this method alone for security.
Connect to your website using an FTP or SFTP software.
Go to the top web directory of your site, where you place your home page, and look for a file called "
.htaccess". If it exists,
download it to your computer.
If it does not exist, make sure that it is not hidden from your view. This has to be done from within your FTP program itself.
Depending on which program you use, you may need to log off, set a "Remote file mask"
-a" (without the quotation marks) in the options for the program, and log in again to check.
(The "remote file mask" is the term used in the FTP client that I use. Your program may use a different term.)
Another way to do this is to log into your site from your web host's control panel. Most, if not all,
commercial web hosts provide a way for you to view
your web directories from your web browser, as well as upload and download files from them. If your web host has an option to "show hidden files"
or some such thing, make sure you enable it. From your host's web interface, you should be able to locate and download your existing
Don't worry if, after all your efforts, you can't find any
.htaccess file in the main web directory. It's quite normal for a website
not to have one. You'll just have to create a blank one later. However, if one exists, it's important that you get it, so that we can add to the settings
in the file instead of overwriting them.
If you managed to find and download the
.htaccess file from your site, save a backup copy on your own computer. That is, make sure you have 2 copies
.htaccess file on your computer, the one you are about to modify, and a pristine copy of the original. The backup is useful in case you accidentally
make an error later.
If you've managed to get the
.htaccess file, open it in an
ASCII text editor (like Notepad). If one does not exist, use
the editor to create a new blank document. The rest of this article will assume that you have already started the editor with the
.htaccess open or with a blank document if no
.htaccess file previously existed.
WARNING: do not use a wordprocessor like Word, Office, or WordPad to create or edit your
.htaccess file. You should also not use a
WYSIWYG (What-You-See-Is-What-You-Get) web editor for this purpose.
If you do, your site will mysteriously fail to work when you upload the file to your web server. This is very important. There are no exceptions.
Add the following line to your
Make sure you hit the ENTER key (or RETURN key if you use a Mac) after entering the "Options -Indexes" words so that the file ends with a blank line.
Once you're done with disabling the directory listing
in the .htaccess file, save the file. If your file is a new one, and you're using Notepad, make sure you save it as
quotes and all. If you don't add the quotes,
Notepad will add a .txt extension to your
filename without telling you. Also, make sure the filename itself is exactly
.htaccess, that is, the name starts with a full stop ("period" if
you use US English), and is entirely in
small letters (lowercase). No other name is acceptable.
Then upload the file to your web server using an FTP/SFTP program (or with your web host's control panel). If you did not use an FTP program in the earlier step (for example, you used your web host's control panel instead), and don't know how to do so, check out my tutorial on How to Upload a File to Your Website Using the FileZilla FTP Client.
Whenever you modify your
.htaccess file, you should always check that your website still works after uploading it. I'm not kidding here.
.htaccess controls everything the server does with your site. A slight error can render your entire website unusable. So when I say test
your website, you should test not only that a directory without "index.html" can no longer be listed, but also check your main page and a few other
pages to make sure that they still load.
If anything goes wrong, delete the
.htaccess file on your website and your site should work again. For those who had an existing
on the site before, upload the backup copy to the site.
If all goes well, you should get a "Forbidden" error when you try to access a directory that doesn't have an index file.
This article can be found at https://www.thesitewizard.com/apache/prevent-directory-listing-htaccess.shtml
Do you find this article useful? You can learn of new articles and scripts that are published on thesitewizard.com by subscribing to the RSS feed. Simply point your RSS feed reader or a browser that supports RSS feeds at https://www.thesitewizard.com/thesitewizard.xml. You can read more about how to subscribe to RSS site feeds from my RSS FAQ.
This article is copyrighted. Please do not reproduce or distribute this article in whole or part, in any form.
It will appear on your page as: