Directory Listing

Disable directory listing on Web Server

Last updated 5 years ago

Introduction

Directory listing is a web server feature that lists the contents of a directory when the directory contains no index file (e.g. index.php or index.html). If a request is made for a directory on which directory listing is enabled and no index file such as index.php or index.asp is present, the web server responds with a listing of the files in that directory, even when those files belong to a web application. This is an information leakage issue: an attacker can use the revealed file names and structure to craft further attacks, including direct-impact vulnerabilities such as XSS.
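To see the behaviour described above on a machine you control, here is an added example (not code from the original page): it runs Python's built-in http.server on localhost, which, like the servers discussed below, lists a directory when no index file exists, classifies the response, and then repeats the request against a handler that refuses to list. The "backup.sql" file and the listing-title markers are constructed for the example.

```python
"""Detect an exposed directory listing and show a hardened handler.

Added example; not code from the original page. It serves a temporary
directory on localhost with Python's http.server, which lists a directory
when no index file exists, then does the same with a handler that refuses.
"""
import functools
import http.server
import os
import re
import socketserver
import tempfile
import threading
import urllib.error
import urllib.request

# Title strings that auto-generated indexes commonly carry:
# Apache and nginx use "Index of /...", Python's http.server "Directory listing for /...".
LISTING_MARKERS = re.compile(r"<title>\s*(Index of|Directory listing for)\b", re.I)


def looks_like_listing(html: str) -> bool:
    """True if a response body looks like an auto-generated directory index."""
    return bool(LISTING_MARKERS.search(html))


class NoListingHandler(http.server.SimpleHTTPRequestHandler):
    """Hardened handler: a directory without an index file yields 403, not a listing."""

    def list_directory(self, path):
        self.send_error(403, "Directory listing disabled")
        return None


def fetch(url: str):
    """GET url and return (status, body); HTTP error responses are returned, not raised."""
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def check_directory_listing(hardened: bool) -> dict:
    """Serve a temp directory holding one file and no index file, request '/', classify the reply."""
    handler_cls = NoListingHandler if hardened else http.server.SimpleHTTPRequestHandler
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed sample: the kind of file a listing reveals to anyone who browses to '/'.
        with open(os.path.join(tmp, "backup.sql"), "w") as f:
            f.write("-- constructed sample\n")
        handler = functools.partial(handler_cls, directory=tmp)
        httpd = socketserver.TCPServer(("127.0.0.1", 0), handler)  # port 0: pick a free port
        threading.Thread(target=httpd.serve_forever, daemon=True).start()
        try:
            status, body = fetch(f"http://127.0.0.1:{httpd.server_address[1]}/")
        finally:
            httpd.shutdown()
            httpd.server_close()
    return {
        "status": status,
        "listing": looks_like_listing(body),
        "leaks_filename": "backup.sql" in body,
    }


if __name__ == "__main__":
    print("default handler :", check_directory_listing(hardened=False))
    print("hardened handler:", check_directory_listing(hardened=True))
```

The default handler answers 200 with a page whose title matches the listing marker and whose body contains the file name; the hardened handler answers 403 and leaks nothing. The same `looks_like_listing` check can be run over responses from your own staging hosts to spot directories that still list.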

How to Fix

Tomcat Server

To disable directory listing on the Tomcat web server, open the conf/web.xml file in the directory where Tomcat is installed.

Find the <init-param> whose <param-name> is listings. The <param-value> next to it is the determining factor in this section: if it is true and you want to disable directory listing, change it to false.

You can use the following code to modify:

<servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
        <param-name>debug</param-name>
        <param-value>0</param-value>
    </init-param>
    <init-param>
        <param-name>listings</param-name>
        <param-value>false</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
</servlet>

Nginx Server

The directory listing feature on Nginx is controlled by the ngx_http_index_module. Directory listing is disabled in the default Nginx configuration. However, it may have been enabled by a regression or a configuration change, in which case you can disable it again as follows.

The default configuration file of an Nginx server is called nginx.conf and is found in /usr/local/nginx/conf, /etc/nginx or /usr/local/etc/nginx. If the default value has been changed, you will see a setting similar to the following:

server {
    listen 80;
    server_name domain.com www.domain.com;
    access_log /var/...........................;
    root /path/to/root;
    location / {
        index index.php index.html index.htm;
    }
    location /somedir {
        autoindex on;
    }
}

In this block, the determining parameter is autoindex on;, as mentioned above. In the example, directory listing is enabled only for the somedir location. If it is set on the root location instead (e.g. location / { autoindex on; }), the rule applies to every directory under the document root. To disable directory listing, change the value of autoindex to off. Do not forget to run the following command for the change to take effect:

service nginx restart

LiteSpeed Server

As with the other web servers covered so far, on the LiteSpeed web server you can disable directory listing at both the server level and the website (virtual host) level. To disable it at the server level, edit the httpd_config.xml file by hand; alternatively, you can do it from the LiteSpeed server control panel.

httpd_config.xml file:

To disable directory listing at the server level, add the following line to the httpd_config.xml file:

<autoIndex>0</autoIndex>

vhconf.xml:

To enable or disable directory listing at the website level, edit the /VIRTUAL_HOST_ADI/conf/vhconf.xml file of the virtual host in question and make the relevant definitions there.

IIS Server

Directory listing on the IIS web server is disabled by default. However, if it was enabled by a regression or a configuration change, you can disable it again from the configuration interface of the IIS web server.

For IIS7 and Above

You can disable directory listing from the Directory Browsing settings in the IIS manager console.

Alternatively, execute the following command on the command line:

appcmd set config /section:directoryBrowse /enabled:false

Apache Web Server

To disable directory listing on an Apache web server, create a .htaccess file in the related application directory. You can also add the following lines to the httpd.conf file, or replace the existing lines with them:

<Directory /{YOUR DIRECTORY}>
    Options FollowSymLinks
</Directory>

As the example shows, remove the Indexes and MultiViews statements from the Options line; once they are gone, the directory listing feature is safely disabled on the Apache web server.
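The settings named in the Tomcat, Nginx, LiteSpeed, IIS and Apache sections above can all be checked before deployment. The following Python audit is an added example, not code from the original page or from any of the server vendors: one checker per server, each taking the text of the configuration file the section names (conf/web.xml, nginx.conf, httpd.conf or .htaccess, httpd_config.xml or vhconf.xml, web.config) and returning a list of findings. The sample configurations embedded at the bottom are constructed, each with listing deliberately enabled so the checkers have something to report.

```python
"""Audit web-server configuration files for enabled directory listing.

Added example, not code from the original page or any vendor. One checker per
server covered above; each takes the file's text and returns a list of
findings. The sample configurations are constructed.
"""
import re
import xml.etree.ElementTree as ET


def _local(tag: str) -> str:
    """Strip an XML namespace prefix such as '{http://...}servlet'."""
    return tag.rsplit("}", 1)[-1]


def audit_tomcat_web_xml(text: str) -> list:
    """Flag the DefaultServlet 'listings' init-param when it is 'true' (conf/web.xml)."""
    findings = []
    for servlet in ET.fromstring(text).iter():
        if _local(servlet.tag) != "servlet":
            continue
        for init_param in (c for c in servlet if _local(c.tag) == "init-param"):
            params = {_local(c.tag): (c.text or "").strip() for c in init_param}
            if params.get("param-name") == "listings" and params.get("param-value", "").lower() == "true":
                findings.append("tomcat: DefaultServlet listings=true")
    return findings


def audit_nginx(text: str) -> list:
    """Report each 'autoindex on;' with the block (server/location) it sits in (nginx.conf)."""
    findings, stack = [], []
    for line in text.splitlines():
        stmt = line.split("#", 1)[0].strip()  # drop comments
        if "{" in stmt:  # block opener such as 'location /somedir {'
            stack.append(stmt.split("{", 1)[0].strip() or "{")
        if re.search(r"\bautoindex\s+on\s*;", stmt):
            findings.append(f"nginx: autoindex on in '{stack[-1] if stack else 'main'}'")
        if "}" in stmt and stack:  # block closer
            stack.pop()
    return findings


def audit_apache(text: str) -> list:
    """Flag Options lines that enable Indexes (or All), with their <Directory> scope."""
    findings, scope = [], "global"
    for line in text.splitlines():
        stmt = line.strip()
        opened = re.match(r"<Directory\s+([^>]+)>", stmt, re.I)
        if opened:
            scope = opened.group(1).strip('"')
        elif re.match(r"</Directory>", stmt, re.I):
            scope = "global"
        options = re.match(r"Options\b(.*)", stmt, re.I)
        # 'Indexes', '+Indexes' and 'All' enable listing; '-Indexes' disables it.
        if options and any(o.lower() in ("indexes", "+indexes", "all", "+all")
                           for o in options.group(1).split()):
            findings.append(f"apache: Options Indexes in <Directory {scope}>")
    return findings


def audit_litespeed(text: str) -> list:
    """Flag <autoIndex>1</autoIndex> in httpd_config.xml or a vhconf.xml."""
    return ["litespeed: autoIndex=1" for el in ET.fromstring(text).iter("autoIndex")
            if (el.text or "").strip() == "1"]


def audit_iis_web_config(text: str) -> list:
    """Flag <directoryBrowse enabled="true" /> in an IIS 7+ web.config."""
    return ["iis: directoryBrowse enabled=true" for el in ET.fromstring(text).iter("directoryBrowse")
            if el.get("enabled", "false").lower() == "true"]


# Constructed samples: every one of them has listing enabled somewhere.
SAMPLE_TOMCAT = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"><servlet>
  <servlet-name>default</servlet-name>
  <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
  <init-param><param-name>debug</param-name><param-value>0</param-value></init-param>
  <init-param><param-name>listings</param-name><param-value>true</param-value></init-param>
</servlet></web-app>"""
SAMPLE_NGINX = """server {
    listen 80;
    root /var/www/example;  # constructed path
    location / { index index.html; }
    location /somedir {
        autoindex on;
    }
}"""
SAMPLE_APACHE = """<Directory "/var/www/example">
    Options Indexes FollowSymLinks MultiViews
</Directory>
<Directory "/var/www/example/private">
    Options -Indexes FollowSymLinks
</Directory>"""
SAMPLE_LITESPEED = "<httpServerConfig><autoIndex>1</autoIndex></httpServerConfig>"
SAMPLE_IIS = '<configuration><system.webServer><directoryBrowse enabled="true" /></system.webServer></configuration>'


def audit_all() -> dict:
    """Run every checker on its sample and collect the findings by server."""
    return {"tomcat": audit_tomcat_web_xml(SAMPLE_TOMCAT), "nginx": audit_nginx(SAMPLE_NGINX),
            "apache": audit_apache(SAMPLE_APACHE), "litespeed": audit_litespeed(SAMPLE_LITESPEED),
            "iis": audit_iis_web_config(SAMPLE_IIS)}


if __name__ == "__main__":
    for server, found in audit_all().items():
        print(server, found or "ok")
```

Point each checker at the real file instead of the sample (e.g. `audit_nginx(open("/etc/nginx/nginx.conf").read())`) and fail the deployment when any list is non-empty. The Nginx checker reports the enclosing location so you can tell a listing limited to one directory from one on `location /`, which applies to the whole document root; the Apache checker treats `-Indexes` as safe and `All` as unsafe, since `All` includes `Indexes`.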

References

https://www.netsparker.com/blog/web-security/disable-directory-listing-web-servers/
https://www.acunetix.com/blog/articles/directory-listing-information-disclosure/
https://portswigger.net/kb/issues/00600100_directory-listing
Database Exposed in Directory Listing