How To Disable Directory Listing in Apache

Apache is one of the most popular open-source web servers available, used by many websites globally. One of its features is the ability to list directories and their contents when there’s no index file present. This feature, while handy for some uses, can expose sensitive information about your website’s structure or content to the public. In this article, we will walk you through how to disable directory listing in Apache to enhance your website’s security.

What is Directory Listing?

Before we delve into disabling directory listing, it’s crucial to understand what it is. Directory listing is a feature that allows users to view the contents of a directory when there’s no index file (like index.html or index.php) present in that directory. When a user accesses such a directory, they see a list of the files and subdirectories contained therein.

Advertisement

While this can be useful in some instances, it can also be a security concern. If the feature is enabled, anyone can see your directories’ content and potentially access sensitive files or information. Therefore, disabling directory listing is an important step in hardening your Apache server’s security.

How to Disable Directory Listing

Here is a step-by-step guide to disabling directory listing in Apache:

Step 1: Access Apache Configuration File

To start, you need to access the Apache configuration file on your server. The location of this file depends on your server setup. The most common locations are ‘/etc/httpd/conf/httpd.conf’ for Red Hat/Fedora/CentOS distributions, and ‘/etc/apache2/apache2.conf’ for Debian/Ubuntu distributions.

You can use a command-line text editor such as nano or vim to open the configuration file:

sudo nano /etc/apache2/apache2.conf 

Or for Red Hat based systems:

sudo nano /etc/httpd/conf/httpd.conf 

Step 2: Modify Directory Configuration

Look for the <Directory> directive in the configuration file, which would look something like this:

<Directory /var/www/>
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

In the `Options` line, the ‘Indexes’ value allows the server to generate directory listings. To disable directory listings, you need to remove ‘Indexes’ or replace it with ‘-Indexes’.

The modified directive should look something like this:

<Directory /var/www/>
    Options FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

Or this:

<Directory /var/www/>>
    Options -Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

Step 3: Save and Close the Configuration File

After you’ve made your changes, save the file and exit. If you’re using nano, you can do this by pressing CTRL+X, then Y, and then ENTER.

Step 4: Restart Apache Server

For the changes to take effect, you’ll need to restart your Apache server. You can do this with the following command:

• On Ubuntu/Debian:

  sudo systemctl restart apache2 
  

• On CentOS/Red Hat:

  sudo systemctl restart httpd 
  

Step 5: Test Your Changes

Now you should test your changes to ensure that directory listing has been successfully disabled. Navigate to a directory on your website that doesn’t have an index file. You should no longer see a list of files but an HTTP 403 Forbidden error, meaning access to the resource is denied.

Conclusion

Directory listing can be a useful feature, but it often poses more of a risk than a benefit. Disabling this feature on your Apache server can help protect sensitive files and information, reducing your website’s potential security vulnerabilities. Following the steps outlined in this article, you should be able to disable directory listing on your Apache server easily. Always remember to ensure your web server’s security settings are appropriately configured to fit your specific use case and needs.