How to Prevent a Directory Listing of Your Website with .htaccess
by H3X KH4N.
If you create a new directory (or folder) on your website, and do not put an "index.html" file in it, you may be surprised to find that your visitors can get a directory listing of all the files in that folder. For example, if you create a folder called "incoming", you can see everything in that directory simply by typing "http://www.example.com/incoming/" in your browser. No password or anything is needed.
This article shows you how you can configure your web server so that it does not show a directory listing by default.
Your Website Must Be on an Apache Web Server
For the method described in this article to work, your site should be hosted on an Apache web server. This probably constitutes the majority of websites on the Internet, so it is likely that you satisfy this requirement. In general, if your web server (the computer that your site is running on) is using Linux or FreeBSD, chances are that it's on an Apache server. If your server is using Windows, your website is probably not using Apache. Note that I'm talking about the computer hosting your website, not your own personal computer. If you're not sure, ask your web host.
Your Web Host Must Have Enabled .htaccess Server Overrides
In addition to being hosted on an Apache web server, your web host needs to have enabled server overrides. This facility allows you to modify the web server configuration from your own website. In practice, this usually means that your website is hosted on a commercial web host rather than a free one. Free web hosts normally don't allow websites hosted on them to change the web server behaviour.
Both the above conditions must be true, or you won't be able to successfully do the things mentioned in this guide.
Is Protecting Your Directory Listing From View a Security Measure?
Protecting your directories from being listed by your website's visitors does not, in and of itself, make your website more secure. At best, it's security by obscurity — that is, you hope that by hiding stuff from view, nefarious visitors up to no good will not be able to get access to those things. It's the web equivalent of hiding your life savings under your mattress.
However, while you should of course implement other measures for securing your site, it's still good practice not to allow your directories to be listed by default. That way, at least, you don't make it too easy for others to survey your site for vulnerabilities. This is especially so if you have third-party scripts on your site (for example, if you run a blog).
It's important to realise this, so that you don't rely on this method alone for security.
Make a Backup of the .htaccess File
If you managed to find and download the .htaccess file from your site, save a backup copy on your own computer. That is, make sure you have 2 copies of the .htaccess file on your computer, the one you are about to modify, and a pristine copy of the original. The backup is useful in case you accidentally make an error later.
Create or Open the .htaccess File
If you've managed to get the .htaccess file, open it in an ASCII text editor (like Notepad). If one does not exist, use the editor to create a new blank document. The rest of this article will assume that you have already started the editor with the .htaccess open or with a blank document if no .htaccess file previously existed.
WARNING: do not use a word processor like Word, Office, or WordPad to create or edit your .htaccess file. You should also not use a WYSIWYG (What-You-See-Is-What-You-Get) web editor for this purpose. If you do, your site will mysteriously fail to work when you upload the file to your web server. This is very important. There are no exceptions.
Add the following line to your .htaccess file.
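The standard Apache directive for turning off directory listings is `Options -Indexes`. The fragment below is an added example, not text from the original article; the commented host-side section and its directory path are assumptions, included only to illustrate the server override requirement described earlier.

```apache
# .htaccess (added example): place in the directory you want to protect,
# e.g. the top-level web directory to cover the whole site.

# Disable automatic listings (mod_autoindex) for this directory and every
# directory below it. A request for a folder without an index file then
# returns "403 Forbidden" instead of a file list.
Options -Indexes

# The setting that produces listings is the opposite form; remove it if it
# is already present in the file:
#   Options +Indexes
#
# Host-side requirement (assumption: shown for reference, set by the web host
# in the main server configuration, NOT valid inside .htaccess; the path is
# hypothetical):
#   <Directory "/var/www/example">
#       AllowOverride Options=Indexes
#   </Directory>
#
# If the host uses "AllowOverride None", this file is ignored and listings
# stay visible. If overrides are on but Options is not permitted, every
# request under this directory fails with "500 Internal Server Error";
# restore the backup copy in that case.
```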
If all goes well, you should get a "Forbidden" error when you try to access a directory that doesn't have an index file.