Skip to content

How to Forbid Directory Listing by Apache httpd Server

  • Apache

If there is no index or default www file in directories, httpd returns the contents of directory instead like this.

Index of /temp

[ICO] Name Last modified Size Description

[DIR] Parent Directory -
[TXT] temp.html 04-May-2012 05:10 300
[TXT] temp2.html 24-Nov-2012 09:20 200

Apache/2.2.26 (CentOS) Server at www.example.com Port 80

If you'd like to prevent the directory to be listed, you should reconfigure httpd.conf, here are the steps to do it:

  1. Find the right directive to change.
  2. If you want to forbid all directory listing, then find <Directory "DocumentRoot"> directive, for example:

    <Directory "/var/www/html">
    ...
        Options Indexes FollowSymLinks
    ...
    </Directory>
  3. Remove "Indexes" like this.
  4. <Directory "/var/www/html">
    ...
        Options FollowSymLinks
    ...
    </Directory>

    Or, add a minus sign before "Indexes".

    <Directory "/var/www/html">
    ...
        Options -Indexes FollowSymLinks
    ...
    </Directory>
  5. Restart httpd

Now, you can try to list the directory again, this time, you should receive 403 error like this:

Forbidden

You don't have permission to access /temp/ on this server.

Apache/2.2.26 (CentOS) Server at www.example.com Port 80

For more options of httpd server, please refer to the official document: core - Apache HTTP Server Version 2.4.

Leave a Reply

Your email address will not be published. Required fields are marked *