Apache Web Server Prevent Directory / Folder Listing

Posted on in Categories , , , , , , , last updated December 4, 2007

Q. If there is no index.html or index.php, Apache displays all other files in a Directory. How do I force Apache web server not to display my directory / folder list?

A.This controlled by a module called mod_autoindex or mod_dir.

You can completely remove (or replace) automatic index generation as per your requirements. The IndexIgnore directive adds to the list of files to hide when listing a directory. File is a shell-style wildcard expression or full filename. Multiple IndexIgnore directives add to the list, rather than the replacing the list of ignored files. By default, the list contains . (the current directory). Open your httpd.conf or .htaccess file and append following directive to block auto indexing for all pdf and mp3 files:
IndexIgnore *.pdf *.mp3
To enforce or deny complete folder listing, use *:
IndexIgnore *
Save and close the file. Restart httpd if httpd.conf was updated:
# service httpd restart

Further readings:

=> Apache mod_autoindex help pages.

Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin and a trainer for the Linux operating system/Unix shell scripting. He has worked with global clients and in various industries, including IT, education, defense and space research, and the nonprofit sector. Follow him on Twitter, Facebook, Google+.

14 comment

  1. Thank you for this article. I was looking for a “confirmation” about the wildcard character “*” to make sure it could be used with the directive “IndexIgnore” in order to prevent listing of files and folders on all Apache server directories. The apache mod_autoindex help page did not make any mention of it specifically, instead gives a rather generic example were wildcards are used in conjunction to file extension (like in: *.bak)… and although that is a clear hint to more tech savvy people, others may like to have it “spelled out” to be sure they will not run into problems.

    At first I thought about using “*.*”, but most likely that wouldn’t have worked on folders… so I thought that it must have been possible to just use “*” to mean “everything” (any folder and any file).

    Thanks again for spelling it out ;)

  2. I have changed th IndexIgnore * in my httpd file but still am able to see the files in the directory. Is there any other directives needs to get changed to disable the directory browsing.

  3. I have changed th IndexIgnore * in my httpd file but still am able to see the files in the directory. Is there any other directives needs to get changed to disable the directory browsing.

  4. I have changed th IndexIgnore * in my httpd file but still am able to see the files in the directory. Is there any other directives needs to get changed to disable the directory browsing.

    me too. any I dieal for this?

  5. Yes. You can modify the config file (httpd.conf) of the Apache server as follows:
    1. Options None
    2. AllowOverride All
    3. Restart the Apache server to take effect.

    If you can not access to the Apache’s config file. You should contact to the host’s admin to modify this file so that the line “IndexIgnore *” in your .htaccess file takes effect.

    Good luck.

  6. I prefer Scott’s solution; use it on your .htaccess inside the folder you want to hide. It’s better (and customizable) a 505 forbidden page than a empty folder list. Thanks for the post.

  7. I want to configure the folder to display the files for download, but want to customize the page that is returned by the webserver. Anyway of doing that without creating a separate page.

  8. HI

    Can anyone tell me how to remove items from the IndexIgnore list? New commands in a subdirectory only add to the list, but I need some files to be displayed which would be hidden some levels above. I didn’t finde anything in the official documentation, but I hope I have only overlooked something…

    Is there a way to acchieve this?

    Sebastian

  9. The main problem I have had is that this problem occurred on my hosting suppliers server. I can not alter their system.
    My problem was that my site starts with index.php.
    If a user entered the root URL as an address without a file name
    ( http://www.someaddress/ );-
    In MS IE, index.php is run.
    In Firefox, a list of all Files and Folders is displayed.

    I cured the problem by creating a file called default.html with a javascript redirect to index.php.
    This has solved the problem in all browsers that I have tested.
    The full code for default.html is below.

    function move()
    {
    window.location = ‘index.php’;
    }

    I Hope this helps some one

  10. Hey Team,
    thanks for the help. I was trying lots of opportunities, for whatever reason I did not find any source which explained my problem and its solution so clear.
    Go on with your work,
    Tom

  11. i want to know how to create a new folder inside apache tomcat in web-app folder.
    when i entered in web-app and i try to create a newfolder but it will shows an error message.the error message is “Acess Denied”unable to create a folder…
    will you give me the easiest way to include a new folder in apache software inside web-apps folder

Leave a Comment