Blog | G5 Cyber Security

Block Directory Listing in .htaccess

TL;DR

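Prevent people from seeing a list of files and folders on your website by adding Options -Indexes to your .htaccess file. This stops visitors from browsing a directory to find sensitive content; it does not block direct requests for a file whose URL is already known.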

How to Block Directory Listing in .htaccess

  1. Understand the Problem: By default, some web servers will show a list of files and folders if there’s no index file (like index.html or index.php) present in a directory. This can expose important information.
    • This is often called ‘directory listing’.
    • The Indexes option of the Options directive controls this behaviour.
  2. Access Your .htaccess File: You’ll need to edit the .htaccess file in your website’s root directory (or the specific directory you want to protect). This is usually done via an FTP client or a file manager provided by your web hosting provider.
    • Important: Make sure your file manager shows hidden files. .htaccess files start with a dot, so they’re often hidden by default.
  3. Edit the .htaccess File: Open the .htaccess file in a text editor.
    • If the file doesn’t exist, create it.
  4. Add or Modify the Options Directive: Add or modify the following line to disable directory listing:
    Options -Indexes

    This tells the server not to show a list of files and folders if no index file is found.

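  5. Alternative: Prevent Listing for Specific Directories: If you only want to block directory listing in certain directories, place the Options -Indexes line inside a <Directory> block. Apache accepts <Directory> sections only in the main server or virtual host configuration, not inside .htaccess, so this form needs access to those files. For example:

    <Directory /path/to/your/directory/>
      Options -Indexes
    </Directory>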

    Replace /path/to/your/directory/ with the actual path to the directory you want to protect.

  6. Add a Redirect (Optional): To make it even more secure, redirect users who try to access a directory without an index file to another page. For example, your homepage:
    Redirect 301 /path/to/your/directory/ /

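    Replace /path/to/your/directory/ with the actual path and / with the URL of your homepage. Redirect matches by URL-path prefix, so this rule also redirects requests for every file beneath that directory.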

  7. Save and Test: Save the changes to your .htaccess file.
    • Clear your browser cache.
    • Try accessing a directory without an index file. You should now see a 403 Forbidden error or be redirected, instead of a list of files.
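
A local check to go with step 7, added here as an example (not code from the original post): it walks a copy of the document root and reports every directory that has no index file and where Indexes is still in effect after each .htaccess on the way down has been applied. It assumes the server lets .htaccess set Options, that index.html and index.php are the only index files, and that Options lines apply regardless of any enclosing section; the function names and the server_default parameter are hypothetical.

```python
import os
import re
import tempfile

INDEX_FILES = {"index.html", "index.php"}  # the index files the article names
OPTIONS_RE = re.compile(r"^[ \t]*Options[ \t]+(.+)$", re.IGNORECASE | re.MULTILINE)

def indexes_after(htaccess_text, inherited):
    """Apply one .htaccess file's Options lines to the inherited Indexes state."""
    state = inherited
    for m in OPTIONS_RE.finditer(htaccess_text):
        tokens = [t.lower() for t in m.group(1).split()]
        if all(t[0] in "+-" for t in tokens):
            # Signed options are merged into what the parent directory set.
            for t in tokens:
                if t in ("+indexes", "-indexes"):
                    state = t[0] == "+"
        else:
            # Unsigned options replace the inherited set entirely.
            state = "indexes" in tokens or "all" in tokens
    return state

def exposed_dirs(docroot, server_default=True):
    """Return directories (relative to docroot) that would show a listing."""
    docroot = os.path.abspath(docroot)
    exposed, state = [], {}
    for path, dirs, files in os.walk(docroot):
        on = state.get(os.path.dirname(path), server_default)
        if ".htaccess" in files:
            with open(os.path.join(path, ".htaccess"), errors="replace") as fh:
                on = indexes_after(fh.read(), on)
        state[path] = on
        if on and not INDEX_FILES & set(files):
            exposed.append(os.path.relpath(path, docroot))
    return sorted(exposed)

def build_sample_tree():
    """Constructed sample: listing blocked at the root, re-enabled in pub/."""
    root = tempfile.mkdtemp()
    for d in ("uploads", "pub/files"):
        os.makedirs(os.path.join(root, d))
    for rel, text in {"index.html": "home", ".htaccess": "Options -Indexes\n",
                      "pub/.htaccess": "Options +Indexes\n"}.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(text)
    return root

if __name__ == "__main__":
    print(exposed_dirs(build_sample_tree()))
```

Pass server_default=False if the main server configuration already disables Indexes; the result then shows only directories where a .htaccess turns listing back on.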

Important Considerations
