Disable Directory Indexes

Category: Blog • Posted by Jeff Starr • Updated:

“Directory indexes”, aka “directory indexing”, “directory views”, or “directory listings”, are easy to disable using a small slice of .htaccess. This quick tutorial shows you how to make it happen in two seconds.

By default Apache servers will display the file contents of any directory that does not include an index file. For example, if your directory does not include an index.html, index.php, or similar index file, Apache will display its contents for the whole wide world to see. You can check out an example of directory views at Apache.org.

Although there are cool things you can do with directory views, in general they can be a security risk because they reveal the structure and contents of whatever is on your server. It all depends on the directory and its contents. In some cases it’s fine to enable directory indexes; in others, you may risk revealing sensitive files and/or data.

Disable Directory Indexes

Fortunately, Apache provides a simple directive for disabling directory views for your entire site:

Options -Indexes

Just pop that sucker into your site’s root .htaccess file and directory indexes will be disabled across your entire site, or sitewide, as it were. Nothing else needs to be done, no edits required, just copy paste done.

No IfModule required

The Options directive is part of the Apache core, and requires no <IfModule> conditional check. If Apache is running on the server, this code will work to disable all directory views. Thus, if you see the Options directive written like so:

<IfModule mod_autoindex.c>
	Options -Indexes

This is incorrect because Options is not a part of the mod_autoindex module, so it doesn’t make sense to check for it before calling the directive. I’ve seen this mistake in various tutorials and it’s usually a good sign that the author hasn’t read (or doesn’t understand) the official Apache documentation.