Htaccess: Prevent Directory Listing

From The Uniform Server Wiki
Jump to navigation Jump to search

.htaccess: Introduction | Site error documents | Prevent Directory Listing | Redirect | Preventing hot linking |

.htaccess - Apache directory-level configuration file

Prevent Directory (Folder) Listing

If you have read the Site error documents page, you will have created a directory named error. Type the following into your browser address bar: http://localhost/errors/ and you will be greeted with a full listing of its content (directories and files).

Try it on any directory that does not contain one of the following pages:

  • index.html, index.shtml, index.html.var
  • index.htm, index.php3, index.php
  • index.pl, index.cgi

and you will receive a listing of its contents, as would anyone on the Internet.

While this may be useful in some cases, this is not a desirable response for security reasons. The following shows you how to prevent this listing.

.htaccess commands

There is only a single command to learn:

Command Comment

IndexIgnore *

This prevents listing of all the files; the * is a wildcard that matches all files

IndexIgnore *.gif *.jpg 

You can be selective and state the file types you do not want listed. Again the wildcard matches all files; in this example all gif and jpg image files are targeted and will not be displayed, while all others will be displayed.

Personalise index page listings

If you are not going to prevent directory listings, consider personalising the page displayed.

You can personalise the index pages listed by adding a header and footer. This requires either one of two files placed in the directory with the .htaccess file as follows:

File name Comment

HEADER.html

This is just a text file containing something like this:

<h1>Power of .htaccess</h1>

Note: You can insert any regular HTML tag. These are not complete HTML pages, just snippets that are included.

README.html

Again this is a text file that uses any regular HTML tag; for example:

<h1>More Power of .htaccess</h1>'''
<p>Why the name README and not FOOTER, I have no idea</p>

Note: You can insert any regular HTML tag. These are not complete HTML pages, just snippets that are included.