How to Forbid Directory Listing by Apache httpd Server

If there is no index or default www file in directories, httpd returns the contents of directory instead like this.

Index of /temp

[ICO] Name Last modified Size Description

[DIR] Parent Directory -
[TXT] temp.html 04-May-2012 05:10 300
[TXT] temp2.html 24-Nov-2012 09:20 200

Apache/2.2.26 (CentOS) Server at www.example.com Port 80

If you'd like to prevent the directory to be listed, you should reconfigure httpd.conf, here are the steps to do it:

  1. Find the right directive to change.
  2. If you want to forbid all directory listing, then find <Directory "DocumentRoot"> directive, for example:

    <Directory "/var/www/html">
    ...
        Options Indexes FollowSymLinks
    ...
    </Directory>
  3. Remove "Indexes" like this.
  4. <Directory "/var/www/html">
    ...
        Options FollowSymLinks
    ...
    </Directory>

    Or, add a minus sign before "Indexes".

    <Directory "/var/www/html">
    ...
        Options -Indexes FollowSymLinks
    ...
    </Directory>
  5. Restart httpd

Now, you can try to list the directory again, this time, you should receive 403 error like this:

Forbidden

You don't have permission to access /temp/ on this server.

Apache/2.2.26 (CentOS) Server at www.example.com Port 80

For more options of httpd server, please refer to the official document: core - Apache HTTP Server Version 2.4.

Leave a Reply

Your email address will not be published. Required fields are marked *