Turn Off directory browsing on Apache

When installing Apache on a Linux system, directory content listing is enabled by default. This may be a desirable feature in some scenarios, but it’s a potential security hole in others. It’s easy enough to turn this setting on or off for each website (virtual host) that you have set up.

In this guide, we’ll go over the step-by-step instructions to edit the Apache configuration and hide directory content listing.

In this tutorial you will learn:

  • How to hide directory content listing in Apache

Receiving the 403 Forbidden error when directory content listing is turned off


Software Requirements and Linux Command Line Conventions

Category: Requirements, Conventions or Software Version Used
System: Any Linux distro
Software: Apache
Other: Privileged access to your Linux system as root or via the sudo command.
Conventions: # – requires given Linux commands to be executed with root privileges, either directly as the root user or by use of the sudo command
             $ – requires given Linux commands to be executed as a regular non-privileged user

Disable Content Listing



By default, content listing is enabled. This means if you upload files to a directory, and fail to upload some kind of index file (like index.html or index.php), the contents of the directory are listed and browsable by default. See the screenshot below for an example.

Directory contents are currently being listed on the website


The files you see listed in the screenshot remain accessible to anyone who requests them by URL, so “hiding” the listing is more like security through obscurity. Nevertheless, disabling the directory listing will make it harder for attackers to learn of your site’s directory structure and find sensitive files.

  1. Open the virtual host configuration file with nano or your favorite text editor. Note that you may need to replace 000-default.conf with the name of your own configuration file.
    $ sudo nano /etc/apache2/sites-available/000-default.conf
    
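  2. Within this file, add the following code inside of the <Directory> directive.
    # No +/- prefixes: this list replaces any inherited Options, and Indexes is not in it
    # Prefixed form that changes only the named options: Options -Indexes +FollowSymLinks
    Options FollowSymLinks
    AllowOverride None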
    
  3. Edit your virtual host config with the -Indexes setting to turn off content listing

  4. Save your changes to the file and close it. Then restart Apache for the changes to take effect.
    $ sudo systemctl restart apache2
    
    Red Hat based systems:
    
    $ sudo systemctl restart httpd
    


You should now receive a 403 Forbidden error when you try to access a directory that doesn’t have an index file.

Receiving the 403 Forbidden error when directory content listing is turned off
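
To confirm which directories still allow listing after the edit, the following added example (not part of the original guide) classifies the Options line of each <Directory> block as on, off or inherited. The sample configuration and its paths are constructed, and the function name is hypothetical; paths containing spaces are not handled.

```sh
#!/bin/sh
# Added example (not from the original guide): audit Options per <Directory> block.

# Constructed sample configuration; the paths are placeholders.
sample_conf() {
  cat <<'EOF'
<Directory /var/www/html>
    Options FollowSymLinks
    AllowOverride None
</Directory>
<Directory "/var/www/files">
    Options Indexes FollowSymLinks
</Directory>
<Directory /var/www/app>
    Options -Indexes +FollowSymLinks
</Directory>
<Directory /var/www/static>
    Options +FollowSymLinks
</Directory>
EOF
}

# Print "<path><TAB><on|off|inherited>" for each <Directory> block.
# Reads the files given as arguments, or stdin when there are none.
audit_indexes() {
  awk '
    tolower($1) == "<directory" {            # block start: remember its path
      path = $2; sub(/>$/, "", path); gsub(/"/, "", path)
      inblock = 1; state = "inherited"; next
    }
    tolower($1) == "</directory>" {          # block end: report the result
      if (inblock) print path "\t" state
      inblock = 0; next
    }
    inblock && tolower($1) == "options" {
      bare = 1                               # bare = no +/- prefix on any option
      for (i = 2; i <= NF; i++) if ($i ~ /^[+-]/) bare = 0
      if (bare) state = "off"                # a bare list replaces inherited options
      for (i = 2; i <= NF; i++) {
        o = tolower($i)
        if (o == "indexes" || o == "+indexes" || o == "all" || o == "+all") state = "on"
        if (o == "-indexes") state = "off"
      }
    }
  ' "$@"
}

sample_conf | audit_indexes
```

Pass a real file as the argument, for example the virtual host file edited in step 1. A result of "inherited" means the block uses only +/- prefixes that do not mention Indexes, so the outcome depends on the enclosing configuration.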

Closing Thoughts

In this guide, we saw how to disable directory content listing in the Apache web server. Disabling it may be seen as “security through obscurity”, but it’s still a recommended setting to toggle off unless you specifically need it.


