When installing Apache on a Linux system, the directory content listing is enabled by default. This may be a desirable features in some scenarios, but it's a potential security hole in others. It's easy enough to turn this setting on or off for each website (virtual host) that you have set up.

In this guide, we'll go over the step by step instructions to edit the Apache configuration to hide directory content listing for Apache.

In this tutorial you will learn:
  • How to hide directory content listing in Apache
Receiving the 403 Forbidden error when directory content listing is turned off
Receiving the 403 Forbidden error when directory content listing is turned off
Software Requirements and Linux Command Line Conventions
Category Requirements, Conventions or Software Version Used
System Any Linux distro
Software Apache
Other Privileged access to your Linux system as root or via the sudo command.
Conventions # - requires given linux commands to be executed with root privileges either directly as a root user or by use of sudo command
$ - requires given linux commands to be executed as a regular non-privileged user

Disable Content Listing


SUBSCRIBE TO NEWSLETTER
Subscribe to our NEWSLETTER and receive latest Linux news, jobs, career advice and tutorials.


By default, content listing is enabled. This means if you upload files to a directory, and fail to upload some kind of index file (like index.html or index.php), the contents of the directory are listed and browsable by default. See the screenshot below for an example.

Directory contents are currently being listed on the website
Directory contents are currently being listed on the website

The files you see listed in the screenshot would always be accessible, so "hiding" them is more like security through obscurity. Nevertheless, disabling the directory listing will make it harder for attackers to learn of your site's directory structure and find sensitive files.

  1. Open the virtual host configuration file with nano or your favorite text editor. Note that you may need to replace 000-default.conf with the name of your own configuration file.
    $ sudo nano /etc/apache2/sites-available/000-default.conf
    
  2. Within this file, add the following code inside of the <Directory> directive.
    Options FollowSymLinks
    AllowOverride None
    
  3. Edit your virtual host config with the -Indexes setting to turn off content listing
    Edit your virtual host config with the -Indexes setting to turn off content listing
  4. Save your changes to the file and close it. Then restart Apache for the changes to take effect.
    $ sudo systemctl restart apache2
    
    Red Hat based systems:
    
    $ sudo systemctl restart httpd
    


You should now receive a 403 Forbidden error when you try to access a directory that doesn't have an index file.

Receiving the 403 Forbidden error when directory content listing is turned off
Receiving the 403 Forbidden error when directory content listing is turned off

Closing Thoughts

In this guide, we saw how to disable directory content listing in Apache web server. Disabling it may be seen as "security through obscurity" but it's still a recommended setting to toggle off, unless you specifically need it.

FIND LATEST LINUX JOBS on LinuxCareers.com
Submit your RESUME, create a JOB ALERT.
LINUX CAREER NEWSLETTER
Subscribe to NEWSLETTER and receive latest news, jobs, career advice and tutorials.
DO YOU NEED ADDITIONAL HELP?
Get extra help by visiting our LINUX FORUM or simply use comments below.