Disable directory listings by default
codeeditor opened this issue · 5 comments
I propose preventing directory listings in the default configuration. For now, directories and files can be viewed by any visitor. It is vulnerable in the sense that these directories can contain configuration, private and backup files which can be used by attackers. Thank you for the great job!
http://wiki.nginx.org/HttpAutoindexModule
Directory listing is already disabled by default. Can you double check that you don't have any "autoindex on" directives in your location blocks?
When choosing the NGINX installation, indexing is disabled, but when choosing the Apache option [2] in the installation script, directory listings seem to be available for virtual hosts. This is just my observation and it is not really an issue for me, because I think all admins customize this setting for production servers to meet their needs, and the Indexes option enabled by default is still useful in dev/testing environments especially. It's easy to change it by a2en/dis/mod autoindex anyway, so everyone can customize it globally for the server. Best regards.
Ah, so this is for Apache installs.
I'll change the vhost defaults to not list directories when I get the chance to. Thanks!
Thank you for changing it! Already tested the new Master (Apache) configuration on Ubuntu Server 12.04.2 stable - everything is working perfectly with "Options -Indexes". Best regards.
Cheers and thanks for the feedback! Closing this now
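
The following is an added example, not part of the original thread and not the project's own code: a small lint that reports every Apache `Options` directive that turns directory listings on, so a vhost template can be checked for the "Options -Indexes" default discussed above. The sample vhost is constructed, the function name is hypothetical, and the check looks at each directive on its own rather than resolving Apache's full section merging.

```python
import re

# Constructed sample vhost for illustration; not taken from the project.
SAMPLE_VHOST = """\
<VirtualHost *:80>
    ServerName example.test
    DocumentRoot /var/www/example
    <Directory /var/www/example>
        Options Indexes FollowSymLinks
        AllowOverride All
    </Directory>
    <Directory /var/www/example/static>
        Options -Indexes +FollowSymLinks
    </Directory>
    # Options Indexes   (commented out, must be ignored)
    <Directory /var/www/example/old>
        Options All
    </Directory>
</VirtualHost>
"""

OPEN_RE = re.compile(r"^<(\w+)\s*(.*?)>$")   # e.g. <Directory /var/www>
CLOSE_RE = re.compile(r"^</\w+>$")           # e.g. </Directory>

def find_listing_enabled(conf_text):
    """Return (line_no, section, directive) for each Options line enabling Indexes."""
    findings, stack = [], []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                          # blank line or comment
        if CLOSE_RE.match(line):
            if stack:
                stack.pop()
            continue
        m = OPEN_RE.match(line)
        if m:
            stack.append(f"{m.group(1)} {m.group(2)}".strip())
            continue
        words = line.split()
        if words[0].lower() != "options":
            continue
        opts = [w.lower() for w in words[1:]]
        # "All" includes Indexes; an explicit -Indexes in the directive turns it off.
        enables = any(o in ("indexes", "+indexes", "all", "+all") for o in opts)
        if enables and "-indexes" not in opts:
            findings.append((no, stack[-1] if stack else "(server config)", line))
    return findings

if __name__ == "__main__":
    for no, section, directive in find_listing_enabled(SAMPLE_VHOST):
        print(f"line {no}: [{section}] {directive}")
```

A clean result only means no directive in that file enables listings; `.htaccess` files and other included configuration need the same check.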