Directory listings
Description
Directory listing occurs when a web server is configured to display the contents of a directory when no default index file (such as index.html or index.php) is present. This misconfiguration allows anyone to browse the directory structure and view all files within accessible folders, potentially exposing sensitive files, backup copies, configuration files, or other resources that should remain hidden from public access.
Remediation
Disable directory listing on your web server to prevent unauthorized browsing of directory contents. Implementation varies by web server:
Apache: Add or modify the Options directive in your .htaccess file or virtual host configuration:
Options -Indexes
Nginx: Ensure autoindex is set to off in your server or location block:
location / {
autoindex off;
}IIS: Open IIS Manager, select the website or directory, double-click "Directory Browsing," and click "Disable" in the Actions pane.
Additionally, ensure that all public directories contain appropriate index files (index.html, index.php, etc.) and review the listed directories to verify no sensitive files are exposed. Remove or relocate any sensitive files that should not be publicly accessible.