Taco Steemers

A personal blog.

How to avoid displaying directory listings on your website

Our websites contain directories with files that are not usually read by humans. Examples are directories containing Javascript files or files for XML feeds. Sometimes we want to disallow directory listings for these directory contents. Here is an example of a directory listing for my blog articles: Screenshot of a directory listing

Normal users of our site do not visit these directory listings. To reach them requires adjusting the address bar by hand.

The problems

The files in these directories are unlikely to be useful to visitors. If they are then the visitor should be guided towards them through your navigation structure. Then they will have the proper context to interpret these files.

The RSS and Atom feed files for my articles are available on my main page as well as the article category pages. There are also some automatically generated feed files that I don't list on my website because I don't think they will benefit people as much as the ones that I do list (1)☟ .

A potential issue is that the files, when loaded directly from a directory listing, may not have the header and footer they would have when they are loaded the usual way. You may have navigation elements in the header and terms and service elements in the footer. A document that is accessed directly trough a directory listing may not contain these elements.

A problem wih the example in the screenshot is that the links in that automatically generated listing do not work. The links lead the user to an error page.

For these reasons I think the directory listings are not beneficial to our visitors.

The solution

This website uses a standard webhosting plan. The web services that serve up the websites on these webhosting plans usually support the hypertext access file .

This .htaccess file can be used to hide the directory listings by using the following entry:

Options -Indexes

The attribute name is Indexes because a directory listing can also be called a directory index. The - means 'no'. Here is a manual on the Options entry .

After adding this the following message appears on my site instead of the directory listings:

Forbidden
You don't have permission to access this resource.

The .htaccess file can be placed in the root directory of your website. Your hosting provider may have instructions on their site as well.

If the .htaccess file is not supported in your situation you may want to contact your hosting provider and ask them to disable directory listings for your site.

An alternative solution

There is a manual workaround. It requires adding a file to each directory listing that we want to hide. To each directory that should not be listed we can add an index.html file. Webserver software is usually configured in such a way that it will prefer sending this file to the client instead of showing the directory listing. The file can be empty, show a "file not found" message, and it can show your website navigation.

Footnotes

(1) It would be preferable these unused files would not be generated. I have not figured out how to stop these files from being generated.