Data Centers

Protect Webserver directories from unwanted browsing

The <strong>reddit</strong> social news aggregation site now has a category just for Webserver directories that are not protected from unauthorized browsing.

A surprising number of people have no idea that what they store on their Webservers can become unexpectedly public if it is not properly protected. If you are a Web developer, you should be aware of the fact that, often, a directory on your server can be accessed directly within a Web browser, bypassing the intended Webpage interface.

example directory index

As an example, if you go to a Website with a URL such as http://example.com/Wallpapers/Food.html, it may be possible to delete Food.html from the end of that URL and get a listing of all the contents of the directory — perhaps including photos from your bachelor party, hidden under the "3D" subdirectory, if you put them there thinking they would be safe from prying eyes because they aren't used on any Webpages.

At the reddit site, in the Open Directories subreddit, people have a place to submit unprotected directories they have found on the Internet to share with others. In some cases, the contents of these directories may be useful. In others, they may be embarrassing. In still others, they may be funny. Sometimes, they can be downright tragic. If you have any files stored in the content areas of your Webserver that are not intended for public consumption, now is the time to either remove those files or protect those directories from direct browsing.

In many cases, the simplest approach is to create a blank index.html file and place it in the directory. That way, a well-behaved browser will load the blank index page rather than a directory listing. This is not true security, however, as it relies on the HTTP client being well-behaved, and it's a lot of work to remember to do that for every single directory. A much simpler and more effective approach is to edit the .htaccess file for each directory you want protected from indexing by a browser. It is a simpler approach because .htaccess file directives are inherited by subdirectories.

Simply add this line to the .htaccess file in a given directory to prevent it from indexing:

  Options -Indexes

The same configuration directive can be used in Apache's httpd.conf file if you want that behavior to be global. In either file, if there is already an Options directive, you can just add -Indexes to the string of parameters if it is not already there.

An even simpler approach would be to simply avoid putting files that you don't want the world to see on a Webserver, of course.

About Chad Perrin

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

Editor's Picks

Free Newsletters, In your Inbox