Protect Webserver directories from unwanted browsing

by apotheon in Data Centers

on July 9, 2009, 2:25 AM PDT

Protect Webserver directories from unwanted browsing

The reddit social news aggregation site now has a category just for Webserver directories that are not protected from unauthorized browsing.

A surprising number of people have no idea that what they store on their Webservers can become unexpectedly public if it is not properly protected. If you are a Web developer, you should be aware of the fact that, often, a directory on your server can be accessed directly within a Web browser, bypassing the intended Webpage interface.

As an example, if you go to a Website with a URL such as http://example.com/Wallpapers/Food.html, it may be possible to delete Food.html from the end of that URL and get a listing of all the contents of the directory — perhaps including photos from your bachelor party, hidden under the “3D” subdirectory, if you put them there thinking they would be safe from prying eyes because they aren’t used on any Webpages.

At the reddit site, in the Open Directories subreddit, people have a place to submit unprotected directories they have found on the Internet to share with others. In some cases, the contents of these directories may be useful. In others, they may be embarrassing. In still others, they may be funny. Sometimes, they can be downright tragic. If you have any files stored in the content areas of your Webserver that are not intended for public consumption, now is the time to either remove those files or protect those directories from direct browsing.

In many cases, the simplest approach is to create a blank index.html file and place it in the directory. That way, a well-behaved browser will load the blank index page rather than a directory listing. This is not true security, however, as it relies on the HTTP client being well-behaved, and it’s a lot of work to remember to do that for every single directory. A much simpler and more effective approach is to edit the .htaccess file for each directory you want protected from indexing by a browser. It is a simpler approach because .htaccess file directives are inherited by subdirectories.

Simply add this line to the .htaccess file in a given directory to prevent it from indexing:

  Options -Indexes

The same configuration directive can be used in Apache’s httpd.conf file if you want that behavior to be global. In either file, if there is already an Options directive, you can just add -Indexes to the string of parameters if it is not already there.

An even simpler approach would be to simply avoid putting files that you don’t want the world to see on a Webserver, of course.

By apotheon

\ I'm an IT consultant, developer, and writer. I hold both MS and CompTIA certs and am a graduate of two IT industry trade schools. I was at one time the datacenter technician for the Wikimedia Foundation, probably the \"coolest\" job I've ever had: major geek points for being the first-ever paid employee of the Wikimedia Foundation. I was sad to give it up, but moving to Colorado kinda makes working in a Florida datacenter difficult. I have also written hundreds of articles for TechRepublic. \ Aside from directly work-related skills, I'm an ethical theorist and industry analyst with a keen eye toward open source technologies and intellectual property law. Both parents have worked in IT/IS about as long as I've lived, and I have an enthusiastic interest in computing even outside my profession. I've been playing with computers off and on since about 1980. I started just in time to see an IBM 7072 in operation. \ I'm an active member of a great many Internet-enabled and meatspace computing enthusiast and professional communities including mailing lists, LUGs, and so on. \ See more at: \ \ Apotheonic Labs \ blogstrapping \ Chad Perrin Dot Com \ Copyfree Initiative \ Singular IT, LLC \ UnivAcc \ \ You can find many of my TR articles in a publication listing at Apotheonic Labs, though changes in TR's CSS have broken formatting in a lot of them. \ \ \ Open Works License | http://owl.apotheon.org \

Account Information

Contact apotheon

Your message has been sent
|
See all of apotheon's content

Editor's Picks

Image: Rawpixel/Adobe Stock

TechRepublic Premium
TechRepublic Premium editorial calendar: IT policies, checklists, toolkits and research for download

TechRepublic Premium content helps you solve your toughest IT issues and jump-start your career or next project.

TechRepublic Staff
Published: March 14, 2023, 9:10 AM EDT Modified: March 15, 2023, 9:16 AM EDT Read More See more TechRepublic Premium
Image: Blue Planet Studio/Adobe Stock

Payroll
The Best Human Resources Payroll Software of 2023

With a lot of choices in the market, we have highlighted the top six HR and payroll software options for 2023.

Ali Azhar
Published: February 28, 2023, 11:11 AM EST Modified: March 20, 2023, 2:55 PM EDT Read More See more Payroll
Image: Microsoft.

Software
Windows 11 update brings Bing Chat into the taskbar

Microsoft's latest Windows 11 allows enterprises to control some of these new features, which also include Notepad, iPhone and Android news.

Mary Branscombe
Published: February 28, 2023, 2:59 PM EST Modified: February 28, 2023, 2:59 PM EST Read More See more Software
Image: tanatat/Adobe Stock

CXO
Tech jobs: No rush back to the office for software developers as salaries reach $180,000

Salaries for remote roles in software development were higher than location-bound jobs in 2022, Hired finds.

Owen Hughes
Published: March 3, 2023, 3:12 PM EST Modified: March 16, 2023, 12:56 PM EDT Read More See more CXO
Image: Nuthawut/Adobe Stock

Software
The 10 best agile project management software for 2023

With so many agile project management software tools available, it can be overwhelming to find the best fit for you. We've compiled a list of 10 tools you can use to take advantage of agile within your organization.

Brenna Miles
Published: December 27, 2022, 11:45 AM EST Modified: March 16, 2023, 2:25 PM EDT Read More See more Software
Image: Song_about_summer/Adobe Stock

Security
1Password is looking to a password-free future. Here’s why

With phishing-based credentials theft on the rise, 1Password CPO Steve Won explains why the endgame is to 'eliminate’ passwords entirely.

Karl Greenberg
Published: March 2, 2023, 3:44 PM EST Modified: March 7, 2023, 4:10 PM EST Read More See more Security

PURPOSE This policy describes the organization’s employee privacy guidelines and outlines employee privacy expectations. From the policy: POLICY DETAILS The organization’s IT equipment, services and systems are intended for business use only. However, the organization acknowledges that staff, consultants and volunteers occasionally require opportunities to make or receive personal phone calls, access personal email, utilize ...

PURPOSE The purpose of this Security Response Policy from TechRepublic Premium is to outline the security incident response processes which must be followed. This policy will assist to identify and resolve information security incidents quickly and effectively, thus minimizing their business impact and reducing the risk of similar incidents recurring. It includes requirements for both ...

PURPOSE This policy from TechRepublic Premium provides guidelines for reliable and secure backups of end user data. It outlines the responsibilities of IT departments and employees to identify tasks and action items for each group. The policy can be customized to fit the needs of your organization. From the policy: IT STAFF RESPONSIBILITIES IT staff ...

Protect Webserver directories from unwanted browsing

Protect Webserver directories from unwanted browsing

Editor's Picks

TechRepublic Premium editorial calendar: IT policies, checklists, toolkits and research for download

The Best Human Resources Payroll Software of 2023

Windows 11 update brings Bing Chat into the taskbar

Tech jobs: No rush back to the office for software developers as salaries reach $180,000

The 10 best agile project management software for 2023

1Password is looking to a password-free future. Here’s why

Employee privacy policy

Security response policy

End user data backup policy

Electronic communication policy

Account Information

Protect Webserver directories from unwanted browsing

Daily Tech Insider Newsletter

Account Information

Share with Your Friends

Account Information

Contact apotheon

Editor's Picks

Daily Tech Insider Newsletter