For those who are developing websites, it’s important to prioritize security as well. If directory listing is publicly accessible, it becomes a security vulnerability.
Some web servers, by default, enable directory listing, including Apache XAMPP. This is one of the reasons not to use XAMPP in a production environment.
So, what is directory listing, and why should a directory listing be hidden? How do you disable directory listing in Apache XAMPP, Nginx, LiteSpeed, and Lighttpd? Here’s the complete information for you!
What is Directory Listing and Why Shouldn’t It be Visible?
Directory listing is a web server function that displays the contents of a directory when the directory contains no index file such as index.html or index.php.
For example, if you access https://tonjoo.com/konten/ but there is no index.php file in the konten directory, the server may display a list of the files and folders within that directory.
Directory listing is a list of directories containing your website’s content that can be accessed through a browser.
If you decide to use XAMPP as a web server in a production environment, you should disable this directory listing.
The reason why directory listing should not be visible is that revealing your website’s structure allows someone to access sensitive files on your website.
For example, files like the database config, in which critical information such as usernames and passwords is stored.
To access a directory listing, someone must already know the path to it. However, once the path is known, the listing becomes dangerous.
So, how can you disable directory listing? Below, we provide steps to disable directory listing for Apache XAMPP. Apart from that, we’ve included tutorials for other web servers as well.
How to Disable Directory Listing in Apache XAMPP
Whether you install XAMPP on Linux or on Windows, directory listing in XAMPP is enabled by default because XAMPP is designed for a development environment.
Therefore, if you plan to use XAMPP in a production environment, directory listing should be disabled. Here is how to disable directory listing in XAMPP:
- Open the XAMPP Control Panel and ensure that Apache is running.
- In the Apache module row, click Config > select the option Apache (httpd.conf).
- Find the Options line and change +Indexes to -Indexes:
    <Directory /your/website/directory>
        Options -Indexes
    </Directory>
- Save the configuration changes.
- Restart Apache, then try accessing the path that previously displayed the directory listing. If a Forbidden error appears, the process was successful.
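The check in the last step can be scripted so it is repeatable after every configuration change. This is an added example, not part of the original tutorial; it assumes the "Index of /" page title that Apache's and Nginx's generated listing pages carry, and the localhost URL in the final comment is a placeholder for your own server.

```python
import re
import urllib.error
import urllib.request

# Title that Apache mod_autoindex and Nginx autoindex put on generated pages.
LISTING_TITLE = re.compile(r"<title>\s*Index of /", re.I)


def classify(status, body):
    """Map an HTTP status and body to what they say about directory listing."""
    if status == 200 and LISTING_TITLE.search(body):
        return "listing-exposed"
    if status == 403:
        return "forbidden"      # the result the tutorial's last step expects
    if status == 404:
        return "not-found"      # wrong path: says nothing about the Indexes option
    return "other"              # an index file or the application answered


def check(url, timeout=5):
    """Fetch a directory URL on your own server and classify the response."""
    req = urllib.request.Request(url, headers={"User-Agent": "dirlist-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read(65536).decode("utf-8", "replace")
            return classify(resp.status, body)
    except urllib.error.HTTPError as err:   # urllib raises on 4xx/5xx statuses
        return classify(err.code, "")


# Constructed sample responses (not captured from a real server).
SAMPLE_LISTING = (
    "<html><head><title>Index of /konten</title></head><body>"
    '<h1>Index of /konten</h1><a href="config.php.bak">config.php.bak</a>'
    "</body></html>"
)
SAMPLE_FORBIDDEN = "<html><head><title>403 Forbidden</title></head></html>"

if __name__ == "__main__":
    print(classify(200, SAMPLE_LISTING))
    print(classify(403, SAMPLE_FORBIDDEN))
    # Live check against a local XAMPP install (URL is an assumption):
    # print(check("http://localhost/konten/"))
```

A "not-found" result means the path was mistyped, so it should not be read as proof that listing is off.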
Thus, your directory listing will no longer be accessible by the public. However, this is only one of the security measures for the XAMPP web server.
If you insist on using XAMPP in a production environment, you should also change the MySQL XAMPP password and implement additional protection steps.
How to Disable Directory Listing on Other Web Servers
Here are several ways to disable directory listing on other web servers, including Nginx, LiteSpeed, and Lighttpd:
1. Disabling Directory Listing on Nginx
By default, directory listing is already disabled in Nginx. To check or modify the directory listing settings, follow these steps:
- Open the Nginx configuration file named nginx.conf. You can find it in /usr/local/nginx/conf, /etc/nginx, or /usr/local/etc/nginx.
- Here is what the nginx.conf file looks like:
    server {
        listen 80;
        server_name tonjoo.com www.tonjoo.com;
        access_log /var/...........................;
        root /path/to/root;
        location / {
            index index.php index.html index.htm;
        }
        location /somedir {
            autoindex on;
        }
    }
- Look at the parameter on line 10. If it reads autoindex on, directory listing is enabled. To disable it, change it to autoindex off.
- When you’re done, restart Nginx.
2. Disabling Directory Listing on LiteSpeed
If you are using the LiteSpeed web server, you can disable directory listing at either the web server level or the website level. To disable directory listing at the web server level, follow these steps:
- Open the LiteSpeed configuration file named httpd_config.xml, or use the LiteSpeed control panel.
- Find the line <indexFiles>index.html, index.php</indexFiles>.
- Add the code <autoIndex>0</autoIndex> below it.
- Save and restart.
To disable directory listing at the website level, follow these steps:
- Open the file /VIRTUAL_HOST_ADI/conf/vhconf.xml.
- Find the line <indexFiles>index.html, index.php</indexFiles>.
- Add the code <autoIndex>0</autoIndex> below it.
- Save and restart.
3. Disabling Directory Listing on Lighttpd
By default, directory listing in Lighttpd is disabled. However, configuration changes sometimes enable directory listing as well. To disable directory listing, follow these steps:
- Open the file dirlisting.conf at the path /etc/lighttpd/conf.d/dirlisting.conf.
- If there is a line like dir-listing.activate = "disable", it means directory listing is disabled.
- If it is still set to enable, change it to disable.
- Save and restart.
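The settings covered in the four tutorials above can be audited in one pass before a server goes live. This is an added example, not code from the original tutorial; the `audit` function and sample configs are constructed here, and treating `<autoIndex>1</autoIndex>` as the enabling value in LiteSpeed is an assumption based on the `0` shown above.

```python
import re

# One rule per server on this page: a directive that turns directory listing on.
RULES = {
    # "Indexes", "+Indexes" or "All" on an Options line, but not "-Indexes".
    "apache": re.compile(r"^\s*Options\b(?=.*(?<![-\w])\+?(?:Indexes|All)\b)", re.I),
    "nginx": re.compile(r"(?:^|[;{])\s*autoindex\s+on\s*;", re.I),
    # Assumption: 1 is the enabling counterpart of <autoIndex>0</autoIndex>.
    "litespeed": re.compile(r"<autoIndex>\s*1\s*</autoIndex>", re.I),
    "lighttpd": re.compile(r'^\s*dir-listing\.activate\s*=\s*"enable"', re.I),
}


def audit(server, text):
    """Return (line_number, line) for each active directive enabling listing."""
    rule, findings = RULES[server], []
    for number, raw in enumerate(text.splitlines(), start=1):
        if server == "litespeed":
            line = re.sub(r"<!--.*?-->", "", raw)  # drop one-line XML comments
        else:
            line = raw.split("#", 1)[0]            # drop # comments
        if rule.search(line):
            findings.append((number, raw.strip()))
    return findings


# Constructed samples modelled on the snippets in this tutorial.
APACHE = """<Directory "/your/website/directory">
    # Options -Indexes
    Options +Indexes +FollowSymLinks
</Directory>"""
NGINX = """server {
    location / { index index.php index.html; }
    location /somedir { autoindex on; }
    location /files { autoindex off; }
}"""
LITESPEED = "<indexFiles>index.html, index.php</indexFiles>\n<autoIndex>1</autoIndex>"
LIGHTTPD = 'dir-listing.activate = "disable"'

if __name__ == "__main__":
    for name, sample in [("apache", APACHE), ("nginx", NGINX),
                         ("litespeed", LITESPEED), ("lighttpd", LIGHTTPD)]:
        print(name, audit(name, sample) or "listing not enabled")
```

The Apache sample shows why comments must be skipped: the commented-out `Options -Indexes` on line 2 has no effect, while the active line 3 still enables listing.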
Successfully Disabled Directory Listing on Apache XAMPP?
That’s the tutorial on how to disable Apache XAMPP, Nginx, LiteSpeed, Lighttpd directory listing. By disabling directory listing on your web server, you’ve closed one potential security vulnerability.
If you are not sure about your website’s security system, you can try consulting with a web development service such as Tonjoo.
Especially if you are building a large corporate or government website, you must pay close attention to security. Don’t let hacking using Google Dorks happen again.
Updated on November 23, 2024 by Anisa K. Juniardi