
Directory listing appearing in a production environment can be a security risk. So, how can you disable directory listing in Apache XAMPP and other web servers?
If you’re developing a website, security should also be a priority. When directory listing is publicly accessible, it creates a vulnerability that could be exploited.
Some web servers enable directory listing by default, including Apache XAMPP. This is one of the reasons why XAMPP is not recommended for production environments.
So, what exactly is directory listing, and why should it be hidden? How can you disable directory listing in Apache XAMPP, Nginx, LiteSpeed, and Lighttpd? Find out in this complete guide.
What is Directory Listing and Why Should It Be Hidden?
What is directory listing, and why is it a security risk? Directory listing is a web server function that displays the contents of a directory when no index.html or index.php file is present.
For example, if you access https://tonjoo.com/konten/ and there is no index.php file in the konten directory, the server might show a list of the files and folders within that directory.
Directory listing reveals the structure of your website, making it accessible through a browser.
If you are using XAMPP as a web server in a production environment, it is highly recommended to disable directory listing.
Why should directory listing be hidden? Because exposing your website’s structure allows unauthorized users to access sensitive files.
For instance, critical files such as database configuration files may contain important information like usernames and passwords.
While accessing directory listing requires knowing the exact directory path, once discovered, it poses a serious security risk.
So, how do you disable directory listing? Below, we provide a guide on disabling directory listing in Apache XAMPP, along with tutorials for other web servers.
How to Disable Directory Listing in Apache XAMPP
If you have installed XAMPP on Linux or Windows, directory listing is enabled by default because XAMPP is designed for development environments.
However, if you want to use XAMPP in a production environment, directory listing must be disabled. Here’s how to do it:
- Open XAMPP Control Panel and ensure that Apache is running.
- Under the Apache module, click Config and select Apache (httpd.conf).
- Find the Options directive and change +Indexes to -Indexes, as shown below:
    <Directory /your/website/directory>
        Options -Indexes
    </Directory>
- Save the configuration changes.
- Restart Apache and try accessing a directory that previously displayed a directory listing. If you see a Forbidden error, the process was successful.
Now, your directory listing is no longer publicly accessible. However, this is just one security measure for XAMPP web servers.
If you insist on using XAMPP for production environments, it’s also important to change the MySQL password and implement additional security measures.
How to Disable Directory Listing on Other Web Servers
Besides Apache XAMPP, you can also disable directory listing on Nginx, LiteSpeed, and Lighttpd. Here’s how:
1. Disabling Directory Listing in Nginx
By default, directory listing in Nginx is disabled. However, you can check or modify the settings with the following steps:
- Open the Nginx configuration file nginx.conf. You can find it in /usr/local/nginx/conf, /etc/nginx, or /usr/local/etc/nginx.
- The file might look like this:

    server {
        listen 80;
        server_name tonjoo.com www.tonjoo.com;
        access_log /var/log/nginx/access.log;
        root /path/to/root;
        location / {
            index index.php index.html index.htm;
        }
        location /somedir {
            autoindex on;
        }
    }

- Check line 10, autoindex on. If it’s enabled, directory listing is active.
- To disable directory listing, change autoindex on to autoindex off.
- Save the changes and restart Nginx for the update to take effect.
2. Disabling Directory Listing in LiteSpeed
If you use LiteSpeed web server, you can disable directory listing at the server level or for a specific website. To disable directory listing at server level, open the LiteSpeed configuration file:
- The file is usually named httpd_config.xml. You can also access it via the LiteSpeed control panel.
- Find the line <indexFiles>index.html, index.php</indexFiles>.
- Add this line below it: <autoIndex>0</autoIndex>.
- Save the file and restart LiteSpeed.
To disable directory listing for a specific website, open the configuration file for that website, then follow these steps:
- Open the file, which is usually located at /VIRTUAL_HOST_ADI/conf/vhconf.xml.
- Find the line <indexFiles>index.html, index.php</indexFiles>.
- Add this line below it: <autoIndex>0</autoIndex>.
- Save the file and restart LiteSpeed.
Now, directory listing is disabled on LiteSpeed for your entire server or just the specific website.
3. Disabling Directory Listing in Lighttpd
By default, directory listing in Lighttpd is disabled. However, certain configurations might enable it. To disable it, follow these steps:
- Open the configuration file /etc/lighttpd/conf.d/dirlisting.conf.
- Look for this line: dir-listing.activate = "disable". If this line exists, directory listing is already disabled.
- If not, change the existing setting to disable.
- Save the file and restart Lighttpd.
Now, directory listing is turned off in Lighttpd, preventing unauthorized access to directory contents.
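To confirm the settings above across all four servers, the following Python script (an added example, not part of the original article) scans configuration text and reports every line that still enables directory listing. The function names and sample configs are constructed for illustration, and the LiteSpeed value 1 is assumed to be the enabling counterpart of the 0 shown above.

```python
import re

def _apache(line):
    # "Indexes", "+Indexes" or "All" turns listing on; "-Indexes" turns it off.
    m = re.match(r"Options\s+(.+)", line, re.I)
    return bool(m) and any(
        t.lstrip("+") in ("indexes", "all") for t in m.group(1).lower().split())

# One predicate per server, keyed on the directive named in the article.
# Assumption: LiteSpeed's <autoIndex>1</autoIndex> is the inverse of the 0 shown.
CHECKS = {
    "apache": _apache,
    "nginx": lambda s: re.match(r"autoindex\s+on\s*;", s, re.I) is not None,
    "litespeed": lambda s: re.search(r"<autoIndex>\s*1\s*</autoIndex>", s, re.I) is not None,
    "lighttpd": lambda s: re.match(r'dir-listing\.activate\s*=\s*"enable"', s) is not None,
}

def audit(server, config_text):
    """Return [(line_number, directive)] for every line that enables listing."""
    lines = enumerate((raw.strip() for raw in config_text.splitlines()), 1)
    return [(n, s) for n, s in lines
            if s and not s.startswith("#") and CHECKS[server](s)]

# Constructed sample inputs; the nginx one mirrors the article's server block.
NGINX_SAMPLE = """\
server {
    listen 80;
    server_name tonjoo.com www.tonjoo.com;
    access_log /var/log/nginx/access.log;
    root /path/to/root;
    location / {
        index index.php index.html index.htm;
    }
    location /somedir {
        autoindex on;
    }
}
"""
APACHE_SAMPLE = """\
<Directory /your/website/directory>
    Options Indexes FollowSymLinks
</Directory>
<Directory /your/website/uploads>
    Options -Indexes
</Directory>
"""
if __name__ == "__main__":
    for name, sample in (("nginx", NGINX_SAMPLE), ("apache", APACHE_SAMPLE)):
        print(name, audit(name, sample))
```

An empty result for a file means none of its active lines enables listing; commented-out lines starting with # are ignored.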
Successfully Disabled Directory Listing in Apache XAMPP?
That wraps up our tutorial on disabling directory listing for Apache XAMPP, Nginx, LiteSpeed, and Lighttpd. By turning off directory listing, you’ve closed a potential security loophole.
If you’re still uncertain about your website security, consulting with a professional web development team like Tonjoo could be a good option.
For large-scale corporate or government websites, security must be a top priority. Don’t let exposure to techniques like Google Dorking put your data at risk.
Updated on March 25, 2025 by Moch. Nasikhun Amin