Disable directory indexing
Depending on the operating system and distribution, Apache’s default configuration may have directory indexing enabled by default.
This allows search engines to index the file structure of your site and potentially reveal sensitive data. The screenshot below shows an example of the kind data that can be retrieved with a simple HTTP request.
In this example only the list of extensions are revealed, but more sensitive data can also be exposed.
It is strongly recommended that you disable directory indexes.
If your web server requires directory indexing in other places outside of your TYPO3 installation, you should consider deactivating the option globally and only enable indexing on a case-by-case basis.
Apache web server
By removing the Indexes
from Options
(or not setting it in the first place),
Apache does not show the list of files and directories.
In TYPO3, the default .htaccess
already contains the
directive to disable directory indexing. Check if the following is
in your .htaccess
:
# Make sure that directory listings are disabled.
<IfModule mod_autoindex.c>
Options -Indexes
</IfModule>
This example, does not set all Options
, it just removes Indexes
from the
list of Options. Directory indexing is provided by the module autoindex
.
By setting the options this way, it will be disabled in any case, even if the
module is currently not active but might be activated at a later time.
It is also possible, to configure the Options
in the Apache configuration,
for example:
<IfModule mod_autoindex.c>
<Directory /var/www/myhost/public>
# override all Options, do not activate Indexes for security reasons
Options FollowSymLinks
</Directory>
</IfModule>
Please note that the Options
directive can be
used in several containers (for example <Virtual
, <Directory>
,
in the Apache configuration) or in the file .htaccess
.
Refer to the Options
directive for more information.
Nginx
For Nginx, directory listing is handled by the ngx_
and
directory listing is disabled by default.
You can explicitly disable directory listing by using the parameter
autoindex
.
server {
# ...
location /var/www/myhost/public {
autoindex off;
}
}
IIS
For IIS web servers, directory listing is also disabled by default.
It is possible to disable directory listing in the event it was enabled because of a regression or a configuration change.
For IIS7 and above, it is possible to disable directory listing from the Directory Browsing settings using the IIS manager console.
Alternatively, the following command can be used:
appcmd set config /section:directoryBrowse /enabled:false