Disable directory indexing

Directory indexing allows web servers to list the contents of directories when no default file (like index.html) is present. If enabled, it can expose sensitive file structures to the public or search engines.

This section explains how to disable directory indexing for TYPO3 across common web servers.

Disable indexing in Apache (.htaccess)

This applies to Apache web servers, especially in shared hosting environments where configuration is done via .htaccess files.

In Apache, directory indexing is controlled by the Indexes flag within the Options directive.

TYPO3's default .htaccess disables indexing with the following setting:

/var/www/myhost/public/.htaccess
<IfModule mod_autoindex.c>
  Options -Indexes
</IfModule>
Copied!

Alternatively, set this directly in your Apache site configuration:

/etc/apache2/sites-available/myhost.conf
<IfModule mod_autoindex.c>
  <Directory /var/www/myhost/public>
    Options FollowSymLinks
  </Directory>
</IfModule>
Copied!

See the Apache Options directive documentation for more information.

Disable indexing in Nginx (server block)

This applies to Nginx installations where settings are configured in the server block (virtual host configuration).

Although directory listing is disabled by default in Nginx, you can explicitly disable it by setting autoindex off;:

/etc/nginx/sites-available/myhost.com
server {
  location /var/www/myhost/public {
    autoindex off;
  }
}
Copied!

Disable indexing in IIS (Windows Server)

This applies to IIS web servers on Windows Server systems.

Directory listing is disabled by default. If enabled, you can turn it off using the IIS Manager:

  • Open the Directory Browsing settings
  • Set the feature to Disabled

Or use the command line:

command line
appcmd set config /section:directoryBrowse /enabled:false
Copied!