Website Vulnerabilities: How to Disable Directory Listing and Why It’s Crucial for Security

June 2, 2023

When directory listing is enabled, unintended files may become publicly accessible, increasing the risk of information leaks. In Nginx, directory listing is controlled by the autoindex directive, which can sometimes be unintentionally enabled. This guide explains how to check if directory listing is enabled, why it’s a security risk, and how to disable it in Nginx. Protect your website with this essential security practice.

Table of Contents

How to Check if Directory Listing is Enabled
Security Risks of Directory Listing
How to Disable Directory Listing in Nginx

How to Check if Directory Listing is Enabled

There are primarily three methods to verify if directory listing is enabled on your website. The first is accessing via a URL pattern, the second uses the Curl command, and the third involves vulnerability scanning tools. Below, we'll explore each method.

Checking via URL Pattern

To verify if directory listing is enabled via URL, follow these steps:

Access your website through a browser.
Append a slash (/) at the end of your URL, e.g., http://example.com/.
If a directory page appears, directory listing is enabled, showing a list of files and directories.
If no page appears, directory listing is disabled.

Checking Using Curl Command

Use the following Curl command:

curl -s -o /dev/null -I -w "%{http_code}" http://example.com/

Replace http://example.com/ with your website URL. If directory listing is enabled, it will return an HTTP status code "200". If disabled, you'll see "403" (Forbidden) or "404" (Not Found).

Another method involves using vulnerability scanning tools to verify directory listing status.

Security Risks of Directory Listing

If directory listing is enabled, the files and directories on your website may be publicly accessible, presenting several security risks:

Exposure of Sensitive Information: Files that should remain confidential may be inadvertently exposed, leaking sensitive data externally.
Website Structure Exposure: Attackers can easily understand your website’s structure, making it easier to target specific vulnerabilities or critical files.
Ease of Navigation for Attackers: Attackers can easily traverse the file system, potentially accessing files outside the root directory, compromising important or confidential information.
Enhanced Attack Planning: Attackers gain insights into your internal website structure and available files, enabling more targeted and effective attacks.

Keeping directory listing enabled significantly elevates these risks. Therefore, disabling directory listing is crucial for strengthening your website’s security and preventing unintended information leakage.

Example

If directory listing is enabled, files and folders on your server might become accessible as shown below:

In the illustrated example, even folders like "Secret," which should not be publicly accessible, become easily viewable by anyone through direct URLs.

If using a CMS, non-public folders or files could become externally accessible. Sensitive files managed through the administration panel might inadvertently become publicly viewable.

Thus, enabling directory listing substantially increases information leakage risks.

How to Disable Directory Listing in Nginx

Below is how to disable directory listing in Nginx:

Open the /etc/nginx/nginx.conf file, locate the location / directive within the server block, and add autoindex off;. If autoindex on; is already present, simply change it to autoindex off;.

Before Change:

server {
        listen   80;
        server_name  domain.com www.domain.com;
        location / {
               autoindex on; # Change this
        }
 }

After Change:

server {
        listen   80;
        server_name  domain.com www.domain.com;
        location / {
               autoindex off; # Changed
        }
 }

This prevents external users from browsing directory contents.

After updating, verify by accessing your domain again with the trailing /. If the directory listing no longer appears, the configuration change was successful, and your website’s non-public information is now secured from external viewing.

【Vulnerability】related contents

🇯🇵🔓Japan Data Breach Cases 2025 | Major Data Leaks, Cyber Attacks, and Countermeasures

Japan’s Innovation Agency Hacked – 7,600 Records Leaked – Maybe They Should Innovate a Firewall?

Ransomware Knocks Out Japanese Clinic – 300,000 Patient Records Exposed

Website Vulnerability: Absence of the X-Frame-Options Header

Website Vulnerability: Absence of the X-Content-Type-Options Header

There are other articles

What is the Active Cyber Defense Law? A New Legal Framework…

In recent years, cyber-attacks have become increasingly sophisticated, posing significant threats to companies, government agencies, and individuals alike. In response, the Japanese government is considering the "Activ…

Feb. 6, 2025

Website Vulnerabilities: Using an Outdated and Vulnerable N…

Running a vulnerable Nginx version exposes your website to potential attacks and exploits. This guide explains the risks of outdated Nginx versions and provides actionable steps to check your current version and update to a…

July 28, 2023

Website Vulnerabilities: Exposed Nginx Version and Its Secu…

When your Nginx version is publicly visible, it can reveal critical information to attackers, increasing the risk of targeted exploits. Learn how to check if your Nginx version is exposed, understand the associated security…

July 28, 2023

Website Vulnerabilities: Missing Subresource Integrity (SRI…

Without Subresource Integrity (SRI), your website is at risk of executing malicious code if external resources are tampered with. This can compromise user security, damage trust in your site, and expose sensitive data. Lear…

May 31, 2023

IPv6 Configuration Guide: How to Set Up IPv6 on Nginx and I…

Configuring IPv6 on Nginx is simple: just add [::]: before the port number in your server configuration file, such as [::]:80 or [::]:443. This guide provides detailed steps and explai…

March 14, 2024

SSL 3.0 Enabled: A Website Vulnerability You Must Address

To disable SSL 3.0 on your server, the solution is simple: for Nginx, exclude "SSLv3" in the ssl_protocols directive; for Apache, explicitly add -SSLv3 in the SSLProtocol dir…

March 17, 2024

Website Vulnerabilities: How to Enable HSTS and Why It’s Es…

Without HSTS, your website may not automatically redirect HTTP traffic to HTTPS, exposing users to potential data breaches through downgraded connections. This weakens HTTPS security and leaves your site vulnerable. Learn w…

May 30, 2023

Website Vulnerabilities: How to Set Up HTTPS Redirects and …

HTTPS is a critical security measure for modern websites. Without proper HTTPS redirects, users can still access your site via HTTP, exposing sensitive data to potential risks. This article explains the risks of missing HTT…

May 31, 2023

Website Vulnerabilities: How to Disable TLS 1.1 and Why It …

Learn how to disable TLS 1.1 and transition to modern TLS versions. This guide explains the vulnerabilities and compatibility issues of TLS 1.1 and provides step-by-step instructions for configuring TLS 1.2 or TLS 1.3. Expl…

May 31, 2023

Website Vulnerabilities: How to Disable TLS 1.0 and Why It …

This article provides a detailed guide on disabling TLS 1.0 and transitioning to modern security protocols. Learn about the vulnerabilities and risks of TLS 1.0, step-by-step instructions for disabling it on Nginx, and best…