Skip to content
Administrator Tips icon

Turn Off Directory Listing

In this tutorial you will learn why you should turn off directory listing in your server space.

Have you ever wondered why Mambo includes index.html files in every directory? Have you ever opened one of these files to see what it contains? If you have, you will have seen that there is a simple line of code setting the background colour of the page. That's it. So, what to these files do?

If someone browses to a directory on your Mambo web site the index.html page will load into the browser and they get so see - nothing! That is the sole purpose of those files.

While some web hosts disable directory listing by default, many don't bother. This means that human visitors and search engine robots may be presented with a directory listing of all of the files within the unprotected server space. Below is a screenshot of one site that has directory listing on:

As you can see, the files are exposed to view. This is potentially a serious security risk and it also has privacy implications. The owner of the site I just saw probably has no idea that their files can be viewed and downloaded right from the directories.

If directory listing is turned on the site's structure can be viewed, site information is given, and files that may contain sensitive data can be read on the browser and downloaded. They can also be crawled by search engines.

Mambo includes the index.html files to prevent anyone from seeing your files. However, not all extensions include these safety measures. If you were unaware of the need for protecting your directories you may have added some unprotected directories yourself. Image and download directories are often overlooked by site owners. Luckily, this is easy to fix if you are able to run .htaccess on your site.

Turning Off Directory Listings Using .htaccess

If you are already using a .htaccess file at your site root (which you will be if you are using the Mambo SEF URL's option), open that file and add the following directive:

Options All -Indexes

It is usually best to add this before any other directives.

If you are not yet using .htaccess you can either create your own with just that one directive in it, or rename the Mambo htaccess.txt and use that.

The directive turns off directory listing for the site root and for all directories under it. While this makes the Mambo index.html files redundant it does no harm to leave them sitting in your directories. If you manage your own server you can turn off directory listing through httpd.conf.

Bookmark This:
  • bodytext
  • Technorati
  • del.icio.us
  • Facebook
  • Google
  • StumbleUpon
  • Reddit

Posted on 18 06 2008 in Administrator Tips
Tagged as , , , , ,

You can post a comment or trackback from your blog.

Whether I am developing Mambo or working on tutorials I am fuelled by coffee. Caffeine keeps me going so if you like the work I am doing please click on the cup to buy me a coffee today. Just $10 covers the cost of getting my caramel macchiato ;)

If you enjoyed this article make sure you subscribe to my RSS feed!

One Response to “ Turn Off Directory Listing ”

Seth said on: June 19th, 2008 at 7:45 pm

To disable "directory browsing" in IIS…
1.) Click on "Start" -> "Programs" -> "Administrative Tools" -> "Internet Information Services".
2.) Navigate to your Default Web Site in the left pane, right-click on it, and choose "Properties".
3.) Click on the Home Directory tab.
4.) Look for the CheckBox named “Directory Browsing” - uncheck it.


Leave a Reply

This is a gravatar-friendly site, enter your email address to use your gravatar.

XHTML: You can use these tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

By submitting a comment here you grant this site a perpetual license to reproduce your words and name/web site in attribution.

Pages

Most Popular Tutorials

Useful Links

Recent Comments