Disable Apache Web Directory Listing Using .htaccess File


When you run a website using Apache web server, it may be possible for a user to access a directory listing of the files in a particular directory. This directory listing can be useful for some purposes, such as when sharing files with a small group of trusted individuals, but in most cases, it's not desirable to have these files accessible to the public.

In this article, we will discuss how to disable Apache web directory listing using the .htaccess file. This method is a quick and easy way to prevent directory listing for a particular directory or set of directories on your website. We will also explain how to create and edit the .htaccess file, which is used to control various aspects of Apache's behavior.

Prerequisites

Before we get started, you will need the following −

  • A web server running Apache

  • Access to the server's .htaccess file

  • Basic knowledge of how to edit files using a text editor

How to Create and Modify .htaccess File

To disable directory listing using .htaccess file, you need to create a new .htaccess file or modify an existing one. The .htaccess file is a hidden file, and it's usually located in the root directory of your website.

To create a new .htaccess file, follow these steps −

  • Open any text editor, such as Notepad, Sublime Text, or Visual Studio Code.

  • Add the following code to the text editor −

# Disable directory listing
Options -Indexes

  • Save the file as .htaccess. Note that the file name must start with a dot and not have any other file extension.

Once you've created the .htaccess file, you can upload it to your website's root directory using an FTP client or file manager. If you already have an existing .htaccess file, you can modify it by adding the Options -Indexes directive to the file.

To modify an existing .htaccess file, follow these steps −

  • Open the existing .htaccess file using a text editor or FTP client.

  • Add the following code to the file −

# Disable directory listing
Options -Indexes

  • Save the file and upload it to your website's root directory.

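Note that any changes made to the .htaccess file take effect immediately, so there's no need to restart the Apache server. Apache only honors the Options directive in a .htaccess file if the AllowOverride setting in the server configuration permits it for that directory (for example, AllowOverride Options or AllowOverride All).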

In addition to disabling directory listing, you can also use the .htaccess file to perform other useful tasks, such as setting custom error pages, redirecting URLs, and restricting access to certain directories. However, it's important to note that improper use of the .htaccess file can also cause issues with your website. Therefore, it's recommended to make a backup of the existing .htaccess file before making any modifications.

Now that your .htaccess file is ready, let's walk through how to use it to disable Apache directory listing.

Step 1: Open the .htaccess file

The first step is to locate the .htaccess file for the directory you want to disable directory listing for. This file is typically located in the root directory of your website.

Once you've located the file, open it in a text editor of your choice. If you don't have an .htaccess file yet, you can create one by simply creating a new text file and saving it as .htaccess.

Step 2: Add the appropriate configuration

Next, we need to add the appropriate configuration to the .htaccess file to disable directory listing. There are two ways to do this −

Option 1: Use the Options directive

The Options directive allows us to specify various options for a directory, including the ability to disable directory listing. To disable directory listing using the Options directive, add the following line to your .htaccess file −

Options -Indexes

This tells Apache to turn off directory indexing for the current directory and all subdirectories.

Option 2: Use the IndexIgnore directive

The IndexIgnore directive allows us to specify a list of files and directories that should not be included in directory listings. To hide every entry using the IndexIgnore directive, add the following line to your .htaccess file −

IndexIgnore *

This tells Apache to ignore all files and directories when generating directory listings. Apache still serves the listing page itself, only with no entries in it, so the request succeeds rather than returning 403, and each file stays reachable by its direct URL.

Step 3: Save and upload the .htaccess file

Once you've added the appropriate configuration to your .htaccess file, save the file and upload it to your server. Make sure to upload it to the correct directory – typically the root directory of your website.

Step 4: Test your configuration

To test your configuration, simply navigate to a directory on your website that previously displayed a directory listing. If you used Options -Indexes and everything is configured correctly, you should now see a "403 Forbidden" error instead of a directory listing.
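The Step 4 check can be scripted. The following is an added example, not part of the original article: it classifies the response to a directory URL as forbidden (the result of Options -Indexes), a listing with entries, or an empty listing (the result of IndexIgnore *). The sample responses are constructed, and the function and variable names are illustrative.

```python
import re

# mod_autoindex titles its generated page "Index of <url-path>".
AUTOINDEX_TITLE = re.compile(r"<title>\s*Index of\s+/[^<]*</title>", re.I)
HREF = re.compile(r'<a\s+href="([^"]*)"', re.I)

def classify(status, body):
    """Classify the response to a directory URL that has no index file."""
    if status == 403:
        return "forbidden"            # what Options -Indexes produces
    if status == 200 and AUTOINDEX_TITLE.search(body):
        # Column-sort links start with "?" and the parent link is an absolute
        # path; only relative hrefs are files or subdirectories being listed.
        entries = [h for h in HREF.findall(body) if h and h[0] not in "?/"]
        return "listing" if entries else "empty-listing"
    return "other"                    # e.g. a real index page or a redirect

# Constructed sample responses (not captured from a real server).
SAMPLES = {
    "/backup/": (200, '<html><head><title>Index of /backup</title></head><body>'
                      '<h1>Index of /backup</h1><a href="?C=N;O=D">Name</a>'
                      '<a href="/">Parent Directory</a>'
                      '<a href="db.sql">db.sql</a><a href="old/">old/</a>'
                      '</body></html>'),
    "/hidden/": (200, '<html><head><title>Index of /hidden</title></head><body>'
                      '<h1>Index of /hidden</h1></body></html>'),
    "/uploads/": (403, '<html><head><title>403 Forbidden</title></head></html>'),
    "/": (200, '<html><head><title>Welcome</title></head></html>'),
}

def check_all(samples=SAMPLES):
    """Return {url: classification} for every sample response."""
    return {url: classify(status, body) for url, (status, body) in samples.items()}

if __name__ == "__main__":
    for url, verdict in check_all().items():
        print(f"{url}: {verdict}")
```

Any directory that reports "listing" still exposes its file names and needs the Options -Indexes line.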

How to Disable Directory Listing for All Subdirectories

By default, Apache allows directory listing for all subdirectories of the web root. However, you can disable directory listing for all subdirectories by adding the following line to your .htaccess file −

Options -Indexes

This line disables directory listing for the current directory as well as all subdirectories. If you only want to disable directory listing for certain subdirectories, you can create a separate .htaccess file in each subdirectory and add the Options -Indexes line to those files.
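To see how the setting carries down a tree with several .htaccess files, the following added example (not part of the original article) walks a document root and reports which directories still have listing enabled. It is a simplified model: it reads only Options lines in .htaccess files, takes the state inherited from the server configuration as the `inherited` parameter (an assumption), and does not account for AllowOverride. The directory names are constructed sample data.

```python
import tempfile
from pathlib import Path

def apply_options(lines, inherited):
    """Return the Indexes state after the Options lines of one .htaccess file."""
    state = inherited
    for raw in lines:
        words = raw.split()
        # A line that starts with '#' is a comment to its end, so a directive
        # written after the comment text on the same line is never applied.
        if not words or words[0].lower() != "options":
            continue
        args = [w.lower() for w in words[1:]]
        if all(a[0] in "+-" for a in args):
            for a in args:  # +/- form: merged into the inherited options
                if a[1:] == "indexes":
                    state = a[0] == "+"
        else:  # bare form: replaces the inherited options outright
            state = "indexes" in args or "all" in args
    return state

def audit(docroot, inherited=True):
    """Map each directory under docroot to True where listing stays enabled."""
    docroot, result = Path(docroot), {}
    def walk(path, state):
        htaccess = path / ".htaccess"
        if htaccess.is_file():
            state = apply_options(htaccess.read_text().splitlines(), state)
        result[path.relative_to(docroot).as_posix()] = state
        for child in sorted(p for p in path.iterdir() if p.is_dir() and not p.is_symlink()):
            walk(child, state)
    walk(docroot, inherited)
    return result

def demo():
    """Audit a constructed tree (sample data, not from the article)."""
    sample = {"uploads": "# Disable directory listing\nOptions -Indexes\n",
              "uploads/2023/share": "Options +Indexes\n",
              "broken": "# Disable directory listing Options -Indexes\n"}
    with tempfile.TemporaryDirectory() as root:
        for rel, text in sample.items():
            target = Path(root, rel)
            target.mkdir(parents=True)
            (target / ".htaccess").write_text(text)
        return audit(root)

if __name__ == "__main__":
    for path, enabled in demo().items():
        print(f"{path}: {'listing ON' if enabled else 'listing off'}")
```

In the sample tree, `uploads/2023` inherits the setting from `uploads`, `uploads/2023/share` turns listing back on, and `broken` stays exposed because its directive sits on the same line as the comment.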

How to Customize the 403 Error Page

When you disable directory listing, users who try to access a directory that doesn't have an index file will receive a 403 Forbidden error. By default, Apache displays a generic 403 error page, but you can customize this page to provide more information to users.

To customize the 403 error page, add the following line to your .htaccess file −

ErrorDocument 403 /custom-error-page.html

This will tell Apache to use the custom-error-page.html file as the error page for 403 errors. The value is a URL path relative to the document root, so the line above expects the file in the web root; if you create it in a subdirectory instead, include that subdirectory in the path. You can customize the file with your own HTML and CSS.

How to Disable Directory Listing in the Apache Config File

If you have access to the Apache configuration file, you can also disable directory listing by adding the following line to the <Directory> section for your web root −

Options -Indexes

This will disable directory listing for the entire web root, including all subdirectories. If you only want to disable directory listing for certain subdirectories, you can add separate <Directory> sections for those directories and add the Options -Indexes line to those sections.

Conclusion

Disabling directory listing is an important security measure for any website, as it prevents attackers from easily browsing a directory to find and download sensitive files. It does not restrict access to a file whose URL is already known, so sensitive files still need their own access controls. By adding a simple line to your .htaccess file, you can easily disable directory listing for your entire website or just certain directories. And by customizing the 403 error page, you can provide a more informative message to users who try to access directories that don't have an index file.

Updated on: 26-Jun-2023
