5

I see that quite often other people's web-site directories have empty html index files (1 file per dir). AFAIK - that's been done to prevent website users from seeing directory content - right?

I usually disable indexing in httpd.conf differently:

<Directory />
   Order Deny,Allow
   Deny from all
   Options None
   AllowOverride None
</Directory>

What would be the reason to create index.html in every web faced directory instead of simply restricting indexing in apache config file?

Stann
  • 523
  • 2
  • 7
  • 16

3 Answers3

12

  1. Httpd config is not always done by the same people as those who write the code / package the web site data. Putting empty index.html is one way to make sure the index is not displayed even if the config is incorrect.

  2. Additionally, it avoids displaying a "forbidden" error message should a user reach the index page, either through manually editing the URL or a broken link. This can be avoided, but it requires some config works, and that's a problem because ... see point 1.

niXar
  • 2,043
  • 17
  • 23
  • 2
    This is good defensive programming. It gives a clean result without exposing the content through auto-indexing. Many more benefits, with little downside other than not logging forbidden accesses. – BillThor Apr 01 '11 at 23:55
2

I think there is no good reason for this. And i don't know people who do this.

Where do you see this? If you disable the indexing its the same and enough.

Edit: There is one reason. When the indexing is enabled and you have no access to the server config to change it.

René Höhle
  • 1,438
  • 3
  • 17
  • 26
  • 1
    +1 - I'd say it is done primarily because of lack of access to the server config (or even .htaccess) over anything else. – Ben Pilbrow Apr 01 '11 at 17:42
2

Maybe because it works everywhere ? Apache, Lighttpd, Nginx, Glassfish, Tomcat, etc.

Kedare
  • 1,786
  • 4
  • 20
  • 37