deny directory listing with htaccess

Question

I have a folder, for example : /public_html/Davood/ and too many sub folder in folder, for example : /public_html/Davood/Test1/ , /public_html/Davood/Test1/Test/ , /public_html/Davood/Test2/ , ...

I want add a htaccess file into /public_html/Davood/ To deny DirectoryListing In /Davood And Sub Folders, It's Possible ?

I don't see why `Options All -Indexes` didn't work as in few answers! — Fr0zenFyr, Jun 02 '17 at 08:30
@Fr0zenFyr it's depend to webserver configuration, if `AllowOverride All`, works — DJafari, Jun 04 '17 at 12:27
`Options -Indexes` is the good solution. But there are multiple other solutions you can use with htaccess to deny directory listing .. see here https://helponnet.com/2021/07/29/apache-disable-directory-listing/ — Amit Verma, Aug 15 '21 at 03:41

score 160 · Accepted Answer · answered May 11 '11 at 23:26

160

Options -Indexes should work to prevent directory listings.

If you are using a .htaccess file make sure you have at least the "allowoverride options" setting in your main apache config file.

answered May 11 '11 at 23:26

PPC-Coder

3,522
2
21
30

1

this doesnt change anything – MinhajulAnwar Sep 20 '15 at 02:41

score 97 · Answer 2 · answered May 09 '11 at 05:15

97

Try adding this to the .htaccess file in that directory.

Options -Indexes

This has more information.

answered May 09 '11 at 05:15

Bryan Drewery

2,569
19
13

1

Yeah I thought -Indexes disabled directory listings, instead it blocks all content from the folder ... Does anyone know why? – Michael Fever Mar 05 '15 at 16:04
All I can think is there's some problem with server config. Try enabling `rewrite` module, and directory setting to `AllowOverride All`. If all that is already in place, and what you commented is true, I must be just too lucky to get `Options All -Indexes` to work in every project on different servers. – Fr0zenFyr Jun 02 '17 at 08:37
If there is just `Options -Indexes` it might be error 500 in some servers. There should have some condition (`if`) to prevent this. – vee Aug 19 '21 at 08:26

score 36 · Answer 3 · answered May 11 '11 at 23:57

If Options -Indexes does not work as Bryan Drewery suggested, you could write a recursive method to create blank index.php files.

Place this inside of your base folder you wish to protect, you can name it whatever (I would recommend index.php)

<?php

recurse(".");

function recurse($path){
    foreach(scandir($path) as $o){
        if($o != "." && $o != ".."){
            $full = $path . "/" . $o;
            if(is_dir($full)){
                if(!file_exists($full . "/index.php")){
                    file_put_contents($full . "/index.php", "");
                }
                recurse($full);
            }
        }
    }
}

?>

These blank index.php files can be easily deleted or overwritten, and they'll keep your directories from being listable.

Although an empty file is not that big of a deal, a better solution might be to use [symbolic links](http://php.net/manual/en/function.symlink.php), that way it saves a bit of space, and he would only need to modify 1 file if he chose to display some sort of uniform message instead of a blank page. — daalbert, May 17 '11 at 19:39

score 28 · Answer 4 · edited Oct 14 '17 at 09:50

28

For showing Forbidden error then include these lines in your .htaccess file:

Options -Indexes

If we want to index our files and showing them with some information, then use:

IndexOptions -FancyIndexing

If we want for some particular extension not to show, then:

IndexIgnore *.zip *.css

edited Oct 14 '17 at 09:50

FAjir

4,384
2
26
30

answered Nov 24 '13 at 06:32

Vivek

1,446
18
27

.htaccess in root directory. – Abhishek Mishra Sep 17 '21 at 07:33

score 22 · Answer 5 · answered Feb 14 '19 at 17:34

Options -Indexes perfectly works for me ,

here is .htaccess file :

<IfModule mod_rewrite.c>
    <IfModule mod_negotiation.c>
        Options -MultiViews -Indexes <---- This Works for Me :)
    </IfModule>


   ....etc stuff

</IfModule>

Before :

After :

score 15 · Answer 6 · answered Oct 18 '17 at 13:55

15

There are two ways :

using .htaccess : Options -Indexes
create blank index.html

answered Oct 18 '17 at 13:55

Cakka

322
2
7

score 6 · Answer 7 · answered Oct 02 '15 at 09:09

6

Options -Indexes

I have to try create .htaccess file that current directory that i want to disallow directory index listing. But, sorry i don't know about recursive in .htaccess code.

Try it.

answered Oct 02 '15 at 09:09

Jersey William

61
1
2

score 4 · Answer 8 · answered Feb 05 '17 at 19:36

4

Agree that

Options -Indexes

should work if the main server is configured to allow option overrides, but if not, this will hide all files from the listing (so every directory appears empty):

IndexIgnore *

answered Feb 05 '17 at 19:36

dashrb

952
4
10

Amit Verma · Answer 9 · 2017-02-08T09:56:17.473

Options -Indexes returns a 403 forbidden error for a protected directory. The same behaviour can be achived by using the following Redirect in htaccess :

RedirectMatch 403 ^/folder/?$

This will return a forbidden error for example.com/folder/ .

You can also use mod-rewrite to forbid a request for folder.

RewriteEngine on

RewriteRule ^folder/?$ - [F]

If your htaccess is in the folder that you are going to forbid , change RewriteRule's pattern from ^folder/?$ to ^$ .

deny directory listing with htaccess

9 Answers9

Linked

Related