# Disable Directory Listing in Apache & Nginx: Fix Options +Indexes Exposure

> Directory listing (Options +Indexes) lets anyone browse your file structure. Here is how to disable it in Apache .htaccess and Nginx, and verify the fix.

**Severity:** medium | **Category:** Infrastructure Security

---

## The Issue

Directory listing allows anyone to browse the file structure of your web server by visiting a directory URL that has no index file. This reveals file names, directory structures, backup files, configuration files, and other sensitive content that attackers use for reconnaissance. Even if individual files are not sensitive, the directory structure reveals your application architecture and potential attack targets.

## Steps to Fix

### 1. Disable directory listing in Nginx

In your Nginx server block, ensure autoindex is off (this is the default, but it may have been enabled):

```nginx
server {
    # ...
    autoindex off;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }
}
```

If autoindex on; appears anywhere in your configuration, remove it or change it to off:

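```bash
# Find every place autoindex is switched on (any amount of whitespace before "on")
sudo grep -rnE 'autoindex\s+on' /etc/nginx/
# Validate the configuration, then reload only if it parses cleanly
sudo nginx -t && sudo systemctl reload nginx
```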

### 2. Disable directory listing in Apache

Remove the Indexes option from your Apache configuration. In .htaccess:

```apache
Options -Indexes
```

Or in your Apache virtual host configuration:

```apache
<Directory /var/www/yourapp/public>
    Options -Indexes +FollowSymLinks
    AllowOverride All
</Directory>
```

Restart Apache:

```bash
# The service is named apache2 on Debian/Ubuntu; on RHEL-family systems it is httpd
sudo apachectl configtest && sudo systemctl restart apache2
```

### 3. Add index files to directories that need them

For any directory that should be web-accessible but does not have an index file, add an empty index.html:

```bash
touch public/uploads/index.html
touch public/assets/index.html
```

Or use a PHP redirect:

```php
<?php
// public/uploads/index.php
// Send visitors who request the bare directory back to the site root
header('Location: /');
exit;
```

This prevents directory listing even if the server configuration is accidentally changed.

## Verification

Test directory listing by visiting directories without index files:

```bash
# -i prints the response status line and headers along with the body
curl -i https://yourdomain.com/css/
curl -i https://yourdomain.com/js/
curl -i https://yourdomain.com/storage/
```

You should NOT see an HTML page listing files and directories. You should get either your application page (Laravel catches it), a 403 Forbidden, or a 404 Not Found response.
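The check above can be automated for a deployment pipeline. The script below is an added example, not part of the original page; its function names are hypothetical. It assumes the stock Apache mod_autoindex and Nginx autoindex pages, whose title begins with "Index of /", so a customised index template would need a different pattern.

```bash
#!/bin/sh
# Added example (not from the original page). Function names are hypothetical.
# Usage: sh check-listing.sh https://yourdomain.com/css/ https://yourdomain.com/js/
# Pass URLs with a trailing slash; redirects are not followed.

# Succeeds if the HTML on stdin looks like a stock auto-generated index.
# Assumption: default Apache mod_autoindex / Nginx autoindex templates,
# whose <title> begins with "Index of /".
looks_like_listing() {
    grep -qiE '<title>Index of /'
}

# classify STATUS < body : prints LISTING for a 200 response that carries
# an index page, OK otherwise (403, 404, or an application page).
classify() {
    if [ "$1" = 200 ] && looks_like_listing; then
        echo LISTING
    else
        echo OK
    fi
}

# Fetch one URL and report it; exit status is non-zero unless the verdict is OK.
check_url() (
    tmp=$(mktemp) || exit 2
    trap 'rm -f "$tmp"' EXIT
    status=$(curl -sS --max-time 10 -o "$tmp" -w '%{http_code}' "$1") || {
        echo "ERROR $1"; exit 2; }
    verdict=$(classify "$status" < "$tmp")
    echo "$verdict $status $1"
    [ "$verdict" = OK ]
)

# Check every URL given on the command line; fail the run if any is exposed.
if [ "$#" -gt 0 ]; then
    rc=0
    for url in "$@"; do
        check_url "$url" || rc=1
    done
    exit "$rc"
fi
```

A non-zero exit status means at least one URL returned a listing or could not be fetched, which is enough to fail a CI step.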

## Prevention

Ensure directory listing is disabled in your server configuration templates. Include Options -Indexes in your .htaccess by default. Test for directory listing as part of your deployment checklist. Use StackShield to monitor for directory listing being enabled after server configuration changes.

---

## Frequently Asked Questions

### Is directory listing dangerous even if there are no sensitive files?

Yes. Directory listing reveals your file structure, which helps attackers understand your technology stack, find backup files (*.bak, *.old), discover hidden endpoints, and identify files to target. This reconnaissance information significantly speeds up an attack. Always disable it.

### How does Laravel handle directory listing?

Laravel routes all requests through public/index.php, so directory listing is only a concern for directories within the public folder that contain static files (css, js, images, uploads). If a request hits a directory that Nginx/Apache serves directly (not through PHP), directory listing settings apply.

