
Directory Listing

Security Sensitive File Exposure

Reveals your file structure to attackers — shows what to target

What does this check test?

Directory listing occurs when a web server displays the contents of a directory when no index file (e.g., `index.html`) is present. Instead of returning a 403 or 404 error, the server generates an HTML page listing all files and subdirectories. This gives anyone a browsable view of your file structure, including files that were never intended to be directly accessed such as backup files, configuration templates, log files, or database dumps.

Why does it matter?

Directory listing turns a web server into an open file browser for attackers. It reveals the names and modification dates of all files, including backup files (`.bak`, `.old`, `.sql`), configuration files, log files, and temporary files that may contain sensitive data. Attackers do not need to guess file names — they can simply browse. Combined with other vulnerabilities, directory listing can expose source code, database exports, and deployment artifacts that would otherwise remain hidden.

Who is affected?

Any web application served by Apache, Nginx, or IIS where directory listing has not been explicitly disabled is potentially affected. Apache enables directory listing by default via the `Options +Indexes` directive. Development and staging servers are most commonly affected because security hardening is often deferred. Static file hosting services and S3 buckets with directory listing enabled are also frequent targets.

Where does this apply?

Test directories that are unlikely to have an index file: `/images/`, `/uploads/`, `/assets/`, `/backup/`, `/logs/`, `/tmp/`, and `/css/`. A response containing an HTML page with file listings, typically with a title like 'Index of /images', confirms directory listing is enabled. Use automated scanners to check all accessible directories.

How to fix it

Disable directory listing in your server configuration. For Nginx (it is off by default, but verify):

```nginx
autoindex off;  # This is the default, but set it explicitly
```

Apache

For a specific directory, disable indexes inside a `<Directory>` block:

```apache
<Directory /var/www/html>
    Options -Indexes
</Directory>
```

For the global Apache configuration, ensure `Options -Indexes` is set in your main config or in `.htaccess`:

```apache
Options -Indexes
```

For S3 buckets, disable public listing via bucket policy. Add default index files to directories that should return content, and ensure empty directories return 403 or 404. After disabling, verify by requesting a directory path without a trailing slash to test edge cases.
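The verification step above, and the "Where does this apply?" section earlier, both come down to requesting candidate directories and recognising a listing page. The following script is an added example (it is not part of this page or of the AppVet scanner) that requests each directory with and without a trailing slash and classifies the response using the Apache/nginx `Index of /` title and the IIS `[To Parent Directory]` marker. The `example.test` host, the paths and the `sample_fetch` responses are constructed for offline use; `http_fetch` is the live fetcher to point at a server you operate.

```python
import re
from urllib.error import HTTPError
from urllib.parse import urljoin
from urllib.request import Request, urlopen

# Markers that identify auto-generated listing pages of common servers.
LISTING_PATTERNS = [
    re.compile(r"<title>\s*Index of\s+/", re.I),   # Apache mod_autoindex and nginx autoindex
    re.compile(r"\[To Parent Directory\]", re.I),   # IIS directory browsing
]


def looks_like_listing(status: int, body: str) -> bool:
    """True only for a 200 response whose body carries a listing marker."""
    if status != 200:
        return False
    return any(p.search(body) for p in LISTING_PATTERNS)


def classify(status: int, body: str) -> str:
    """Reduce a response to a short verdict for the report."""
    if looks_like_listing(status, body):
        return "LISTING"
    if status in (403, 404):
        return f"blocked ({status})"          # the outcome the fix section expects
    return f"no listing ({status})"           # e.g. a real index page was served


def http_fetch(url: str, timeout: float = 5.0):
    """Live fetcher: returns (status, first 64 KiB of body). Redirects are followed,
    so /images (no slash) ends up at the same page as /images/ on most servers."""
    req = Request(url, headers={"User-Agent": "dir-listing-check"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except HTTPError as err:
        return err.code, ""


def check_directories(base_url: str, paths, fetch=http_fetch) -> dict:
    """Request every path with and without a trailing slash (the edge case the
    page tells you to verify) and return {variant: verdict}."""
    findings = {}
    for path in paths:
        for variant in (path, path.rstrip("/")):
            status, body = fetch(urljoin(base_url, variant))
            findings[variant] = classify(status, body)
    return findings


# Constructed sample responses standing in for a real server (assumption: these
# mimic the Apache, nginx and IIS listing formats; any URL not listed returns 404).
SAMPLE_RESPONSES = {
    "https://example.test/images/": (200, "<html><head><title>Index of /images</title></head>"
                                          "<body><h1>Index of /images</h1><a href='../'>Parent Directory</a>"
                                          "<a href='site.sql.bak'>site.sql.bak</a></body></html>"),
    "https://example.test/images":  (200, "<html><head><title>Index of /images</title></head><body></body></html>"),
    "https://example.test/uploads/": (403, "<html><body><h1>403 Forbidden</h1></body></html>"),
    "https://example.test/uploads":  (403, "<html><body><h1>403 Forbidden</h1></body></html>"),
    "https://example.test/assets/":  (200, "<html><head><title>Index of /assets/</title></head>"
                                           "<body><h1>Index of /assets/</h1><pre><a href=\"../\">../</a></pre></body></html>"),
    "https://example.test/logs/":    (200, "<html><head><title>example.test - /logs/</title></head>"
                                           "<body><pre>[To Parent Directory]</pre></body></html>"),
    "https://example.test/css/":     (200, "<html><head><title>My site</title></head><body>hello</body></html>"),
}


def sample_fetch(url: str):
    """Offline fetcher over the constructed responses."""
    return SAMPLE_RESPONSES.get(url, (404, ""))


if __name__ == "__main__":
    report = check_directories("https://example.test/",
                               ["/images/", "/uploads/", "/assets/", "/logs/", "/css/"],
                               fetch=sample_fetch)
    for variant, verdict in sorted(report.items()):
        print(f"{variant:12} {verdict}")
```

Run it as-is to see the offline report; against a server you operate, pass `fetch=http_fetch` (the default) and the directory paths listed under "Where does this apply?". A `LISTING` verdict on either variant of a path means the configuration change has not taken effect for that location.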

AppVet checks Directory Listing automatically
