---
title: Disable Directory Browsing
impact: MEDIUM
impactDescription: prevents unauthorized file enumeration and system reconnaissance
tags: directory, listing, file-exposure, security, kotlin
---

## Disable Directory Browsing

Directory listing (auto-indexing) allows users to see all files in a directory if an index file is missing. This can expose sensitive configuration files, source code backups, or private user data.

**Incorrect (directory listing enabled):**

```kotlin
// Ktor: Configuring static files without disabling auto-index (if plugin allows it)
```

```nginx
# NGINX configuration (if serving static files for your app)
location /static/ {
    autoindex on; # INSECURE: Shows list of files
}
```

**Correct (directory listing disabled):**

```kotlin
// Ktor: Static content doesn't list directories by default
routing {
    static("/static") {
        resources("static")
        // No auto-indexing here
    }
}

// Spring Boot (Disabled by default in embedded Tomcat)
// Ensure no custom configuration enables directory listing.
```

```nginx
# NGINX (Secure configuration)
location /static/ {
    autoindex off;
    try_files $uri $uri/ =404;
}

# Use an index file to prevent listing
# Create an empty index.html in every static directory.
```

**Why it matters:**
Exposing a directory structure tells an attacker which files exist, which libraries you use (if `node_modules` or `jar` files are visible), and might reveal "hidden" files like `.env.bak` or `.git/`.

**Tools:** Web server configuration (NGINX/Apache), OWASP ZAP, Nikto, Manual Review
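
**Config audit (added example, not part of the original rule):** `autoindex` is inherited from enclosing NGINX blocks, so searching only `location` blocks for `autoindex on` can miss a listing enabled at `http` or `server` level. The Python sketch below resolves the effective value per `location`; the function names and the sample config are constructed for illustration, and the parser is deliberately simplified as noted in its comments.

```python
import re

# Constructed sample config for this example (not from a real deployment).
SAMPLE_CONF = """
http {
    autoindex on;  # inherited by every block below that does not override it
    server {
        location /static/ { autoindex off; try_files $uri $uri/ =404; }
        location /backup/ { }  # no directive here: inherits "on" from http
        location /downloads/ { autoindex on; }
    }
}
"""

TOKEN = re.compile(r"[{};]|[^\s{};]+")

def effective_autoindex(conf_text):
    """Map each location block to its effective autoindex value."""
    # Simplified parser: no quoted strings, no braces in regex locations,
    # no following of include files; same-named locations overwrite each other.
    text = re.sub(r"#[^\n]*", "", conf_text)
    root = {"name": "main", "parent": None, "value": None}
    current, locations, words = root, [], []
    for tok in TOKEN.findall(text):
        if tok == "{":
            current = {"name": " ".join(words), "parent": current, "value": None}
            if current["name"].startswith("location"):
                locations.append(current)
            words = []
        elif tok == ";":
            if len(words) == 2 and words[0] == "autoindex":
                current["value"] = words[1]
            words = []
        elif tok == "}":
            current = current["parent"] or root
            words = []
        else:
            words.append(tok)
    results = {}
    for loc in locations:
        node = loc  # walk outwards to the nearest explicit setting
        while node is not None and node["value"] is None:
            node = node["parent"]
        results[loc["name"]] = node["value"] if node else "off"  # nginx default
    return results

def exposed_locations(conf_text):
    """Location blocks where a directory without an index file would be listed."""
    return sorted(p for p, v in effective_autoindex(conf_text).items() if v == "on")
```

To audit a running server, pass in the output of `nginx -T`, which prints the full configuration with included files expanded.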
