---
title: Disable Directory Browsing
impact: MEDIUM
impactDescription: prevents file enumeration and exposure of sensitive file structures
tags: directory, listing, file-exposure, security, php
---

## Disable Directory Browsing

Directory browsing (or directory listing) allows users to see all files inside a folder if no index file (like `index.php` or `index.html`) is present. This can expose sensitive files, source code backups, or temporary files to attackers.

**Incorrect (directory listing enabled):**

```apache
# Apache default behaviour: "Indexes" is often left in the Options line,
# so a request to /uploads/ with no index file returns a listing of every file
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
</Directory>
```

**Correct (directory listing disabled):**

```apache
# 1. Apache (.htaccess in the web root)
# Only honoured when the server config grants AllowOverride Options (or All);
# otherwise put "Options -Indexes" in the <Directory> block of the vhost itself.
Options -Indexes
```

```nginx
# 2. Nginx
# autoindex is off by default; set it explicitly so an inherited "autoindex on"
# from a parent block cannot re-enable listing for this location.
location / {
    autoindex off;
}
```

```php
# 3. Application level (common PHP trick)
# Place an empty index.php in sensitive folders like /uploads or /storage
<?php // Silence is golden
```

**Best Practices for PHP Applications:**
- **Public Directory**: Only the `public` folder of your application should be accessible via the web server. All other code (`app`, `vendor`, `.env`) should be outside the web root.
- **Index File**: Ensure every publicly accessible directory has an `index.php` or `index.html` file, so listing stays disabled even if the server configuration is lost or overridden.
- **.htaccess**: Include `Options -Indexes` in your root `.htaccess` file if using Apache.
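The "Index File" practice above is easy to state and easy to forget for a directory created later (a new upload folder, a cache directory). The following script is an added example, not part of the original rule page: it walks a web root, reports every directory that has neither `index.php` nor `index.html`, and can drop the empty "silence is golden" file into each one. The sample directory tree it builds under a temporary folder is constructed for the demonstration; the index file names and the `build_sample_tree` helper are assumptions, not something the page specifies.

```python
"""Audit a PHP app's public web root for directories that would be listable
if the server-level directory-listing protection fails.

Added example, not code from the original rule page. Assumes the index file
names below and the constructed sample tree built by build_sample_tree()."""
import os
import tempfile

INDEX_FILES = ("index.php", "index.html")   # assumed: files that suppress a listing
SILENCE = "<?php // Silence is golden\n"    # the empty index file from the page


def find_unindexed_dirs(web_root):
    """Return web-root-relative paths (sorted, '/'-separated) of directories
    that contain none of INDEX_FILES. The web root itself is reported as '.'."""
    missing = []
    for dirpath, dirnames, filenames in os.walk(web_root):
        dirnames.sort()  # deterministic traversal order
        if not any(name in filenames for name in INDEX_FILES):
            rel = os.path.relpath(dirpath, web_root)
            missing.append("." if rel == "." else rel.replace(os.sep, "/"))
    return missing


def add_index_files(web_root):
    """Write an empty index.php into every unindexed directory.
    Returns the list of directories that received one."""
    created = []
    for rel in find_unindexed_dirs(web_root):
        target = os.path.join(web_root, rel, "index.php")
        with open(target, "w", encoding="utf-8") as fh:
            fh.write(SILENCE)
        created.append(rel)
    return created


def build_sample_tree():
    """Constructed sample web root (assumption, for demonstration only):
    only the root and storage/cache already carry an index file."""
    root = tempfile.mkdtemp(prefix="webroot-")
    layout = {
        "index.php": "<?php echo 'home';\n",
        "uploads/avatar.png": "",
        "uploads/2024/report.pdf": "",
        "storage/cache/index.html": "",
        "assets/css/style.css": "",
    }
    for rel, content in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    print("listable without server protection:", find_unindexed_dirs(root))
    print("index.php added to:", add_index_files(root))
    print("remaining:", find_unindexed_dirs(root))
```

Run it against the real `public` directory instead of the sample tree to get a list you can act on; the audit function alone is safe to wire into CI, while `add_index_files` changes the tree and belongs in a deliberate hardening step.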

**Tools:** Web Server Configuration (Nginx/Apache), OWASP ZAP (to detect enabled directory listing), Manual Browser Testing
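Scanners such as OWASP ZAP flag directory listing by recognising the listing page itself. The script below is an added example, not from the original page, showing the same check in a form you can run over saved response bodies (from a crawl, a proxy export, or a synthetic-monitoring job): it identifies the "Index of" page that both Apache's `mod_autoindex` and nginx's `autoindex` generate and extracts the entries that were exposed. The two listing bodies and the `example.test` URLs are constructed samples shaped like each server's default output, not captures from a real host.

```python
"""Classify an HTTP response body as a directory listing and pull out the
exposed entries, so a scan or log-replay job can flag listable folders.

Added example, not from the original rule page. The response bodies are
constructed samples modelled on Apache mod_autoindex and nginx autoindex
output; the URLs are placeholders."""
import re

# Both Apache mod_autoindex and nginx autoindex title the page "Index of <path>".
TITLE_RE = re.compile(r"<title>\s*Index of\s+(/[^<]*?)\s*</title>", re.I)
# Plain href values; the "?C=N;O=D" sort links of Apache's fancy indexing are
# excluded because a value starting with "?" cannot match.
HREF_RE = re.compile(r'<a\s+href="([^"?#]+)"', re.I)


def detect_directory_listing(body):
    """Return {"path": ..., "entries": [...]} for a listing page, else None."""
    match = TITLE_RE.search(body)
    if not match:
        return None
    entries = []
    for href in HREF_RE.findall(body):
        # Skip parent links: nginx emits "../", Apache emits an absolute path.
        if href.startswith("/") or href in ("../", ".."):
            continue
        entries.append(href)
    return {"path": match.group(1), "entries": entries}


def scan_responses(responses):
    """responses: iterable of (url, body). Returns [(url, path, entries)]
    for every body that looks like a directory listing."""
    findings = []
    for url, body in responses:
        hit = detect_directory_listing(body)
        if hit:
            findings.append((url, hit["path"], hit["entries"]))
    return findings


# Constructed sample bodies (assumption: shaped like the servers' default output).
APACHE_LISTING = """<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
 <head>
  <title>Index of /uploads</title>
 </head>
 <body>
<h1>Index of /uploads</h1>
<ul><li><a href="/"> Parent Directory</a></li>
<li><a href="backup.sql"> backup.sql</a></li>
<li><a href="config.php.bak"> config.php.bak</a></li>
</ul>
</body></html>
"""

NGINX_LISTING = """<html>
<head><title>Index of /static/</title></head>
<body>
<h1>Index of /static/</h1><hr><pre><a href="../">../</a>
<a href="2024/">2024/</a>                       12-Mar-2024 10:21       -
<a href="avatar.png">avatar.png</a>             12-Mar-2024 10:21   20481
</pre><hr></body>
</html>
"""

NORMAL_PAGE = ("<html><head><title>Uploads</title></head>"
               "<body><p>Nothing to see here.</p></body></html>")

SAMPLE_RESPONSES = [  # constructed placeholder URLs
    ("https://example.test/uploads/", APACHE_LISTING),
    ("https://example.test/static/", NGINX_LISTING),
    ("https://example.test/", NORMAL_PAGE),
]

if __name__ == "__main__":
    for url, path, entries in scan_responses(SAMPLE_RESPONSES):
        print(f"listing enabled at {url} (Index of {path}): {', '.join(entries)}")
```

A page that legitimately titles itself "Index of ..." would be reported as well, so treat a hit as a finding to confirm in the browser rather than as proof; the point is that the check only needs the response body, which is what makes it cheap to run continuously against your own hosts.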
