
Offensive360
Beginner · 10 min

Directory Listing Enabled

Understand how web server auto-index exposes file structures to attackers and how to disable it.

1 Web Server Auto-Index Exposure

When a web server receives a request for a directory URL and finds no default index file there (index.html, index.php), it may generate an auto-index page that lists the directory contents, exposing backup files, configuration files, source code, and sensitive data to anyone who can reach the URL.

What directory listing reveals:

  • Backup files: config.php.bak, database.sql
  • Source code not meant to be public
  • Configuration files: .env, web.config
  • Log files with system information
  • User-uploaded files that should be access-controlled

How to detect:

GET /uploads/ HTTP/1.1
# If directory listing is enabled, the server answers 200 OK with an HTML page
# titled "Index of /uploads/" that links every entry in the directory:
Index of /uploads/
  user-passport-scan.pdf
  salary-report-2023.xlsx
  internal-project-specs.docx
# With listing disabled and no index file present, Nginx and Apache answer 403 Forbidden instead.

Automated scanners and web crawlers request common directory names (/uploads/, /backup/, /admin/ and so on) with a trailing slash specifically to trigger a listing, then follow every link it exposes. This is a common finding in penetration tests.
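The detection step above, as an added example that is not code from the Offensive360 page: it probes candidate directories, classifies each response (listing, real index, 403, 404) and pulls the exposed entry names out of a listing page. It assumes the target emits the stock Nginx or Apache mod_autoindex HTML, both of which put "Index of /path" in the page title; the fetch function is injectable, so the script runs offline against constructed sample bodies and can be pointed at a real host you are authorised to test by swapping in `http_fetch`. Host name and paths are placeholders.

```python
"""Probe directory URLs and report which ones expose an auto-index listing.

Added example for this lesson; not code from the Offensive360 page.
Assumptions: stock Nginx / Apache mod_autoindex HTML ("Index of /path" in
<title>); the fetch function is injectable for offline use.
"""
import re
import urllib.error
import urllib.request
from html.parser import HTMLParser

# Both Nginx autoindex and Apache mod_autoindex title the page "Index of /<dir>"
LISTING_TITLE = re.compile(r"<title>\s*Index of\s+/", re.IGNORECASE)


class _ListingParser(HTMLParser):
    """Collect the relative hrefs of a listing page, i.e. the exposed entries."""

    def __init__(self):
        super().__init__()
        self.entries = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        href = dict(attrs).get("href") or ""
        # Skip the parent link ("../" in Nginx, "/" in Apache) and Apache's
        # column-sort links ("?C=N;O=D"); real entries are bare relative names.
        if not href or href == "../" or href.startswith(("/", "?")):
            return
        self.entries.append(href)


def classify(status, body):
    """Map a response to: listing, index, forbidden, missing or other."""
    if status == 200 and LISTING_TITLE.search(body):
        return "listing"      # auto-index is on: the finding
    if status == 200:
        return "index"        # a real index page was served
    if status == 403:
        return "forbidden"    # no index file and autoindex off: the intended state
    if status == 404:
        return "missing"
    return "other"


def listed_entries(body):
    """Return the file and directory names exposed by a listing page."""
    parser = _ListingParser()
    parser.feed(body)
    return parser.entries


def http_fetch(url, timeout=5):
    """Default fetcher: (status, body) via the standard library."""
    req = urllib.request.Request(url, headers={"User-Agent": "dirlist-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def check_directories(base_url, paths, fetch=http_fetch):
    """Return {path: (verdict, entries)} for each candidate directory."""
    results = {}
    for path in paths:
        if not path.endswith("/"):
            path += "/"       # the trailing slash is what triggers auto-index
        status, body = fetch(base_url.rstrip("/") + path)
        verdict = classify(status, body)
        entries = listed_entries(body) if verdict == "listing" else []
        results[path] = (verdict, entries)
    return results


# Constructed sample bodies in the stock Nginx and Apache formats (not captured from a real host).
NGINX_SAMPLE = """<html>
<head><title>Index of /uploads/</title></head>
<body><h1>Index of /uploads/</h1><hr><pre><a href="../">../</a>
<a href="salary-report-2023.xlsx">salary-report-2023.xlsx</a>   12-Jan-2023 10:11   48213
<a href="user-passport-scan.pdf">user-passport-scan.pdf</a>     03-Feb-2023 09:02  812331
</pre><hr></body></html>"""

APACHE_SAMPLE = """<html><head><title>Index of /backup</title></head>
<body><h1>Index of /backup</h1>
<table><tr><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th></tr>
<tr><td><a href="/">Parent Directory</a></td><td>&nbsp;</td></tr>
<tr><td><a href="config.php.bak">config.php.bak</a></td><td>2023-01-12 10:11</td></tr>
<tr><td><a href="database.sql">database.sql</a></td><td>2023-01-12 10:12</td></tr>
</table></body></html>"""


def fake_fetch(url):
    """Offline stand-in for http_fetch, keyed on the requested path."""
    if url.endswith("/uploads/"):
        return 200, NGINX_SAMPLE
    if url.endswith("/backup/"):
        return 200, APACHE_SAMPLE
    if url.endswith("/private/"):
        return 403, "<html><head><title>403 Forbidden</title></head></html>"
    return 404, "<html><head><title>404 Not Found</title></head></html>"


if __name__ == "__main__":
    # Swap fake_fetch for http_fetch to probe a host you are authorised to test.
    report = check_directories("http://target.example", ["/uploads", "/backup", "/private", "/nope"], fake_fetch)
    for path, (verdict, entries) in report.items():
        print(f"{path:12} {verdict:10} {' '.join(entries)}")
```

A 403 on a directory URL is the result you want after hardening; a 200 whose body carries the "Index of" title is the finding, and the extracted entries are what an attacker would download next.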

2 Disable autoindex in Nginx and Apache

Directory listing must be explicitly disabled in the web server configuration. Nginx ships with autoindex off, but the stock httpd.conf in common Linux distributions enables Indexes on the document root, and a stray location block or .htaccess can re-enable listing on either server.

Nginx — disable autoindex:

server {
  listen 80;
  root /var/www/html;  # example document root

  # Server-wide default: never generate listings
  autoindex off;

  location / {
    # $uri/ serves the index file of an existing directory. If the directory
    # has no index file, autoindex off makes Nginx answer 403, not a listing.
    # =404 is reached only when neither a file nor a directory matches.
    try_files $uri $uri/ =404;
  }

  # Never add this:
  # location /uploads/ { autoindex on; }  # ← Dangerous!
}
# Verify the syntax and apply: nginx -t && nginx -s reload

Apache — disable autoindex:

# In httpd.conf (or in .htaccess, which only works if the server config grants
# AllowOverride Options for that directory)
Options -Indexes  # Remove Indexes from the inherited Options list; other options are kept

# Or for specific directories:
<Directory "/var/www/html/uploads">
  Options -Indexes
</Directory>
# Verify the syntax and apply: apachectl -t && apachectl graceful

Defense checklist:

  • Set autoindex off globally in Nginx and check that no location block turns it back on
  • Use Options -Indexes in Apache, including in any .htaccess that the server honours
  • Ensure every publicly accessible directory has an index file or returns 403
  • Store sensitive uploads outside the web root directory so the web server can neither serve nor list them
  • Serve user-uploaded files through application logic that checks the caller's authorisation for each file
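The last two checklist items, as an added example that is not code from the Offensive360 page: uploads live in a directory the web server never touches, the application keeps its own ownership record, and a download is served only after the caller's ownership is checked and the path is confirmed to resolve inside the upload root (so `..` and absolute paths cannot escape it). `UPLOAD_ROOT`, the `OWNERSHIP` table, the user names and file names are all hypothetical and constructed for the demo; a temporary directory stands in for a real path such as /srv/app/uploads.

```python
"""Serve user uploads from outside the web root through application logic.

Added example for this lesson; not code from the Offensive360 page.
Assumptions (hypothetical): uploads live under UPLOAD_ROOT, a directory the
web server never serves; ownership is an application-side record keyed by
(owner, filename); the caller has already authenticated `user`.
"""
import os
import tempfile
from pathlib import Path

# Demo stand-in for a real location such as /srv/app/uploads (outside /var/www).
UPLOAD_ROOT = Path(tempfile.mkdtemp(prefix="uploads-"))

# Constructed ownership records: which user may fetch which file.
OWNERSHIP = {("alice", "passport-scan.pdf"), ("bob", "salary-report-2023.xlsx")}


class AccessDenied(Exception):
    pass


def safe_path(filename):
    """Resolve filename strictly inside UPLOAD_ROOT; None for traversal or absolute paths."""
    if not filename or "\x00" in filename or os.path.isabs(filename):
        return None
    resolved = (UPLOAD_ROOT / filename).resolve()
    if UPLOAD_ROOT.resolve() not in resolved.parents:
        return None           # "..", symlink escapes and "." all land here
    return resolved


def list_uploads(user):
    """What the application shows instead of a directory index: the caller's own files."""
    return sorted(name for owner, name in OWNERSHIP if owner == user)


def serve_upload(user, filename):
    """Return the bytes of filename only if user owns it; other entries stay invisible."""
    if (user, filename) not in OWNERSHIP:
        raise AccessDenied(f"{user} may not read {filename}")
    path = safe_path(filename)
    if path is None:
        raise AccessDenied("path escapes the upload root")
    if not path.is_file():
        raise FileNotFoundError(filename)
    return path.read_bytes()


def access_result(user, filename):
    """Label the outcome of serve_upload: served, denied or missing."""
    try:
        serve_upload(user, filename)
        return "served"
    except AccessDenied:
        return "denied"
    except FileNotFoundError:
        return "missing"


def seed_demo_files():
    """Create the constructed sample files so the example runs offline."""
    for _, name in OWNERSHIP:
        (UPLOAD_ROOT / name).write_bytes(b"sample content of " + name.encode())
    # On disk but owned by nobody: a web-server index would expose it, the app never does.
    (UPLOAD_ROOT / "unowned.txt").write_bytes(b"orphan")


seed_demo_files()

if __name__ == "__main__":
    for user, name in [("alice", "passport-scan.pdf"), ("bob", "passport-scan.pdf"),
                       ("alice", "../../etc/passwd"), ("alice", "unowned.txt")]:
        print(f"{user:6} {name:22} -> {access_result(user, name)}")
    print("alice sees:", list_uploads("alice"))
```

The ownership check runs before the path is even resolved, so an unknown name is refused without touching the filesystem; the path check is kept as a second layer so that a bug in the ownership table can never turn into a read outside the upload root.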

Knowledge Check

Q1

When does a web server display a directory listing?

Q2

What is the risk of directory listing on an /uploads/ directory?

Q3

What is the safest way to handle user-uploaded file storage?

Code Exercise

Disable Nginx Autoindex

The Nginx config has autoindex enabled on the uploads directory. Disable it and ensure that a request for the directory URL returns 403 rather than a file list.
