Spread the word

Thursday, August 28, 2008

How to prevent directory browsing on your Website or Blog

Directory browsing means users can browse the directories of your website or blog. They can see you directory structure can browse that. It means all your directories are open to them and they get a clear idea about your website structure and different folders. This can be a security risk for your site. Suppose users can visit your images directory, your css or js directory on their browser. For wordpress users can see the wp-content directory, the themes, plugins directory. This is not good for your security.



So, its necessary that you should not allow your users to browse directories also, other than web-pages. You can prevent it through a very simple process. Just place an empty file on every directory, where you want to prevent browsing. Name that file as index.html or index.php. And you are done! Now just browse your directories and you will find that your browser is showing you a blank page. It will not show you up your directory contents anymore.

Now you may be thinking that how this is possible in so easy way. So here is the explanation. For any directory it is conventional for Web Servers that they first search for any file named as "index" and show it to the user. If the web server is not able to find any files named as index, then it open the directory in front of the user. So if you are placing an empty file named as index, the web server will show that in the browser, whenever any user will visit that directory. That's saves you from everything. It is that much easy and simple.

2 comments:

Push. said...

thanks a lot i got too worried about a thought about thuis..

Fiji Web Design said...

You can also configure your web server to not allow directory listing.

In Apache, you would edit httpd.conf and add:

Options -Indexes

to the directory you want to limit.

eg:

<Directory />
Options -Indexes
</Directory>

This will stop all directories above the root directory from being auto indexed.

The module responsible for this is mod_autoindex.
Docs: http://httpd.apache.org/docs/2.2/mod/mod_autoindex.html

Post a Comment