Preventing Directory Listings

It is a good idea, for security reasons, to prevent visitors to your site from seeing the files in any given directory. While this will not prevent users from accessing the files, it will keep them from knowing what files are there, which does help to some degree. It’s easy to implement such a feature using the .htaccess file.

By adding a single line to your .htaccess file, you can easily alter what you show to visitors of your web site. It’s a simple matter to disable the listing of the index at all, or to only show certain items in the directory listing.

However, your server needs to support the .htaccess file – so if your server does not (Microsoft IIS web servers do not), then this method will not work. There are alternatives to .htaccess for IIS, but this may not work correctly.

To add this line, open your .htaccess file in a text editor. If the file is not there, simply create a new text file with the name .htaccess. Keep in mind that .htaccess is the entire name. There is no “filename” – it is .htaccess, with .htaccess being the whole thing – just an extension, if you are familiar with that terminology. Using a period in the first character means the file is hidden.

Once the file is open, add this line to block all directory listings:

  Options -Indexes

You can also keep the index function turned on but keep particular files from showing up in the index by using a slightly different directive, again in your .htaccess file:

  IndexIgnore *.gif,*.jpg

This example would prevent files with the extension .gif or .jpg from showing up. Using an asterisk all by itself, with no extensions, will keep all files from being listed – effectively the same as the first option, but with a list there. The list is just empty.