Tuesday, December 13, 2022

How to Prevent a Directory Listing of Your Website with .htaccess

Here is the article.

by Christopher Heng, thesitewizard.com

If you create a new directory (or folder) on your website, and do not put an "index.html" file in it, you may be surprised to find that your visitors can get a directory listing of all the files in that folder. For example, if you create a folder called "incoming", you can see everything in that directory simply by typing "http://www.example.com/incoming/" in your browser. No password or anything is needed.

This article shows you how you can configure your web server so that it does not show a directory listing by default.

Prerequisites

  • Your Website Must Be on an Apache Web Server

    For the method described in this article to work, your site should be hosted on an Apache web server. This probably constitutes the majority of websites on the Internet, so it is likely that you satisfy this requirement. In general, if your web server (the computer that your site is running on) is using Linux or FreeBSD, chances are that it's on an Apache server. If your server is using Windows, your website is probably not using Apache. All is not lost, though. You can still accomplish the same thing using a different method. Read How to Prevent a Directory Listing of Your Website Without Using .htaccess instead.

    (Note that I'm talking about the computer hosting your website, not your own personal computer. If you're not sure what type of server your site is on, ask your web host.)

  • Your Web Host Must Have Enabled .htaccess Server Overrides

    In addition to being hosted on an Apache web server, your web host needs to have enabled server overrides. This facility allows you to modify the web server configuration from your own website. In practice, this usually means that your website is hosted on a commercial web host rather than a free one. Free web hosts normally don't allow websites hosted on them to change the web server behaviour.

Both the above conditions must be true, or you won't be able to successfully do the things mentioned in this guide.

Is Protecting Your Directory Listing From View a Security Measure?

Protecting your directories from being listed by your website's visitors does not, in and of itself, make your website more secure. At best, it's security by obscurity. That is, you hope that by hiding stuff from view, nefarious visitors up to no good will not be able to easily list all your files with a single request. It doesn't stop them from directly accessing those files by name.

However, while you should of course implement other measures for securing your site, it's still good practice not to allow your directories to be listed by default. That way, at least, you don't make it too easy for others to survey your site for vulnerabilities. This is especially so if you have third-party scripts on your site (such as, for example, you run a blog).

It's important to realise this, so that you don't rely on this method alone for security.

Steps to Preventing a Directory Listing

  1. Get Your Existing .htaccess File, If Any

    Connect to your website using an FTP or SFTP program. Go to the top web directory of your site, where you place your home page, and look for a file called ".htaccess". If it exists, download it to your computer.

    If it does not exist, make sure that it is not hidden from your view. This has to be done from within your FTP program itself. Depending on which program you use, you may need to look for a setting that says something like "show hidden files". In one program, namely FileZilla, you may have to enable the "Force showing hidden files" line in the Server menu, although in my experience, the program shows it by default.

    Another way to do this is to log into your site from your web host's control panel. Most, if not all, commercial web hosts provide a way for you to view your web directories from your web browser, as well as upload and download files from them. If your web host has an option to "show hidden files" or some such thing, make sure you enable it. From your host's web interface, you should be able to locate and download your existing .htaccess file.

    Don't worry if, after all your efforts, you can't find any .htaccess file in the main web directory. It's quite normal for a website not to have one. You'll just have to create a blank one later. However, if one exists, it's important that you get it, so that we can add to the settings in the file instead of overwriting them.

  2. Make a Backup of the .htaccess File

    If you managed to find and download the .htaccess file from your site, save a backup copy on your own computer. That is, make sure you have 2 copies of the .htaccess file on your computer, the one you are about to modify, and a pristine copy of the original. The backup is useful in case you accidentally make an error later.

  3. Create or Open the .htaccess File

    If you've managed to get the .htaccess file, open it in a plain text editor (e.g. an ASCII text editor) such as Notepad (for Windows users), and scroll to put your text cursor at the end of the file, on a blank line. If one does not exist, use the editor to create a new blank document. The rest of this article will assume that you have already started the editor with the .htaccess file open, or with a blank document if no .htaccess file previously existed.

    WARNING: do not use a word processor like Word, Office, or WordPad to create or edit your .htaccess file. You should also not use a WYSIWYG (What-You-See-Is-What-You-Get) web editor for this purpose. If you do either of these things, your site will mysteriously fail to work when you upload the file to your web server. This is very important. There are no exceptions.

  4. Disable Indexing

    Add the following line to your .htaccess file.

    Options -Indexes

    Make sure you hit the ENTER key (or RETURN key if you use a Mac) after entering the "Options -Indexes" words so that the file ends with a blank line.

  5. Saving and Uploading the File

    Once you're done with disabling the directory listing in the .htaccess file, save the file. If your file is a new one, and you're using Notepad, make sure you save it as ".htaccess", quotes and all. If you don't add the quotes, Notepad will add a .txt extension to your filename without telling you. Also, make sure the filename itself is exactly .htaccess, that is, the name starts with a full stop ("period" if you use US English), and is entirely in small letters (lowercase). No other name is acceptable.

    Then upload the file to your web server using an FTP/SFTP program (or with your web host's control panel). If you did not use an FTP program in the earlier step (for example, you used your web host's control panel instead), and don't know how to do so, check out my tutorial on How to Upload a File to Your Website Using the FileZilla FTP Client.

  6. Test Your Site

    Whenever you modify your .htaccess file, you should always check that your website still works after uploading it. I'm not kidding here. The .htaccess file controls everything the server does with your site. A slight error can render your entire website unusable. So when I say test your website, you should test not only that a directory without "index.html" can no longer be listed, but also check your main page and a few other pages to make sure that they still load.

    If anything goes wrong, delete the .htaccess file on your website and your site should work again. For those who had an existing .htaccess on the site before, upload the backup copy to the site.
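    The following POSIX shell helper is an added example and is not part of the original article. It performs steps 2 to 5 above non-interactively on a local copy of the file: it keeps a pristine backup of an existing .htaccess, makes sure the existing content ends with a newline so the new directive is not glued onto the previous line, and appends "Options -Indexes" only if no Options line already disables indexing, so that running it twice is harmless. The directory paths and file contents in the demo are constructed; the function names and the use of mktemp -d are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the article): apply "Options -Indexes" to a .htaccess
# file safely. Assumes a POSIX sh with grep -E and mktemp -d (Linux/macOS).

DIRECTIVE="Options -Indexes"

# has_noindex FILE -> exit 0 if FILE already has an Options line carrying the
# -Indexes token (e.g. "Options -Indexes" or "Options +FollowSymLinks -Indexes"),
# exit 1 otherwise (including when FILE does not exist).
has_noindex() {
    [ -f "$1" ] && grep -Eq \
        '^[[:space:]]*Options([[:space:]]+[-+]?[[:alpha:]]+)*[[:space:]]+-Indexes([[:space:]]+[-+]?[[:alpha:]]+)*[[:space:]]*$' \
        "$1"
}

# disable_indexes DIR -> create or update DIR/.htaccess.
# Prints "present" if indexing was already disabled, "added" otherwise.
disable_indexes() {
    dir=$1
    file="$dir/.htaccess"
    if has_noindex "$file"; then
        echo "present"
        return 0
    fi
    if [ -f "$file" ]; then
        # Step 2: keep an untouched copy of the original beside the file.
        cp "$file" "$file.bak"
        # Step 4's point about the trailing newline: if the last byte is not a
        # newline, add one so the directive lands on its own line.
        if [ -n "$(tail -c 1 "$file")" ]; then
            printf '\n' >> "$file"
        fi
    fi
    # Step 4: append the directive, terminated by a newline.
    printf '%s\n' "$DIRECTIVE" >> "$file"
    echo "added"
}

# Demo on a constructed temporary directory; safe to run anywhere.
demo() {
    tmp=$(mktemp -d)
    # Constructed existing .htaccess that lacks a trailing newline.
    printf 'RewriteEngine On' > "$tmp/.htaccess"
    disable_indexes "$tmp"      # first run: added
    disable_indexes "$tmp"      # second run: present (idempotent)
    echo "--- resulting $tmp/.htaccess ---"
    cat "$tmp/.htaccess"
    rm -rf "$tmp"
}
demo
```

    Upload the resulting file as described in step 5 and then carry out step 6: with indexing disabled, Apache answers a request for an index-less directory with a 403 Forbidden response instead of a listing. If instead every page in that directory tree starts returning a 500 Internal Server Error, the host has not granted the server override for Options (Apache's AllowOverride setting), which is the second prerequisite above; restore the backup copy until the host enables it.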

Conclusion

If all goes well, you should get a "Forbidden" error when you try to access a directory that doesn't have an index file.
