What is Directory Listing?

Directory listing, also known as folder listing or directory index, is a feature provided by web servers to display the contents of a directory (folder) on a website when an index file (such as index.html or index.php) is not present. When a web server receives a request for a directory without a specified resource (e.g., a specific HTML file), it can generate a directory listing page that shows the files and subdirectories contained within that directory.

What does a Directory Listing include?

A directory listing typically includes the following information:

  1. List of Files: It displays the names of files and subdirectories within the requested directory.
  2. File Sizes: The sizes of files in the directory are often shown, indicating how much space each file occupies.
  3. Modification Dates: The date and time when each file was last modified is commonly listed.
  4. Links: Hyperlinks to files and subdirectories, allowing users to navigate through the directory structure.
  5. Parent Directory Link: A link to the parent directory, enabling users to move up one level in the directory structure.

Why can Directory Listing be dangerous?

Enabling directory listing on a web server can be dangerous for several reasons:

  1. Exposure of Sensitive Information: Directory listing can reveal the structure of a website and the names of files and directories within it. This can expose sensitive information and potentially confidential data to anyone who accesses the directory listing. For example, it might reveal configuration files, databases, or other resources that should remain hidden.
  2. Security Risks: When an attacker can see the file structure of a website, it becomes easier for them to identify potential vulnerabilities or targets for exploitation. This can lead to security breaches, unauthorized access, and data theft.
  3. Information Gathering for Attackers: Directory listing makes it easier for malicious actors to conduct reconnaissance on a website, gaining insights into the technology stack, the organization’s file structure, and potential attack vectors. This information can be leveraged in various types of cyberattacks.
  4. Reduced Privacy: Website visitors may inadvertently access directories containing personal or sensitive information, violating privacy and potentially leading to legal and compliance issues.
  5. Poor User Experience: From a user experience perspective, directory listings can be confusing and overwhelming for visitors who expect to see a well-structured website. It can make navigation more difficult and lead to a suboptimal user experience.

To mitigate these risks, it is generally recommended to disable directory listing on a web server and use an index file (such as index.html) to provide a controlled and user-friendly interface for website visitors. This allows administrators to maintain better control over what is exposed to the public and helps protect the security and privacy of both the website and its users. Additionally, web server configurations and security practices should be in place to ensure that directory listing remains disabled to prevent accidental exposure.

Instructions for disabling Directory Listing

Disabling directory listing on Tomcat

In the latest versions of Tomcat, directory listing is already disabled. However, if you discover that directory listing is enabled, here is how to disable it:

To disable directory listing in Tomcat, edit the conf/web.xml file in the directory where Tomcat is installed and change the value of the listings parameter from true to false.

<servlet>
     <servlet-name>default</servlet-name>
     <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
     <init-param>
          <param-name>debug</param-name>
          <param-value>0</param-value>
     </init-param>
     <init-param>
          <param-name>listings</param-name>
          <param-value>false</param-value>
     </init-param>
     <load-on-startup>1</load-on-startup>
</servlet>

Find the <init-param> element whose <param-name> is listings. Its <param-value> is the determining setting in this section: if it is true and you want to disable directory listing, change it to false.

Disabling directory listing for a specific web project on Tomcat

Open the web.xml for the relevant web project and add the following code:

<servlet>
    <servlet-name>DefaultServletOverride</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
        <param-name>debug</param-name>
        <param-value>0</param-value>
    </init-param>
    <init-param>
        <param-name>listings</param-name>
        <param-value>false</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
    <servlet-name>DefaultServletOverride</servlet-name>
    <url-pattern>/</url-pattern>
</servlet-mapping>

Disabling directory listing on Nginx

Nginx, a web server, uses a module called ngx_http_index_module to control directory listings. By default, Nginx doesn’t show directory listings. But if it’s turned on accidentally due to a mistake or changes in settings, you can turn it off. You do this by using a setting called "autoindex" along with the "location" part of the Nginx configuration.

The default configuration file of a Nginx server is called nginx.conf and can be found in /usr/local/nginx/conf, /etc/nginx or /usr/local/etc/nginx. If the default value has been changed, you can see a setting similar to the following:

server {
        listen   80;
        server_name  domain.com www.domain.com;
        access_log  /var/...........................;
        root   /path/to/root;
        location / {
                index  index.php index.html index.htm;
        }
        location /somedir {
                autoindex on;
        }
}

In this part, we use the "autoindex on;" parameter, as we discussed earlier. In the example above, we’ve set up directory listing specifically for the "somedir" directory. If you want this rule to apply to all folders, you can do so by not specifying a directory (e.g., "location / {autoindex on;}").

To turn off directory listing, change the "autoindex" value to "off". And remember to restart the Nginx service for the changes to take effect by running the following command:

service nginx restart

This will make sure that the new settings are applied.
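
A configuration can contain many server and location blocks, so it helps to locate every place where "autoindex on;" is set before changing it. The following Python scanner is an added example, not part of the original article or of Nginx; the sample configuration is constructed, and the scanner assumes "#" does not appear inside quoted strings.

```python
import re

# Constructed sample input modelled on the server block shown above.
SAMPLE_CONF = """
server {
    listen 80;
    root /path/to/root;
    # autoindex on;   (commented out, must be ignored)
    location / {
        index index.php index.html index.htm;
    }
    location /somedir {
        autoindex on;
    }
    location /files {
        autoindex off;
    }
}
"""

# Quoted strings, the structural characters { } ;, or a bare word.
TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};]+')

def find_autoindex_on(conf_text):
    """Return the enclosing block path of every 'autoindex on;' directive."""
    text = re.sub(r"#[^\n]*", "", conf_text)  # drop comments
    stack, words, hits = [], [], []
    for tok in TOKEN.findall(text):
        if tok == "{":            # words collected so far name the block
            stack.append(" ".join(words))
            words = []
        elif tok == "}":
            if stack:
                stack.pop()
            words = []
        elif tok == ";":          # end of a simple directive
            if len(words) == 2 and words[0] == "autoindex" and words[1].lower() == "on":
                hits.append(" > ".join(stack) or "main")
            words = []
        else:
            words.append(tok)
    return hits

if __name__ == "__main__":
    for where in find_autoindex_on(SAMPLE_CONF):
        print("autoindex on in:", where)
```

A hit reported at the http or server level matters most, because nested location blocks inherit the setting unless they override it.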


Disabling directory listing on LiteSpeed

As with other web servers, such as Apache and Nginx, you can disable directory listing in LiteSpeed at both the server level and the virtual host (website) level.

Disable on Server Level:

Server Configuration -> Scroll Down to Index Files section -> Set ‘Auto Index’ to No

Disable on VHost Levels:

Virtual Host -> Choose Host -> General -> Scroll Down to Index Files section -> Set ‘Auto Index’ to No

Now perform a Graceful Restart for the change to take effect.


Disabling directory listing on Lighttpd

By default, a Lighttpd web server doesn’t show directory listings. But if it’s turned on by mistake or changes in settings, you can turn it off. You do this by editing the "dirlisting.conf" file. You can find this configuration file for the "mod_dirlisting" module at "/etc/lighttpd/conf.d/dirlisting.conf."

To disable directory listing on the server, you must replace the related line with the following:

dir-listing.activate = "disable"

If you want to enable directory listing for a particular directory, you must make the following changes in the configuration file specifically for that directory:

$HTTP["url"] =~ "^/download($|/)" {  dir-listing.activate = "enable"  }

Disabling directory listing on IIS

Directory listing is usually turned off by default on an IIS web server. However, if it gets accidentally turned on due to a mistake or changes in settings, you can easily turn it off. If you’re using IIS 7 or a newer version, you can do this by going to the Directory Browsing settings in the IIS manager console.

Or else you can execute the following command in the command line:

appcmd set config /section:directoryBrowse /enabled:false

Disabling directory listing on Apache

To disable directory listing on an Apache web server, you typically create a .htaccess file in the directory where you want to disable directory listings. You can add the following line to the .htaccess file, or you can add it to the Apache server configuration file (httpd.conf) or a virtual host configuration. This line prevents directory listings:

Options -Indexes

This configuration tells Apache not to generate directory listings when a user accesses a directory without specifying a specific file (e.g., "http://example.com/my-directory/"). Instead, it will return a "403 Forbidden" error.

Please note that modifying the httpd.conf file or the Apache server configuration requires administrative access to the server, while using .htaccess files can often be done at the directory level by website owners or administrators.



Disabling directory listing is crucial for security, privacy, and a better user experience. It prevents the exposure of sensitive information, enhances privacy, and reduces the risk of security breaches. It’s a standard security practice recommended for web servers.