How to Disable Directory Listing: A Practical Guide for Web Servers in 2026

Written by: Abigail Ivy
Published on:

What Directory Listing Is and Why It Matters

Directory listing happens when a web server shows the contents of a folder instead of serving a default page.

If an index file is missing, visitors can see filenames, folder structures, and sometimes downloadable assets, which can expose unnecessary information.

Knowing how to disable directory listing is a basic server hardening step for Apache, Nginx, Microsoft IIS, and many control-panel-based hosting environments.

It helps reduce information leakage, improves professionalism, and limits the chance that sensitive paths or old files are discovered by automated scanners.

How Directory Listing Works

Most web servers look for a default index file such as index.html, index.php, or default.aspx.

When no index file exists and directory browsing is enabled, the server may generate an HTML page that lists files in that folder.

This behavior is useful in limited cases, such as internal file repositories or public downloads, but it is usually undesirable on production websites.

Search engines, security tools, and curious users can all browse the exposed directory tree if it is left open.

Why You Should Disable Directory Listing

  • Reduces information disclosure: File names often reveal frameworks, backup copies, logs, or configuration patterns.
  • Limits reconnaissance: Attackers use directory listings to map applications and identify weak points.
  • Protects accidental uploads: Misplaced archives, database dumps, and test files are easier to find when browsing is enabled.
  • Improves user experience: Visitors should see a proper page, not a raw file index.
  • Supports compliance and security policies: Many hardening baselines recommend turning off directory browsing by default.

How to Disable Directory Listing on Apache

On Apache HTTP Server, directory listing is typically controlled by the Options directive.

The most common approach is to disable Indexes at the directory or virtual host level.

Options -Indexes

You can add this in an .htaccess file if your hosting provider allows overrides, or place it in the relevant <Directory> block in the Apache configuration file.

<Directory /var/www/html>
    Options -Indexes
</Directory>

If you want to keep other options enabled while only removing directory browsing, use -Indexes rather than replacing the full Options line.

After saving changes, reload or restart Apache so the configuration takes effect.

If directory listing still appears, verify that .htaccess processing is enabled with AllowOverride, and confirm that no conflicting directory-level rule is re-enabling indexes in a parent path.

How to Disable Directory Listing on Nginx

Nginx controls directory browsing through the autoindex directive.

By default, it is usually off, but administrators sometimes enable it for download directories or testing environments.

location /downloads/ {
    autoindex off;
}

To disable directory listing globally for a server block, set autoindex off in the relevant server or location context.

If a site is already exposing listings, also check for inherited configuration from included files or nested locations.

To ensure users reach a landing page instead of a raw directory, configure an index file and confirm the index directive includes the correct default document:

index index.html index.htm index.php;

How to Disable Directory Listing on Microsoft IIS

On Internet Information Services, directory browsing is managed through the IIS Manager or web.config.

In the GUI, open the site or application, select Directory Browsing, and choose Disable.

If you prefer configuration files, use a web.config entry like this:

<configuration>
  <system.webServer>
    <directoryBrowse enabled="false" />
  </system.webServer>
</configuration>

IIS also depends on default documents.

Under Default Document, make sure the correct start page is listed, such as default.htm or index.html, so requests do not fall back to folder browsing.

How to Disable Directory Listing on Shared Hosting

Many shared hosting platforms use Apache or LiteSpeed and provide access through cPanel, Plesk, or a file manager.

In these environments, you may not have full server access, but you can often disable directory listing with a small configuration file.

In cPanel, look for Indexes or Directory Privacy.

If your host supports .htaccess, add Options -Indexes to the root of the affected directory.

For Plesk, the setting may appear under hosting settings or Apache & nginx configuration.

When the control panel does not expose the setting directly, check your host’s documentation.

Some providers also let support apply the change at the server level if your site folder is still showing file indexes.

Best Practices After You Disable It

  • Add default index files: Make sure every public directory has an expected landing page.
  • Audit uploads folders: User-upload directories should not reveal internal structure or temporary files.
  • Remove backups and archives: Files such as .zip, .sql, and old deployment packages should not remain in public web roots.
  • Review permissions: Directory browsing is only one layer; file permissions and ownership matter too.
  • Test after deployment: Open key directories in a browser and confirm the server returns a normal page or a 403/404 response.

How to Test Whether Directory Listing Is Still Enabled?

After changing configuration, visit a folder URL that does not contain an index file, such as a test subdirectory.

If the server shows a file list, directory browsing is still active.

If it returns a forbidden or not found response, or serves a default page, the setting is working.

You can also use command-line tools like curl to inspect the response headers and verify that the server is no longer presenting an auto-generated index page.

Security scanners and vulnerability assessment tools often flag directory listing automatically, so re-running your checks is a good validation step.

Common Mistakes When Disabling Directory Listing

  • Editing the wrong directory: Configuration in a parent folder may override the setting you changed.
  • Forgetting inherited rules: Apache and Nginx can inherit behavior from included configuration files.
  • Leaving a public test folder exposed: A disabled index does not secure sensitive content if files remain accessible directly.
  • Assuming HTTPS solves it: TLS protects transport, not folder visibility.
  • Not deploying index files: Even with browsing disabled, missing default documents can still create poor user experience or errors.

When Directory Listing Can Be Appropriate

There are a few legitimate cases for enabling directory listing, such as public file repositories, software mirrors, or temporary staging areas used by internal teams.

Even then, access should be restricted, monitored, and limited to the directories that truly need it.

For most production websites, however, the safer default is to disable directory listing everywhere and selectively enable it only where a business case exists.

That approach aligns with the principle of least privilege and reduces avoidable exposure across the web server stack.