Most web servers allow any user to browse the directories (folders) when no index file is available. This can lead to information leakage and help an attacker when trying to compromise your site.
In order to improve your security, you should disable this option. The NIST Guide for Securing Web Servers also recommends it.
Disabling directory browsing on Apache
To disable directory listing on Apache, add the following line to your .htaccess file:
Options -Indexes
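To check which directories under a document root would still be served as a listing, the Python sketch below walks the tree and applies the Options lines in each .htaccess file. It is an added example, not Sucuri's code. It assumes that the server configuration leaves Indexes enabled by default, that AllowOverride permits Options in .htaccess, and that the index file names are the ones listed; all function names are hypothetical.

```python
import os
import re
import tempfile

INDEX_NAMES = {"index.html", "index.htm", "index.php"}  # assumed DirectoryIndex names
OPTIONS_RE = re.compile(r"^[ \t]*Options[ \t]+(.+)$", re.IGNORECASE | re.MULTILINE)

def indexes_after(htaccess_text, inherited):
    """Apply the Options lines of one .htaccess to the inherited Indexes state."""
    state = inherited
    for match in OPTIONS_RE.finditer(htaccess_text):
        opts = [t.lower() for t in match.group(1).split()]
        if not any(t[0] in "+-" for t in opts):
            # Absolute form (e.g. "Options None") replaces inherited options.
            state = "indexes" in opts or "all" in opts
        elif "-indexes" in opts:
            state = False
        elif "+indexes" in opts:
            state = True
    return state

def listable_dirs(docroot, server_default=True):
    """Return directories (relative to docroot) that would be served as a listing."""
    exposed, state = [], {}
    for path, dirs, files in os.walk(os.path.normpath(docroot)):
        dirs.sort()  # deterministic walk order
        enabled = state.get(os.path.dirname(path), server_default)
        if ".htaccess" in files:
            with open(os.path.join(path, ".htaccess")) as fh:
                enabled = indexes_after(fh.read(), enabled)
        state[path] = enabled
        if enabled and not INDEX_NAMES & set(files):
            exposed.append(os.path.relpath(path, docroot))
    return exposed

def demo():
    """Build a constructed sample tree in a temp directory and audit it."""
    sample = {  # relative path -> file content (constructed sample data)
        "index.html": "<h1>home</h1>",
        "uploads/report.pdf": "x",
        "backup/.htaccess": "Options -Indexes\n",
        "backup/old/.htaccess": "Options +Indexes\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, content in sample.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as fh:
                fh.write(content)
        return listable_dirs(root)
```

In the constructed tree, uploads is exposed because nothing disables Indexes for it, and backup/old is exposed because its own .htaccess turns Indexes back on below a directory that disabled it.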
Sucuri customers
Note that all WAF users are already protected against directory browsing.
If you have any questions, please contact our research team at research@sucuri.net.