Sucuri Docs > Warnings > Hardening > Disable Directory Listing

Disable Directory Listing

Most web servers allow any user to browse the directories (folders) when no index file is available. This can lead to information leakage and help an attacker when trying to compromise your site.

In order to improve your security, you should disable this option. The NIST Guide for Securing Web Servers also recommends it.

Disabling directory browsing on Apache

To disable directory listing on Apache, add the following line to your .htaccess file:

Options -Indexes

Sucuri customers

Note that all WAF users are already protected against it.

If you have any questions, please contact our research team at research@sucuri.net.

Was this article helpful?