How to Fix Directory Listing Enabled on Your Web Server

Directory listing is enabled on your web server, exposing file structures and sensitive files to anyone. Learn how to disable it.

Medium severity Infrastructure Security Updated 2026-03-01

The Problem

Directory listing allows anyone to browse the file structure of your web server by visiting a directory URL that has no index file. This reveals file names, directory structures, backup files, configuration files, and other sensitive content that attackers use for reconnaissance. Even if individual files are not sensitive, the directory structure reveals your application architecture and potential attack targets.

How to Fix

  1. Disable directory listing in Nginx

    In your Nginx server block, ensure autoindex is off (this is the default, but it may have been enabled):

    server {
        # ...
        autoindex off;

        location / {
            try_files $uri $uri/ /index.php?$query_string;
        }
    }

    If autoindex on; appears anywhere in your configuration, remove it or change it to off:

    sudo grep -r 'autoindex on' /etc/nginx/
    sudo nginx -t && sudo systemctl reload nginx

  2. Disable directory listing in Apache

    Remove the Indexes option from your Apache configuration. In .htaccess:

    Options -Indexes

    Or in your Apache virtual host configuration:

    <Directory /var/www/yourapp/public>
        Options -Indexes +FollowSymLinks
        AllowOverride All
    </Directory>

    Restart Apache:

    sudo apachectl configtest && sudo systemctl restart apache2

  3. Add index files to directories that need them

    For any directory that should be web-accessible but does not have an index file, add an empty index.html:

    touch public/uploads/index.html
    touch public/assets/index.html

    Or use a PHP redirect:

    <?php
    // public/uploads/index.php
    header('Location: /');
    exit;

    This prevents directory listing for that directory even if the server configuration is accidentally changed. Subdirectories without their own index file are not covered.

How to Verify

Test directory listing by visiting directories without index files:

curl https://yourdomain.com/css/
curl https://yourdomain.com/js/
curl https://yourdomain.com/storage/

You should NOT see an HTML page listing files and directories. You should get either your application page (Laravel catches it), a 403 Forbidden, or a 404 Not Found response.
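
The same check as a script you can run after each deployment. This is an added example, not part of the original guide: the function names are hypothetical, and it assumes the default Nginx and Apache autoindex pages, which both use the title and heading "Index of /path".

```shell
#!/bin/sh
# Added example: flag auto-generated directory indexes in HTTP responses.
# Assumption: default nginx autoindex / Apache mod_autoindex pages, which
# emit "<title>Index of /path</title>" and "<h1>Index of /path</h1>".

# looks_like_listing: read an HTML body on stdin, succeed if it carries
# the default autoindex title or heading.
looks_like_listing() {
    grep -Eiq '<(title|h1)>Index of /'
}

# classify STATUS BODY_FILE: print LISTING, OK or REVIEW.
classify() {
    status=$1
    body_file=$2
    case "$status" in
        403|404) echo OK; return ;;      # listing refused or path not served
    esac
    if [ "$status" = 200 ] && looks_like_listing < "$body_file"; then
        echo LISTING                     # server generated a file index
    elif [ "$status" = 200 ]; then
        echo OK                          # application page or index file
    else
        echo REVIEW                      # redirect, 5xx, timeout: check by hand
    fi
}

# check_url URL: fetch one directory URL, print the verdict, fail on LISTING.
check_url() {
    tmp=$(mktemp) || return 2
    status=$(curl -s -o "$tmp" -w '%{http_code}' --max-time 10 "$1")
    verdict=$(classify "$status" "$tmp")
    rm -f "$tmp"
    printf '%s %s %s\n' "$verdict" "$status" "$1"
    [ "$verdict" != LISTING ]
}

# Usage: sh check-listing.sh https://yourdomain.com/css/ https://yourdomain.com/js/
rc=0
for url in "$@"; do
    check_url "$url" || rc=1
done
# Exit non-zero when any URL returned a listing (useful in a deploy pipeline).
[ "$#" -eq 0 ] || exit "$rc"
```

A customised listing template will not match the default signature, so treat OK on a 200 response as "no default listing found" and spot-check directories that hold uploads or backups.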

Prevention

Ensure directory listing is disabled in your server configuration templates. Include Options -Indexes in your .htaccess by default. Test for directory listing as part of your deployment checklist. Use StackShield to monitor for directory listing being enabled after server configuration changes.

Frequently Asked Questions

Is directory listing dangerous even if there are no sensitive files?

Yes. Directory listing reveals your file structure, which helps attackers understand your technology stack, find backup files (*.bak, *.old), discover hidden endpoints, and identify files to target. This reconnaissance information significantly speeds up an attack. Always disable it.

How does Laravel handle directory listing?

Laravel routes all requests through public/index.php, so directory listing is only a concern for directories within the public folder that contain static files (css, js, images, uploads). If a request hits a directory that Nginx/Apache serves directly (not through PHP), directory listing settings apply.
