Last Updated on July 29, 2021 by Amit

This article explains how to prevent or block directory listing on Apache web server using an htaccess and server.config files.

What is directory listing or directory browsing

When you request an existent directory on Apache an index file is served but if your directory doesn’t have an index file then Apache shows a list of files and folders. This is called directory listing .
The listing looks something like the following screenshot on Linux

By default Apache server shows an index file if it exists in the requested directory but if it doesn’t then the listing of all files and folders is shown.

An index file is the file that has a name starting with index . For example index.html , index.php etc.
If your folder doesn’t have an index file and you want to prevent the listing of files/folders then there are multiple ways to achieve this using a few lines of code in htaccess and server configuration file.
If you don’t have access to the main configuration file then you can use your htaccess. The solutions I am going to provide here work on both contexts.

Prevent directory listing on Apache web server using htaccess

Solution #1

The solution #1 is really simple. If you want to show a 403 error when your directory URL is accessed , you can just put the following line in your htaccess :

Options -Indexes

This two words line does the magic. It tells Apache to show a 403 forbidden error to clients when they request an existent directory . There are also some other ways to handle your direct directory access. See the examples below in the next section.

Block directory listing and set a specific file as index

Solution #2

To prevent directory listing on your server by setting a custom index file, you can use DirectoryIndex directive. This is one of the simplest and the easiest way to hide your files and folders . This directive is part of Apache directory module a module that is especially designed for directories on Apache.
I prefer this solution because it’s very easy to implement and just a single line of code can do the magic.
This directive is available for use in htaccess and server configuration. Since the directory uses same syntax on both contexts , I will show you an htaccess example here.

The following is the line you can use or update your htaccess with :

DirectoryIndex file.php

One liner.. very simple!
The line above instructs your server to show contents of file.php when a browser requests /directory/ .

file.php can be any file of your choice that you want to set as directory index.

An invisible redirection of URLs from /directory/ to file.php is performed by DirectoryIndex . By invisible here I mean you won’t be able to see the URL change in your web browser so the requested URL path /directory/ will show you the contents from file.php .

If you want the URL path to change from /directory/ to /directory/file.php then you can use DirectoryIndex Redirect along with the DirectoryIndex . This directive tells web server to issue an external redirect to index file when a directory is requested.

DirectoryIndexRedirect On

Use it along with DirectoryIndex

DirectoryIndex file.php
DirectoryIndexRedirect on

Note :DirectoryIndexRedirect On issues a temporary redirect from /directory/ to /directory/file.php with a 302 status code which is the default redirect http status code . To make the redirection permanent you can any of the following formats :

With 301 redirect status :

DirectoryIndexRedirect 301

With permanent status :

DirectoryIndexRedirect Permanent

Prevent directory listing/browsing with htaccess

Solution #3

You can also disable directory browsing by using RewriteRule directive in your htaccess file.

Here is the rule you can use in your htaccess :

RewriteEngine on
RewriteRule ^$ /file.php [L]

This works same as the DirectoryIndex method I explained above. This rewrites /directory/ to /file.php .

The most important thing to note here is the pattern ^$ .
In regular expression the pattern ^$ is used to check an empty string and in RewriteRule we use this to match against the current directory or the directory the htaccess file is located in.

For example if your htaccess is located in root then the pattern ^$ is used to match / and the same pattern is used if your htaccess is located in subfolder and you want to match that folder.

See the examples below .

/.htaccess

DirectoryIndex demo.php
DirectoryIndexRedirect 301
RewriteEngine on

This serves the demo.php file when the root directory “/” is direct accessed.

/subfolder/.htaccess

DirectoryIndex demo.php
DirectoryIndexRedirect 301
RewriteEngine on

If the code above is placed in htaccess in subfolder , then a request for /subfolder/ will show you demo.php file instead of showing directory listing.

Block directory listing/browsing using RedirectMatch

Solution #4

It is also possible to show a 403 forbidden error when someone tries to access your directory.

This method is not SEO friendly so I won’t recommend you to use it but if you really want to block direct access to your directories then you can use this.
To prevent directory browsing and display a 403 error ,you can use one of the following methods in your htaccess :

Block direct access to folders using RedirectMatch : This shows a 403 forbidden error when your directory is requested :

RedirectMatch 403 ^/folder/?$

Just replace folder with the name of the folder you want to show a 403 error. For the root folder you can use ^/$ . This does not affect files and subfolders.

Block direct access to folders using RewriteRule : This shows a 403 forbidden error when your directory direct accessed :

RewriteEngine on
RewriteRule ^folder$ - [R=403,L]

For the root folder or the folder your htaccess is located in you can use this pattern ^$ .

I hope this article was helpful . Thank you much for reading it.

Related : Htaccess tutorial for beginners.