Prevent sub-directory listing in PHP using Apache2 server


If you have a website built using PHP and hosted on an Apache2 server, you should perform one quick security check to know if your subdirectories are getting listed or not.

For example, if you have a website URL such as

www.website.com/folder1/folder2/file.html

then you can try accessing a sub-URL such as

www.website.com/folder1/

If the browser displays the list of files present in that folder, then it’s an issue.

Although visitors cannot read your PHP code, since it is rendered on the server side, exposing the sub-directory listing of your website may sometimes open the door to security vulnerabilities. Hence, it is important to prevent this kind of sub-directory listing on your website.

This can be done by following these steps:

  • Go to the base folder of your PHP website.
  • Create a file titled “.htaccess”
  • Add the line “Options -Indexes” to the file.
  • Save and push the changes to the server.
  • Now go to your Apache settings. On Linux they can be found at the location “/etc/apache2”.
  • Go to your configuration file and add the below code snippet inside the path where your website is listed.
  • Now, you can restart the Apache2 server for the configuration to take effect. You can use the command “sudo service apache2 restart”.
  • Now you can go back to the browser and try to access the sub-directory listing. You should get a 403 access denied page.
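
The browser check in the last step can also be scripted. The following is an added example, not part of the original article: it classifies a response as an Apache directory listing, a 403 block, or something else. The function names and the sample HTML are constructed for illustration.

```shell
#!/bin/sh
# classify_response STATUS BODY_FILE -> prints: listing | blocked | other
classify_response() {
    code=$1
    body_file=$2
    # Apache's auto-generated listing pages carry an "Index of /path" title.
    if [ "$code" = "200" ] && grep -qi '<title>Index of /' "$body_file"; then
        echo "listing"
    elif [ "$code" = "403" ]; then
        echo "blocked"
    else
        # e.g. the folder has its own index file, or the URL does not exist
        echo "other"
    fi
}

# check_url URL: fetch a directory URL of your own site and classify it (needs curl).
check_url() {
    tmp=$(mktemp) || return 1
    http_code=$(curl -s -o "$tmp" -w '%{http_code}' "$1")
    classify_response "$http_code" "$tmp"
    rm -f "$tmp"
}

# Constructed sample bodies, so the classifier can be exercised offline.
sample_listing() {
    printf '%s\n' '<html><head><title>Index of /folder1</title></head>' \
        '<body><h1>Index of /folder1</h1><a href="folder2/">folder2/</a></body></html>'
}
sample_forbidden() {
    printf '%s\n' '<html><head><title>403 Forbidden</title></head>' \
        '<body><h1>Forbidden</h1></body></html>'
}

demo() {
    d=$(mktemp -d) || return 1
    sample_listing > "$d/listing.html"
    sample_forbidden > "$d/forbidden.html"
    echo "before the change: $(classify_response 200 "$d/listing.html")"
    echo "after the change:  $(classify_response 403 "$d/forbidden.html")"
    rm -rf "$d"
}

# With arguments, check each URL; without, run the offline demo.
if [ $# -gt 0 ]; then
    for url in "$@"; do printf '%s %s\n' "$(check_url "$url")" "$url"; done
else
    demo
fi
```

Run it with one or more folder URLs of your own site as arguments; any line that starts with “listing” is a folder that is still being listed.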

Let me know if it was helpful, do spread the word by sharing this article…
