How to Enable or Disable Directory Listing in Apache?

Managing directory listing in Apache is a fundamental security configuration that determines whether visitors can see the contents of a folder when no index file (like index.html or index.php) is present. Leaving directory browsing enabled can expose sensitive files to the public, while disabling it protects your server’s directory structure. This guide provides a straightforward walkthrough on how to control this setting using either the main Apache configuration file or a local .htaccess file, ensuring your web server remains secure and functions exactly as intended.

Understanding the Options Directive

Apache controls directory indexing with the Options directive, specifically through the Indexes token: -Indexes disables directory listing and +Indexes enables it.


Method 1: Editing the Global Apache Configuration

Modifying the main configuration file is the recommended approach if you have root access to the server, as it applies changes globally or across specific virtual hosts efficiently.

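  1. Open the configuration file: Depending on your operating system, open the primary Apache configuration file using a text editor like nano.
  2. Locate the Directory block: Find the <Directory> block that corresponds to your website’s root path (usually /var/www/html or /var/www/).
  3. Modify the Indexes token: To disable directory listing, use -Indexes:

       <Directory /var/www/html>
           Options -Indexes +FollowSymLinks
           AllowOverride All
           Require all granted
       </Directory>

     To enable directory listing, use +Indexes:

       <Directory /var/www/html>
           Options +Indexes +FollowSymLinks
           AllowOverride All
           Require all granted
       </Directory>

     Either every token on an Options line carries a + or - sign, or none does. Apache rejects a line that mixes the two forms (such as Options -Indexes FollowSymLinks) when it checks the configuration at startup, which is why FollowSymLinks is written as +FollowSymLinks here.
  4. Restart Apache: Save the file and restart the Apache service to apply the changes.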
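
The following is an added example, not part of the original guide: a Python audit that reads <Directory> blocks and reports where Indexes is in effect, applying Apache's rules for signed (+/-) and bare Options tokens, including inheritance from a parent directory. It assumes literal <Directory> paths only (no wildcards, <DirectoryMatch>, .htaccess files or virtual-host scoping); apply_options, audit and SAMPLE are names chosen for this example.

```python
import re

# "All" expands to every option except MultiViews.
ALL = {"indexes", "includes", "followsymlinks", "symlinksifownermatch", "execcgi"}
DEFAULT = {"followsymlinks"}  # Apache 2.4 default when no Options directive applies

def apply_options(args, inherited):
    """Apply one Options directive to the inherited option set."""
    signed = [a for a in args if a[0] in "+-"]
    if signed and len(signed) != len(args):  # Apache rejects this form at startup
        raise ValueError("mixed +/- and bare tokens: Options " + " ".join(args))
    result = set(inherited) if signed else set()  # bare tokens replace, signed merge
    for a in args:
        name = a.lstrip("+-").lower()
        tokens = ALL if name == "all" else set() if name == "none" else {name}
        result = result - tokens if a[0] == "-" else result | tokens
    return result

def audit(config_text):
    """Return {directory: bool}, True where Indexes (directory listing) is in effect."""
    blocks, current = {}, None
    for line in map(str.strip, config_text.splitlines()):
        m = re.match(r'<Directory\s+"?([^">]+?)"?\s*>$', line, re.I)
        if m:
            current = m.group(1).rstrip("/") or "/"
            blocks.setdefault(current, [])
        elif line.lower().startswith("</directory>"):
            current = None
        elif current is not None and re.match(r"options\s", line, re.I):
            blocks[current].append(line.split()[1:])
    effective = {}
    for path in sorted(blocks, key=len):  # parents are processed before children
        parents = [p for p in effective if path.startswith(p.rstrip("/") + "/")]
        opts = effective[max(parents, key=len)] if parents else DEFAULT
        for args in blocks[path]:
            opts = apply_options(args, opts)
        effective[path] = opts
    return {path: "indexes" in opts for path, opts in effective.items()}

# Constructed sample configuration, not taken from a real server.
SAMPLE = """
<Directory /var/www/html>
    Options -Indexes +FollowSymLinks
</Directory>
<Directory /var/www/html/downloads>
    Options +Indexes
</Directory>
"""
if __name__ == "__main__":
    print(audit(SAMPLE))  # {'/var/www/html': False, '/var/www/html/downloads': True}
```

A subdirectory reported as True under a parent reported as False is the case worth reviewing: a later +Indexes has re-enabled listing below a directory where it was switched off.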

Method 2: Using an .htaccess File

If you are on a shared hosting environment or do not have root server access, you can manage directory listings using an .htaccess file located in your website’s root directory.

  1. Create or open the file: Look for an existing .htaccess file in your website’s main folder (e.g., public_html). If it does not exist, create a new plain text file and name it exactly .htaccess.
  2. Add the configuration line: To disable directory listing, add:

       Options -Indexes

     To enable directory listing, add:

       Options +Indexes

  3. Save and test: Save the file. Changes made via .htaccess take effect instantly without needing to restart the Apache web server, provided that the AllowOverride directive in the main server configuration permits the Options directive (for example, AllowOverride All as in Method 1).