Directories are visible to public


#1

I have a directory that contains a Java program. I noticed that anyone can drill down to that directory from a browser and the contents are displayed and downloadable.

How can I prevent users from doing this?


#2

To disable directory listings for a folder, place the following text into an .htaccess file in that directory:

Options -Indexes

#3

Another effective way is to put an index.html into all directories. This page will now be served when someone tries to view: your-site.com/directory. Using this method also allows you to be creative, since you can put any message you like in the code of this index page. For example:

<html>
<head>
</head>
<body>
<h1>Permission to access this directory is denied.</h1>
<br><br>
Your IP Address: <!--#echo var="REMOTE_ADDR" --> has been logged.
</body>
</html>

Anyone attempting to view the files directly from this directory will see instead:

Permission to access this directory is denied.

Your IP Address: 125.214.64.4 has been logged.

(The user’s actual IP address will display, hopefully stopping him/her from trying this again.)


#4

You can also use a PHP redirect to bump them back up into the parent directory:

<?php
/* Redirect browser */
header("Location: ../");
/* Make sure that code below does not get executed when we redirect. */
exit;
?>

Save that as index.php in the folder in question.

This may also keep out most robots, but you should still make a point of excluding those directories via robots.txt.

I admit, though, that I like the “your IP address has been logged” idea. (Fwiw, the safe in the office where I work has a sign over it saying, “Danger, High Voltage”. I like these approaches.)


#5


Redirects are dangerous when it comes to Googlebot and Bingbot. It basically says that this directory has moved… giving them a soft 302. Probably not something you want.


#6

> Permission to access this directory is denied.
> Your IP Address has been logged.

That is not very helpful. The implication that the visitor is trying to do something they should not be doing is often wrong.

When, because of uncontrollable internet glitches, things become garbled, looking back along the directory path is a reasonable way for the visitor to attempt to rectify the situation and get back on track.

If the website designer does not want to make the directory structure visible, the simplest and best thing to do is to insert index files which offer ways for an errant browser to get back on track. For example, by giving links to (or redirecting to) a sitemap or an “about this website” page.


#7

Do this in a custom 404, but not for a hacker attempting to gain access to your image file directory.
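
A docroot audit for the fixes suggested in posts #2, #3 and #4, added here as an example and not code from any poster in the thread: it walks a document root and reports every directory that has no index file and where `Options -Indexes` is not in effect, following .htaccess inheritance from parent to child. Assumptions: the server honours Options overrides in .htaccess, listings are on by default, and the index names are index.html and index.php; `apply_htaccess`, `find_listable_dirs` and the sample tree are hypothetical names and constructed data.

```python
import os
import re
import tempfile

INDEX_NAMES = ("index.html", "index.php")  # assumed DirectoryIndex names
OPTIONS_RE = re.compile(r"^\s*Options\s+(.+)$", re.IGNORECASE | re.MULTILINE)

def apply_htaccess(path, listing_on):
    """Return the Indexes state after applying one .htaccess (if present)."""
    if not os.path.isfile(path):
        return listing_on  # nothing here: the parent's state is inherited
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    for match in OPTIONS_RE.finditer(text):
        tokens = [t.lower() for t in match.group(1).split()]
        absolute = [t for t in tokens if t[0] not in "+-"]
        if absolute:  # unsigned options replace everything inherited
            listing_on = "indexes" in absolute or "all" in absolute
        if "-indexes" in tokens:
            listing_on = False
        elif "+indexes" in tokens:
            listing_on = True
    return listing_on

def find_listable_dirs(docroot, server_default=True):
    """Return directories (relative to docroot) that would be auto-listed."""
    docroot = os.path.abspath(docroot)
    exposed, state = [], {}
    for dirpath, dirnames, filenames in os.walk(docroot):  # parents come first
        inherited = state.get(os.path.dirname(dirpath), server_default)
        state[dirpath] = apply_htaccess(os.path.join(dirpath, ".htaccess"), inherited)
        if state[dirpath] and not any(n in filenames for n in INDEX_NAMES):
            exposed.append(os.path.relpath(dirpath, docroot))
    return sorted(exposed)

def demo():
    """Audit a constructed sample tree (not taken from the thread)."""
    layout = {"index.html": "home", "java/App.class": "",
              "images/.htaccess": "Options -Indexes\n", "images/thumbs/a.png": "",
              "docs/index.html": "denied", "docs/old/.htaccess": "Options +Indexes\n"}
    with tempfile.TemporaryDirectory() as root:
        for rel, body in layout.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as fh:
                fh.write(body)
        return find_listable_dirs(root)

if __name__ == "__main__":
    print(demo())
```

In the sample tree, `images/thumbs` is covered by its parent's `Options -Indexes`, while `docs/old` is reported because a deeper .htaccess turns listings back on under a directory that was only protected by an index file.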