2022-04-04 11:22:00 +05:30
---
stage: Secure
group: Dynamic Analysis
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
---
# Exposure of information through directory listing
## Description
2022-05-07 20:08:51 +05:30
The target web server is configured to list the contents of directories that do not contain an index file
such as `index.html` . This could lead to accidental exposure of sensitive information, or give an attacker
2022-04-04 11:22:00 +05:30
details on how filenames and directories are structured and stored.
## Remediation
Directory indexing should be disabled.
Apache:
2022-05-07 20:08:51 +05:30
For Apache based web sites, ensure all `<Directory>` definitions have `Options -Indexes` configured in the
2022-04-04 11:22:00 +05:30
`apache2.conf` or `httpd.conf` configuration file.
NGINX:
2022-05-07 20:08:51 +05:30
For NGINX based websites, ensure all `location` definitions have the `autoindex off` directive set in the
2022-04-04 11:22:00 +05:30
`nginx.conf` file.
IIS:
For IIS based websites version 7.0 and above you can use the `<directoryBrowse enabled="false" />` element
in the `applicationHost.config` or `Web.config` files.
For all other server types, please consult your product's documentation on how to disable directory
indexing.
## Details
| ID | Aggregated | CWE | Type | Risk |
|:---|:--------|:--------|:--------|:--------|
| 548.1 | false | 548 | Passive | Low |
## Links
- [CWE ](https://cwe.mitre.org/data/definitions/598.html )
- [Apache Options ](https://httpd.apache.org/docs/2.4/mod/core.html#options )
- [NGINX autoindex ](https://nginx.org/en/docs/http/ngx_http_autoindex_module.html )
- [IIS directoryBrowse element ](https://docs.microsoft.com/en-us/iis/configuration/system.webserver/directorybrowse )
