4.5 Disabled directory browsing

Verify that directory browsing is disabled unless deliberately desired. Additionally, applications should not allow discovery or disclosure of file or directory metadata, such as Thumbs.db, .DS_Store, .git or .svn folders.

Levels: 1, 2, 3

Apache 2

See: Apache wiki: DirectoryListings and documentation for mod_autoindex. Note that the application may have a .htaccess file instructing the webserver to turn on or of ‘Indexes’.


This is typically a webserver feature concern (Apache, IIS, Nginx, etc.) that may be on by default and should be turned off.