
Directory Listing Enabled

Tags: security, CWE-548, OWASP A5:2021, CVSS 5.3, PHP 5.0+, Beginner
DEBT score: d3/e1/b3/t5
d3 Detectability Operational debt — how invisible misuse is to your safety net

Closest to 'default linter catches the common case' (d3). The term's detection_hints.tools lists owasp-zap, nikto, and lighthouse — these are standard security scanners that will flag directory listing as part of routine scans. While not compile-time, these tools are commonly used in CI/CD pipelines and catch this misconfiguration automatically.

e1 Effort Remediation debt — work required to fix once spotted

Closest to 'one-line patch or single-call swap' (e1). The quick_fix explicitly states adding 'Options -Indexes' in .htaccess or 'autoindex off' in nginx config — both are single-line configuration changes that immediately resolve the issue.

b3 Burden Structural debt — long-term weight of choosing wrong

Closest to 'localised tax' (b3). This is a server configuration issue that applies only to web contexts per applies_to. Once fixed at the server level, it imposes no ongoing maintenance burden. The fix is localised to configuration files and does not affect application code or architecture.

t5 Trap Cognitive debt — how counter-intuitive correct behaviour is

Closest to 'notable trap' (t5). The misconception field explicitly states developers believe 'directory listing is harmless if there are no sensitive files present' — this is a documented gotcha. The trap is that it reveals application structure, version numbers, backup files, and admin paths that aid attackers, even when no obviously sensitive files exist. Most developers eventually learn this, but it contradicts the intuition that 'hidden' means 'secure'.


Also Known As

directory browsing, autoindex, open directory

TL;DR

A web server configured to show directory contents exposes file structure and sensitive files to unauthenticated visitors.

Explanation

When a web server has directory listing enabled and no index file exists in a directory, it returns an HTML listing of all files — including backup files, configuration files, log files, and source code. Attackers use this to map the application's structure and download sensitive assets. Disable directory listing in your web server configuration (Options -Indexes in Apache, autoindex off in Nginx), and ensure all sensitive directories have an index file or are outside the web root.

Common Misconception

"Directory listing is harmless if there are no sensitive files present." In reality it reveals application structure, version numbers in filenames, backup files, and admin paths that attackers would otherwise have to guess.

Why It Matters

An enabled directory listing exposes every file in a directory to unauthenticated users — source code, backups, configuration files, and uploaded user content become freely browsable.

Common Mistakes

  • Not adding Options -Indexes to .htaccess or equivalent server configuration.
  • Relying on files being 'unlinkable' rather than enforcing access controls at the server level.
  • Uploading backup files (.sql, .zip, .bak) to web-accessible directories.
  • Testing directory listing protection in development but not verifying it is applied in production.

Code Examples

✗ Vulnerable
# Apache config with directory listing enabled
# (httpd does not accept trailing comments, so the note sits on its own line):
<Directory /var/www/html/uploads>
    # WRONG: 'Indexes' turns on directory listing for this tree; remove it
    Options Indexes FollowSymLinks
    AllowOverride None
</Directory>
✓ Fixed
# nginx: disable directory listing
server {
    autoindex off;  # the default is off, but set it explicitly so an included snippet cannot silently turn it on
}

# Apache (httpd.conf, vhost, or .htaccess where AllowOverride permits it)
Options -Indexes

# Never store sensitive files inside the webroot:
# .env, composer.json, .git -> keep them one directory above public/

# PHP catch-all for requests that reach index.php in a front-controller setup.
# The query string is stripped first, realpath() returns false for paths that
# do not exist, and the document root itself is excluded so "/" still works.
$path = parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH);
if (!is_string($path) || $path === '') {
    $path = '/';
}
$target = realpath(__DIR__ . $path);
if ($target !== false && $target !== realpath(__DIR__) && is_dir($target)) {
    http_response_code(404);
    exit;
}

# Verify:
$ curl -I https://yourapp.com/storage/
# Should return 403 or 404, never a file listing
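To turn the single curl check above into a repeatable pre-release test (the last of the Common Mistakes is verifying protection in development only), here is an added Python example that is not part of the CodeClarityLab page: it probes a list of directory paths on a server you operate and classifies each response, using the "Index of" title that both Apache mod_autoindex and nginx autoindex emit as the listing marker. The path list, the User-Agent string and the marker strings are assumptions to adapt to your own deployment.

```python
"""Probe a site you operate for directories that still return an index listing."""
import sys
import urllib.error
import urllib.request

# Constructed list of directories commonly exposed by PHP deployments;
# replace it with the paths your own application actually serves.
DEFAULT_PATHS = ["/uploads/", "/storage/", "/backup/", "/vendor/", "/logs/"]

# Both Apache mod_autoindex and nginx autoindex render this title/heading.
LISTING_MARKERS = ("<title>Index of ", "<h1>Index of ")


def classify(status, body):
    """Return 'listing', 'blocked' or 'other' for one HTTP response."""
    if status == 200 and any(marker in body for marker in LISTING_MARKERS):
        return "listing"
    if status in (403, 404):
        return "blocked"
    return "other"  # e.g. an index page was served, or a redirect/500


def fetch(url, timeout=5.0):
    """GET url and return (status, body); 4xx/5xx are normal results here."""
    req = urllib.request.Request(url, headers={"User-Agent": "dirlist-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read(65536).decode("utf-8", "replace")


def check_site(base_url, paths=DEFAULT_PATHS):
    """Map each probed path to its classification for base_url."""
    base = base_url.rstrip("/")
    return {path: classify(*fetch(base + path)) for path in paths}


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "http://localhost"
    results = check_site(target)
    for path, verdict in results.items():
        print(f"{verdict:8} {target}{path}")
    # Non-zero exit lets a CI job fail when any listing is found.
    sys.exit(1 if "listing" in results.values() else 0)
```

Run it against the production host from a CI job so a regression in the server config fails the pipeline rather than going unnoticed.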

Added 15 Mar 2026
Edited 22 Mar 2026
Dev Intel: Tools & Severity

Severity: Medium. Fix effort: Low.

Quick Fix

Add 'Options -Indexes' in .htaccess (Apache) or 'autoindex off' in nginx config; ensure every directory has an index file.

Applies To

PHP 5.0+, web

Detection Hints

Missing Options -Indexes in .htaccess or autoindex on in nginx; directory browsable in browser.
Auto-detectable: Yes (owasp-zap, nikto, lighthouse)

AI Agent

Confidence: High. False positives: Low. Auto-fixable; fix effort: Low; context: line.