Home / Tools / Disable directory listing so visitors cannot browse your file system
Exposed Files · Scan Check Guide

Disable directory listing so visitors cannot browse your file system

15 min Impact: medium Effort: low ✓ Scan-verified — no manual checkbox

Directory listing shows the full contents of a folder when there's no index file present — instead of a 404 or your homepage, visitors (and attackers) see a raw file browser of everything in that directory, including files you never intended to be individually discoverable.

Directory listing lets anyone browse your file system like a file manager — seeing every file name, backup, and configuration file in your directories.

How to fix it

  1. 1
    Check if directory listing is currently enabled
    Visit a folder URL without a specific file, like yoursite.com/uploads/ — if you see a file list instead of a 404 or redirect, it's on.
  2. 2
    Disable it at the server level
    Apache: Options -Indexes in your config or .htaccess. Nginx: autoindex off; (this is actually the default in nginx, so check your specific config didn't turn it on).
  3. 3
    Add index files as a backup
    A blank index.html in sensitive folders also prevents listing from showing, even if the setting somehow gets re-enabled.

Common mistakes

How you'll know it's done

Visiting a folder URL directly returns a 403/404 or your site's normal content, never a raw file listing.

H.I.V.E. checks this automatically

Fix it, then re-scan — the check confirms itself. No manual checkbox, the scan is the truth.

Run this check in H.I.V.E. →