Last updated on May 8, 2010. Tags: directory structure, htaccess
Websites, especially the really big ones (big in terms of number of files: HTML, images, etc.), are usually structured into folders. Some sites are structured such that HTML pages and other files that cover the same topic are in one folder. Another way of arranging them is by file type, with images in one folder, sound clips in another, and HTML files in the root directory.
By just looking at the URL, visitors can easily find your website's folders or directories. For example, if a visitor views one of your image files alone (all major browsers offer this feature, and your images can be reached without visiting your site through Google image search), they can see the URL of the image as something like http://www.domain.com/images/imagefile.jpg in the browser's address bar. It is then easy to deduce that there are other images in the /images/ folder and go to that location by simply removing imagefile.jpg from the URL.
Then, your visitor will be able to access the other files in that folder in a page similar to the one below:

In some cases, you would not want your visitors to access these folders. It could be that some parts of your site are supposed to be password protected, or you simply do not want images or any other embedded objects being seen without any web page.
There are two ways to prevent your visitors from accessing your directories.
Yep! This is what its name implies. You put a webpage file named index.htm in all folders in your website, or at least in those folders that you do not want to be accessed as folders. It's up to you to decide if you want to use these files as actual webpages or just blanks with no purpose other than blocking access to your directory.
This is the same mechanism that you use when you create index.htm as your homepage. You can access it by typing www.domain.com and there's no need for the complete www.domain.com/index.htm. Your entire website is actually one big directory (usually referred to as the root directory). If you don't have index.htm in your root directory, you'll see a folder file list like the one in the illustration above. Index.htm is not necessary if you're using a CMS such as WordPress or some other back-end tweak, but those are entirely different topics.
However, if your site is really big with more than five folders, including all subfolders of any depth, putting an index.htm file in all of them is not a practical solution, which then leads us to solution no. 2.
To prevent access to all folders in your website, open the .htaccess file in your root directory and insert the following lines.
# Turn off automatic directory listings; every other option stays as inherited
Options -Indexes
If there are other directives in your .htaccess, the safest place to insert this code is at the very start or at the very end of the .htaccess file, to ensure that it doesn't interfere with the functions of the other directives.
If you didn't find .htaccess, you can simply create it. Note that some hosting file managers make this file hidden by default and you might need to configure something to make it visible. There are also some hosting companies that do not permit you to edit the .htaccess. Also, not all web servers use .htaccess files; those that do are usually Apache servers.
If you use the code above in the .htaccess in the root directory, the root directory and all folders and subfolders under it will not be accessible. Only the automatic file list is blocked; a file inside such a folder can still be opened by its full URL. To make only certain folders inaccessible, create another .htaccess in those folders and insert the code. When you make a folder inaccessible, all subfolders under it will also be inaccessible. This is the message that will appear when a folder is inaccessible.

If you have this code in the .htaccess and also an index.htm in the folder, that index.htm will still be accessible like any other webpage. The Forbidden message above will not show up (but it will still show up in the subfolders).
Suppose you want all but one or a few folders to be inaccessible. What you can do is insert the code in the .htaccess in the root directory. Then, create .htaccess files in those folders that you want to be accessible and insert the following lines:
# Turn automatic directory listings back on for this folder and its subfolders
Options +Indexes
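To check a site for folders that still show a file list, the Python sketch below (an added example, not code from the original post) walks a document root and applies the inheritance rules described above: the nearest .htaccess with an Options line decides, and an index file suppresses the listing. It assumes .htaccess overrides for Options are allowed, that index.htm and index.html are the index names, and that `server_default` (a hypothetical parameter) states whether the server lists folders before any .htaccess applies; the sample site is constructed.

```python
import os, re, tempfile

INDEX_NAMES = ("index.htm", "index.html")  # assumed DirectoryIndex names

def indexes_after(htaccess, inherited):
    """Apply the Options lines of one .htaccess to the inherited Indexes state."""
    state = inherited
    with open(htaccess, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            m = re.match(r"\s*Options\s+(.+)", line, re.IGNORECASE)
            tokens = [t.lower() for t in m.group(1).split()] if m else []
            if any(t[0] not in "+-" for t in tokens):
                # Unsigned form replaces the inherited set instead of merging.
                state = any(t in ("indexes", "all") for t in tokens)
            if "-indexes" in tokens:
                state = False
            elif "+indexes" in tokens:
                state = True
    return state

def listable_dirs(docroot, server_default=True):
    """Directories (relative to docroot) where a file listing would be served."""
    exposed = []
    def walk(path, inherited):
        ht = os.path.join(path, ".htaccess")
        state = indexes_after(ht, inherited) if os.path.isfile(ht) else inherited
        names = sorted(os.listdir(path))
        if state and not any(n in INDEX_NAMES for n in names):
            exposed.append(os.path.relpath(path, docroot))
        for n in names:
            sub = os.path.join(path, n)
            if os.path.isdir(sub) and not os.path.islink(sub):
                walk(sub, state)
    walk(docroot, server_default)
    return exposed

def build_sample(root):
    """Constructed sample site: root blocks listings, downloads/ re-enables them."""
    for d in ("images/thumbs", "downloads/old", "blog"):
        os.makedirs(os.path.join(root, d))
    files = {".htaccess": "Options -Indexes\n", "index.htm": "<html></html>",
             "downloads/.htaccess": "Options +Indexes\n", "downloads/old/index.htm": ""}
    for rel, body in files.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(listable_dirs(tmp))  # folders that still expose a file list
```

Run against a local copy of the site, any folder it reports needs either an index file or a .htaccess that turns listings off.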
Posted by Greten on October 27, 2009 under Server Configuration