Picto thématique

Rule n° 204 - The server does not send the file listing of directories with no index page.

When a website directory does not have a front page (the website image directory, for example), it may be possible to display its contents. For example, if this rule is not followed, a Url such as domain.com/ doc/ may allow access to the complete list of documents on the website, even if they are not online.

#Security #Development

Goal

  • Prevent the display of lists of files contained in a directory.
  • improve the server’s security.
  • Reduce the risk of intrusion.

Implementation

Configure the server so that it does not return the listing of files found in a directory. For Apache, add for example options –indexes in the .htaccess.

Control

For each audited site:

  • Check that the call to a directory without a default page - such as the directory of images, JS scripts or style sheets - does not return the listing of the contents of this folder (this action can however lead to an error page or to a redirect).

By Opquast - Read the license


Discover Opquast training and certification

The objective of these rules and the Opquast community mission is ‘making the web better’ for your customers and for everyone! Opquast rules cover the key major areas of risk that can negatively affect website users such as privacy, ecodesign, accessibility and security.

Opquast training has already allowed over 14,500 web professionals to have their skills certified. Train your teams or your students, contact us