Directory listing

Description

A directory listing provides an attacker with the complete index of all the resources located inside of the directory. The specific risks and consequences vary depending on which files are listed and accessible.
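The following is an added illustration, not code from Escape or from this page, of how a scanner-side check for this finding can be written: a heuristic that flags HTTP responses whose title, heading and link structure match the stock index pages generated by Apache mod_autoindex, nginx autoindex, IIS directory browsing and Python's http.server. The sample responses are constructed for the example; the signature list is an assumption that covers the common defaults and would need extending for other servers.

```python
import re

# Constructed sample responses (not captured from any real host): one per
# stock directory-index page, plus a normal page and a JSON API body.
SAMPLES = {
    "apache": ("text/html; charset=utf-8",
               '<html><head><title>Index of /backup</title></head><body>'
               '<h1>Index of /backup</h1><pre><a href="../">Parent Directory</a> '
               '<a href="db.sql">db.sql</a></pre></body></html>'),
    "nginx": ("text/html",
              '<html><head><title>Index of /static/</title></head><body>'
              '<h1>Index of /static/</h1><hr><pre><a href="../">../</a>\n'
              '<a href="app.js">app.js</a> 01-Jan-2024 00:00 1234</pre></body></html>'),
    "iis": ("text/html",
            '<html><head><title>localhost - /uploads/</title></head><body>'
            '<H1>localhost - /uploads/</H1><hr><pre><A HREF="/">[To Parent Directory]</A><br>'
            '<A HREF="/uploads/report.pdf">report.pdf</A></pre></body></html>'),
    "python_http_server": ("text/html; charset=utf-8",
                           '<html><head><title>Directory listing for /</title></head><body>'
                           '<h1>Directory listing for /</h1><ul><li><a href="README.md">README.md</a>'
                           '</li></ul></body></html>'),
    "normal_page": ("text/html",
                    '<html><head><title>Welcome</title></head><body><h1>Hello</h1>'
                    '<a href="/about">About</a></body></html>'),
    "json_api": ("application/json", '{"title": "Index of /", "items": []}'),
}

# Title/heading strings emitted by common auto-generated index pages
# (assumed list; extend it for other servers you need to recognise).
_SIGNATURES = [
    re.compile(r"<title>\s*Index of /", re.I),                # Apache mod_autoindex, nginx autoindex
    re.compile(r"<h1>\s*Index of /", re.I),
    re.compile(r"<title>\s*Directory listing for /", re.I),   # python -m http.server
    re.compile(r"\[To Parent Directory\]", re.I),             # IIS directory browsing
]
_FILE_LINK = re.compile(r'<a\s+href="[^"]+"', re.I)


def looks_like_directory_listing(content_type: str, body: str) -> bool:
    """True when an HTTP response resembles a server-generated directory index."""
    if not content_type.lower().startswith("text/html"):
        return False  # autoindex pages are always HTML; a JSON body cannot be one
    if not any(sig.search(body) for sig in _SIGNATURES):
        return False
    # Also require at least one link, so a hand-written page that merely
    # says "Index of ..." in its title is not reported on its own.
    return len(_FILE_LINK.findall(body)) >= 1


def scan(samples=SAMPLES) -> dict:
    """Run the heuristic over (content_type, body) pairs and return name -> verdict."""
    return {name: looks_like_directory_listing(ctype, body)
            for name, (ctype, body) in samples.items()}


if __name__ == "__main__":
    for name, flagged in scan().items():
        print(f"{name:20s} {'DIRECTORY LISTING' if flagged else 'ok'}")
```

The content-type gate and the link requirement are there to keep false positives down on API responses and ordinary pages that happen to use the words "Index of"; a real check would additionally confirm the finding by requesting the directory with a known index file removed from the path, which this heuristic deliberately does not do.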

Remediation

  • Configure your web server to prevent directory listings for all paths beneath the web root.
  • Place into each directory a default file (such as index.htm) that the web server will display instead of returning a directory listing.

REST Specific

ASP.NET: To prevent directory listing in ASP.NET, configure the web server to disable directory browsing. In IIS, this can be done by opening the IIS Manager, navigating to the 'Directory Browsing' feature, and setting it to 'Disabled'. Additionally, ensure that default documents are properly configured so that a default web page is served instead of a directory listing. In the web.config file, set the 'system.webServer/directoryBrowse' element's 'enabled' attribute to 'false' to block directory listing at the application level.
Ruby on Rails: In Ruby on Rails, disable directory listings by ensuring the `config.serve_static_files` option is set to `false` in your application's configuration file. Additionally, configure your web server (e.g., Apache or Nginx) to deny directory browsing. For Apache, use 'Options -Indexes' in your .htaccess file or Apache configuration. For Nginx, ensure 'autoindex off;' is included in the server block configuration.
Next.js: In Next.js, disable directory listing by ensuring that the 'server' configuration does not serve static files from a public directory without explicit routes. Use a custom server or middleware to control access to files, and set proper file permissions to prevent unauthorized directory traversal and exposure of sensitive files.
Laravel: In Laravel, disable directory listing by ensuring the 'Options -Indexes' directive is included in your .htaccess file, or configure your web server settings appropriately. Additionally, set the 'public' directory as the web root and avoid placing sensitive files within it. Use middleware to restrict access to authorized users and apply proper access controls to your routes.
Express.js: In Express.js, disable directory listing by not using express.static() middleware for serving static files, or configure it to disable directory indexing. Additionally, ensure that web server configurations like Apache's .htaccess or Nginx's server block do not have directory listing enabled. Use middleware like helmet to set security-related HTTP headers and prevent common vulnerabilities.
Django: In Django, ensure that the 'DEBUG' setting is set to False in your production settings file to prevent the display of a directory listing. Additionally, configure your web server to disallow directory indexing. For Apache, this can be done by removing 'Indexes' from the 'Options' directive in the .htaccess file or the main configuration file. For Nginx, ensure that 'autoindex off;' is set in the server block configuration.
Symfony: In Symfony, disable directory listing by configuring your web server appropriately. For Apache, use '.htaccess' or the config file to set 'Options -Indexes'. For Nginx, ensure 'autoindex' is set to 'off'. Additionally, review your 'public/' directory to ensure it only contains index.php and assets.
Spring Boot: In Spring Boot, disable directory listing by configuring your application.properties or application.yml to not allow static content listing, and ensure that your controllers do not expose directory paths. Use Spring Security to restrict access and define proper permissions for different resources.
Flask: In Flask, ensure that the 'AUTOINDEX' option is set to False in your application configuration or web server settings to prevent automatic directory listings. Additionally, configure your web server to deny directory browsing requests and serve a custom 403 Forbidden error page instead.
Nuxt: In Nuxt.js, to prevent directory listing, ensure that the static file serving configuration does not allow directory indexing. Set 'serveStatic' options to disable directory listing in your server configuration or use a middleware to restrict access to sensitive directories. Additionally, review and configure your web server settings (like Nginx or Apache) to disable directory browsing.
FastAPI: In FastAPI, to prevent directory listing, ensure that static file serving is configured correctly. Use the 'StaticFiles' class from 'fastapi.staticfiles' to serve static files and explicitly define which directories should be accessible. Avoid serving the entire root directory. Additionally, set 'use_directory_listing' to 'False' to disable directory listing for the specified static directories.
Frappe: Disable directory listing in the Frappe framework by configuring the web server to deny directory indexing, ensuring sensitive files are not exposed to unauthorized users.
Genzio: Disable directory listing in the Genzio framework engine by configuring the server settings to prevent unauthorized access to directory contents.
Gin: Disable directory listing in the Gin framework by ensuring that the web server configuration does not allow directory browsing. This can be achieved by setting appropriate permissions and using middleware to handle requests securely.
Gorilla: Disable directory listing in the Gorilla framework by configuring the web server to deny directory indexing or by adding a default index file to directories.
Hapi: Disable directory listing in the Hapi framework by setting the 'listing' option to false in the route configuration for static file serving.
Hono: Disable directory listing in the Hono framework engine by configuring the server settings to prevent unauthorized access to directory contents.
Jersey: Disable directory listing in the Jersey framework by configuring the web server to prevent the display of directory contents. This can be achieved by setting appropriate server configurations or using a web.xml file to restrict access to directory listings.
Koa: Disable directory listing in the Koa framework by ensuring that the static file serving middleware is configured to prevent directory browsing. This can be achieved by setting the 'index' option to false or using a custom middleware to handle requests more securely.
Ktor: Disable directory listing in the Ktor framework by configuring the server to not serve directory indexes. Ensure that the 'autoHeadResponse' and 'directory' features are not enabled, and explicitly define routes to serve only the necessary files.
Leptos: Disable directory listing in the Leptos framework by configuring the web server to deny directory index requests, ensuring sensitive files are not exposed.
Macaron: Disable directory listing in the Macaron framework by configuring the web server to deny directory index requests or by setting appropriate permissions to restrict access to directory contents.
Phoenix: Disable directory listing in the Phoenix framework by configuring your web server to deny directory indexing and ensure that sensitive files are not publicly accessible.
RedwoodJS: Disable directory listing in RedwoodJS by configuring your web server to prevent the automatic listing of directory contents. This can typically be done by setting the appropriate options in your server configuration file, such as using 'Options -Indexes' in Apache or 'autoindex off;' in Nginx.
Rocket: Disable directory listing in the Rocket framework by configuring the web server to deny directory index requests, ensuring sensitive files are not exposed.
SvelteKit: Disable directory listing in the SvelteKit framework by configuring the server to deny directory index requests, ensuring sensitive files are not exposed.
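Both Remediation bullets above and the framework notes that recommend a custom static-file middleware come down to one resolution policy: a request for a directory is answered with that directory's default file if it has one and with 403 otherwise, and a request can never escape the web root. The example below, added here and not taken from this page or from any of the listed frameworks, implements that policy as a plain Python function over the filesystem so it can be dropped into any handler; the web root it builds under a temporary directory is constructed for the demonstration, and the `Forbidden`/`NotFound` exceptions and the `classify` status strings are naming choices of the example.

```python
import tempfile
from pathlib import Path


class Forbidden(Exception):
    """Request maps to a directory without an index file, or escapes the root."""


class NotFound(Exception):
    """Request maps to nothing under the root."""


def resolve_static(root, url_path, index_names=("index.html", "index.htm")):
    """Map a URL path onto a file under `root` with directory listing disabled.

    Policy (mirrors the Remediation bullets; exception names are this example's):
      * path that resolves outside `root`          -> Forbidden
      * directory containing one of `index_names`  -> that index file
      * directory without an index file            -> Forbidden (never a listing)
      * regular file                               -> that file
      * anything else                              -> NotFound
    """
    root = Path(root).resolve()
    # lstrip("/") so that joining does not discard `root` for absolute URL paths
    candidate = (root / url_path.lstrip("/")).resolve()
    if candidate != root and root not in candidate.parents:
        raise Forbidden(url_path)  # ../ traversal out of the web root
    if candidate.is_dir():
        for name in index_names:
            index_file = candidate / name
            if index_file.is_file():
                return index_file
        raise Forbidden(url_path)  # an autoindex server would list the directory here
    if candidate.is_file():
        return candidate
    raise NotFound(url_path)


def classify(root, url_path) -> str:
    """Return the HTTP outcome the policy produces, as a short status string."""
    try:
        served = resolve_static(root, url_path)
    except Forbidden:
        return "403"
    except NotFound:
        return "404"
    return "200 " + served.relative_to(Path(root).resolve()).as_posix()


def build_demo_root() -> Path:
    """Create a constructed sample web root in a temp dir: index at the top,
    a css/ directory without an index, and an uploads/ directory without one."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    (root / "css").mkdir()
    (root / "uploads").mkdir()
    (root / "index.html").write_text("<h1>home</h1>")
    (root / "css" / "app.css").write_text("body{}")
    (root / "uploads" / "report.pdf").write_bytes(b"%PDF-")
    return root


def demo_outcomes(root=None) -> dict:
    """Exercise the policy over representative request paths."""
    root = root or build_demo_root()
    paths = ["/", "/css/", "/css/app.css", "/uploads/",
             "/uploads/report.pdf", "/../etc/passwd", "/missing"]
    return {p: classify(root, p) for p in paths}


if __name__ == "__main__":
    for path, outcome in demo_outcomes().items():
        print(f"{path:22s} -> {outcome}")
```

Note the `/uploads/report.pdf` case: disabling listings removes the index an attacker would otherwise read, but a file whose name is already known is still served, so sensitive material must be kept outside the web root or behind authentication rather than merely un-listed, as the Laravel and Symfony notes above say.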

Configuration

Identifier: configuration/directory_listing

Examples

Ignore this check

checks:
  configuration/directory_listing:
    skip: true

Score

  • Escape Severity:

Compliance

  • OWASP: API1:2023
  • OWASP LLM: LLM06:2023
  • pci: 2.2.5
  • gdpr: Article-32
  • soc2: CC6
  • psd2: Article-95
  • iso27001: A.18.1
  • nist: SP800-53
  • fedramp: AC-4

Classification

  • CWE: 548

Score

  • CVSS_VECTOR: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
  • CVSS_SCORE: 5.3