What is apache autoindex and should I disable it?

security pci-compliance mod-autoindex
symlink picture symlink · Feb 26, 2015 · Viewed 17.9k times · Source

I have a 3rd party client who did a PCI scan on their site. The report returned this:

web server autoindex enabled

What is this and is it safe to disable it? Does anyone know the safest way to disable it, and how I can check it has been disabled?

Answer

Kevin Seifert picture Kevin Seifert · Feb 26, 2015

autoindex generates directory indexes, automatically, similar to the Unix ls command or the Win32 dir shell command. From:

http://httpd.apache.org/docs/2.2/mod/mod_autoindex.html

You'd comment out the line in your conf/http.conf that references mod_autoindex, and restart/reload the service.

The only reason you'd want this is if you want people browsing your web directories (eg, stripping off a resource, and navigating to the parent dir).

Related questions

How can I prevent SQL injection in PHP?

If user input is inserted without modification into an SQL query, then the application becomes vulnerable to SQL injection, like in the following example: $unsafe_variable = $_POST['user_input']; mysql_query("INSERT INTO `table` (`column`) VALUES ('$unsafe_variable')"); That's …

Read More
SecurityError: Blocked a frame with origin from accessing a cross-origin frame

I am loading an <iframe> in my HTML page and trying to access the elements within it using Javascript, but when I try to execute my code, I get the following error: SecurityError: Blocked a frame with origin "…

Read More
How to create .pfx file from certificate and private key?

I need .pfx file to install https on website on IIS. I have two separate files: certificate (.cer or pem) and private key (.crt) but IIS accepts only .pfx files. I obviously installed certificate and it is available in certificate …

Read More