The guide explains why turning off directory browsing on web servers is essential for security and then walks the reader through simple steps for both Apache and Nginx. For Apache you can edit the main configuration or drop an .htaccess file containing “Options -Indexes” to remove the Indexes flag that otherwise generates a listing of every file in a folder without an index page. On Nginx the solution is even shorter: add “autoindex off;” inside the server block and then test and reload the service to apply the change. A quick checklist table summarizes the flags for each server, and the article ends with reassurance that disabling directory browsing is a trivial but powerful security measure.

How to Turn Off Directory Browsing in Apache & Nginx

If you’re running a web server that’s giving away more than it should—like showing every file in a folder when no index.html is present—you need to turn off directory browsing. It’s a quick tweak but a big win for security.

Why You Should Disable Directory Browsing

I’ve seen folks run into this after adding a new plugin or just copying files over without an index page. Anyone can hit http://example.com/folder/ and see the entire contents. That leaks sensitive file names, reveals hidden directories, and gives attackers a map to exploit.

Turning Off Directory Browsing in Apache

1. Edit the main config file (or create an override).

Open /etc/apache2/apache2.conf on Debian‑based systems or /etc/httpd/conf/httpd.conf on RHEL‑based ones. Look for a <Directory /var/www/> block; if you can’t find one, add it.

<Directory "/var/www/">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

Indexes is the flag that tells Apache to generate a directory listing. Removing it stops that auto‑generation.

2. Disable via .htaccess (if you can’t touch the main file).

Place an .htaccess in the root of your site with:

Options -Indexes

-Indexes flips the flag off for that directory and any subfolders unless overridden again.

3. Reload Apache to apply changes.

sudo systemctl reload apache2   # Debian/Ubuntu
# or
sudo systemctl reload httpd     # CentOS/RHEL

If you’re on a shared host, just drop the .htaccess file; most hosts already run with Indexes turned off by default.

Turning Off Directory Browsing in Nginx

1. Locate your server block config.

Typical files live in /etc/nginx/sites-available/. Open the appropriate file for your domain.

server {
    listen 80;
    server_name example.com;

    root /var/www/html;

2. Add or modify the autoindex directive.

    autoindex off;

autoindex on; is Nginx’s counterpart to Apache’s Indexes. Setting it to off suppresses directory listings.

3. Test and reload Nginx.

sudo nginx -t   # sanity check
sudo systemctl reload nginx

Quick Checklist

Server	Flag	Default	What to set
Apache	Indexes	on (unless omitted)	Remove or use -Indexes
Nginx	autoindex	off	Explicitly set off

Final Thoughts

Disabling directory browsing is one of those “if you’re not sure, turn it off” actions. It’s trivial to implement and hard to mistake for a security hole. After the change, hit any folder URL that previously listed files—nothing should appear.