Most web servers allow any user to browse the directories (folders) when no index file is available. This can lead to information leakage and help an attacker when trying to compromise your site.

In order to improve your security, we recommend that you disable this option. The NIST Guide for Securing Web Servers also recommends it.

Disabling on Apache

To disable directory listing on Apache, you just need to add the following line to your .htaccess file:

Options -Indexes

Sucuri Customers

Note that all CloudProxy users are already protected against it.

If you have any questions, please contact our research team at