I recently ran some penetration testing software on my web site and was surprised to see it report that one of my directory listings was publicly accessible.

It is the directory of the root user which is available.

http://www.example.com/~root/

Results in this page content:

Index of /~root

    * Parent Directory
    * cgi-bin/

Platform: I am creating PHP websites, with Symfony on Linux with Apache.

Is this something that I can configure through Apache?

+4  A: 

You could create a .htaccess file in that directory, or have a <Directory>...</Directory> block in your Apache configuration that specifies:

Options -Indexes

See the Apache Options directive documentation for more details.

PP
+1  A: 

There is a command in Apache that will make it show indexes.

Options +Indexes

Remove this, restart. This will make that URL show a 403 Forbidden.

Peter Stuifzand
So that's what Options +Indexes does! Thanks!
Jon Winstanley
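
An added example, not part of either answer: a small Python audit that reads Apache configuration text and reports whether Indexes is effectively on for a directory, following the Options rule that a line whose options all carry + or - merges with the inherited state while an unprefixed line replaces it. The sample configuration, its paths and the function names are constructed for illustration; the sketch reads only <Directory> sections with plain paths and ignores .htaccess files, Include, wildcards and <DirectoryMatch>.

```python
import re

SECTION = re.compile(r'<Directory\s+"?([^">]+)"?\s*>', re.I)
END = re.compile(r'</Directory\s*>', re.I)
OPTIONS = re.compile(r'Options\s+(.+)', re.I)

# Constructed sample configuration (not taken from the page).
SAMPLE_CONF = """\
<Directory "/">
    Options FollowSymLinks
</Directory>
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
</Directory>
<Directory "/var/www/html/private">
    # listing switched off, other inherited options kept
    Options -Indexes
</Directory>
"""

def parse_sections(conf):
    """Return [(directory_path, [token list per Options line])]."""
    sections, current = [], None
    for raw in conf.splitlines():
        line = raw.strip()
        if line.startswith('#'):
            continue
        if m := SECTION.match(line):
            current = (m.group(1).rstrip('/') or '/', [])
            sections.append(current)
        elif END.match(line):
            current = None
        elif current and (m := OPTIONS.match(line)):
            current[1].append(m.group(1).split())
    return sections

def indexes_enabled(conf, path, default=False):
    """Effective Indexes state for path; sections apply shortest path first."""
    state = default
    matching = [s for s in parse_sections(conf)
                if s[0] == '/' or path == s[0] or path.startswith(s[0] + '/')]
    for _, option_lines in sorted(matching, key=lambda s: len(s[0])):
        for tokens in option_lines:
            names = [t.lstrip('+-').lower() for t in tokens]
            if all(t[0] in '+-' for t in tokens):  # relative: merge
                for t, name in zip(tokens, names):
                    if name == 'indexes':
                        state = t[0] == '+'
            else:                                  # absolute: replace
                state = 'indexes' in names or 'all' in names
    return state
```

Any directory for which `indexes_enabled` returns True will serve an "Index of" page when it has no index file, so those are the sections that need `Options -Indexes`.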