Is directory browsing a vulnerability?

Yes — it is information disclosure. Attackers use leaked filenames to find backups, configs, source code and credentials. Closing it is a basic hardening step.

How do I disable autoindex in Apache?

Remove "Indexes" from the Options directive in your virtual host config. Or add `Options -Indexes` to the relevant directory block. Restart Apache.

How do I disable autoindex in Nginx?

Remove the autoindex directive (or set autoindex off;) in the relevant server / location block. Restart Nginx.

Does an index.html prevent directory listing?

Yes. If a directory contains an index file, the server serves that instead of the autoindex page. Add an empty index.html as defence in depth, but disable autoindex too.

Does this affect SEO?

Not directly, but exposed directories sometimes get crawled and indexed by Google, leaking filenames into search results. Closing them protects both security and search-result hygiene.

Directory Browsing Test

The Directory Browsing Test probes common server directories on any URL to see whether the server returns an autoindex listing (the classic "Index of /" page) instead of a 403 / 404. Open directory listings leak filenames — config backups, sensitive uploads, abandoned files — that attackers download and analyse for credentials, source code or further vulnerabilities. The fix is one server config line; the cost of leaving it open can be a full data exposure.

What This Tool Checks

Autoindex listing on common directories (/uploads, /backup, /admin, /.git)
Server responds with 403 / 404 instead of file listing
Sensitive filename patterns visible in any leaked listing
Default Apache / Nginx autoindex configuration
CMS-specific directory exposure (wp-content/uploads, etc.)

Why It Matters for SEO

Open directory listings are pure information disclosure. Attackers scan for /backup/, /old/, /.git/, /uploads/ and download every file. Database dumps, .env files, source code and customer uploads regularly leak through this single misconfiguration. Closing it is one server config line; leaving it open can cost the business its data.

How to Fix It

Disable directory listing globally. In Apache, remove "Indexes" from Options. In Nginx, remove or set autoindex off. Add an empty index.html to every directory as a belt-and-braces measure. Move sensitive directories outside the web root entirely. Re-test until every probed directory returns 403 or 404.

How It Works

We probe a maintained list of common directory paths on the URL's domain and check the response for HTML matching server autoindex output (Apache mod_autoindex, Nginx autoindex). Each open directory is reported with the filenames it leaks.

Common Mistakes to Avoid

Default Apache install with autoindex enabled
Default Nginx install with autoindex enabled
/.git/ directory left exposed (full source-code disclosure)
Backup directories named obviously (/backup/, /old/, /save/)
Treating directory listings as harmless because "the files are not linked anywhere"

Quick Checklist

No directory autoindex anywhere on the domain
/.git/ and /.env/ paths return 403 / 404
Backup directories not named obviously
Sensitive files moved outside the web root
Re-tested after server upgrades

Directory Browsing Test

What This Tool Checks

Why It Matters for SEO

How to Fix It

How It Works

Common Mistakes to Avoid

Quick Checklist

Frequently Asked Questions

Related Free Tools

About PositionMySite

Services

Let's Connect