Exposure of information through directory listing
The target web server is configured to list the contents of directories that do not contain an index file such as index.html. This could lead to accidental exposure of sensitive information, or give an attacker details on how filenames and directories are structured and stored.
Directory indexing should be disabled.
For Apache-based websites, ensure all <Directory> definitions have Options -Indexes configured in the httpd.conf configuration file.
For NGINX-based websites, ensure all location definitions have the autoindex off directive set in the
For IIS-based websites version 7.0 and above you can use the <directoryBrowse enabled="false" /> element
For all other server types, please consult your product’s documentation on how to disable directory indexing.
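One way to check the Apache and NGINX rules above against configuration text before deployment, as an added example that is not part of the original advisory. It applies the rule as stated (every block must carry the explicit setting, ignoring inheritance from parent blocks). The function names audit_apache and audit_nginx and both sample configurations are constructed for illustration, and the NGINX check assumes location blocks are not nested.

```python
import re

# Constructed sample configurations (not taken from the page).
APACHE_SAMPLE = """\
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
</Directory>
<Directory "/var/www/html/app">
    Options -Indexes +FollowSymLinks
</Directory>
<Directory "/var/www/html/static">
    AllowOverride None
</Directory>
"""
NGINX_SAMPLE = """\
location /files/ {
    autoindex on;
}
location /app/ {
    autoindex off;
}
location /static/ {
    expires 1h;
}
"""

def audit_apache(conf):
    """Return paths of <Directory> blocks with no explicit 'Options -Indexes'."""
    findings = []
    blocks = re.findall(r'<Directory\s+"?([^">]+)"?\s*>(.*?)</Directory>',
                        conf, re.S | re.I)
    for path, body in blocks:
        # Directive and option names are case-insensitive; '#' lines never match.
        lines = re.findall(r'^\s*Options\s+(.+)$', body, re.M | re.I)
        tokens = [t.lower() for line in lines for t in line.split()]
        if "-indexes" not in tokens:
            findings.append(path)
    return findings

def audit_nginx(conf):
    """Return location blocks with no explicit 'autoindex off;' (non-nested only)."""
    findings = []
    for path, body in re.findall(r'location\s+([^{]+?)\s*\{([^}]*)\}', conf):
        if not re.search(r'^\s*autoindex\s+off\s*;', body, re.M):
            findings.append(path)
    return findings

if __name__ == "__main__":
    print("Apache:", audit_apache(APACHE_SAMPLE))
    print("NGINX: ", audit_nginx(NGINX_SAMPLE))
```

Blocks reported by either function are the ones to review; an empty list means every block in the supplied text carries the explicit setting.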