Directory Listing Checker
Detect if directories expose file listings revealing sensitive documents and structure.
📁 Directory Listing Checker
Check if your website exposes directory contents, revealing files and folder structure to attackers.
⚠️ What is Directory Listing?
Directory listing occurs when a web server displays the contents of a directory (folder) because no index file is present. This exposes your file structure, file names, and potentially sensitive documents to anyone who accesses that directory.
💡 Why Check Directory Listing?
- Prevent Data Leaks: Stop unauthorized access to files
- Hide Structure: Don't reveal your website architecture
- Compliance: Required by security standards (PCI-DSS, OWASP)
- Attack Prevention: Don't give attackers a file inventory
Free Directory Listing Checker - Detect Exposed Files & Folders Security Risk
Our free Directory Listing Checker scans your website for directory listing vulnerabilities that expose file structures and sensitive documents to attackers. The tool automatically tests 30+ common directories including uploads, backups, admin, includes, vendor, and WordPress paths, detecting when web servers display folder contents instead of blocking access. Get instant risk assessment (Critical, High, Medium, Safe) showing which directories are exposed, how many files are visible in each directory, sample file names that can be accessed, and specific risk level for each exposed path. Essential for website security audits, preventing information disclosure, protecting sensitive files from unauthorized access, and compliance with security standards (OWASP, PCI-DSS). Includes comprehensive fix guides for Apache (.htaccess and httpd.conf), Nginx (nginx.conf), IIS (web.config), and alternative solutions like adding index files to every directory. Tested directories include /uploads/, /backups/, /admin/, /wp-content/, /vendor/, /includes/, /temp/, /cache/, /logs/, and many more common paths that should never expose their contents.
What is Directory Listing?
Directory listing is a web server feature that displays the contents of a directory when no index file (index.html, index.php, default.aspx) is present in that folder. While sometimes useful during development, directory listing is a serious security vulnerability in production environments because it exposes sensitive information to attackers:
- The web server automatically generates an HTML page showing all files and subdirectories in the folder
- Users can browse the file structure by clicking through directories as in a file manager
- Attackers see configuration files, backups, source code, and sensitive documents
- File download links allow direct access to any listed file
- The listing reveals the technology stack, frameworks, and application structure, helping attackers plan attacks
- Information that should never be publicly accessible is exposed
How directory listing works:
- A user or bot requests a directory URL such as https://example.com/uploads/
- The web server checks for an index file (index.html, index.php, default.aspx, etc.)
- If no index file is found AND directory listing is enabled, the server generates a listing page
- The browser displays a table showing filename, modification date, file size, and download links
- Anyone can click files to download them or click subdirectories to explore further
Common scenarios that lead to exposure:
- A developer creates a new directory for uploads or temporary files without adding an index file
- A backup script creates a directory for database dumps or file archives
- Content management systems automatically create folders for media uploads
- Vendor dependencies installed via Composer or npm create node_modules or vendor directories
- Old directories from previous website versions are left on the server
- Migration or deployment scripts create temporary directories
- Automated tools generate log or cache directories
The security implications are severe:
- Attackers discover backup files containing complete site copies with outdated, vulnerable code
- Database dumps are accessible for download, exposing all user data
- Configuration files reveal database credentials and API keys
- Source code files show application logic and potential vulnerabilities
- The directory structure maps out the website architecture, aiding targeted attacks
- Information disclosure violates security best practices and compliance requirements
Our tool automatically checks 30+ common directories known to frequently have listing enabled, tests each path to see if directory listing is exposed, identifies the files visible in exposed directories, assesses the risk level based on directory type and sensitivity, and provides specific recommendations for disabling directory listing and protecting files.
Directories Checked for Listing Exposure
Our scanner tests common directory paths that frequently have listing enabled, categorized by risk level and purpose.
- Upload Directories (High Risk): /uploads/, /media/, /files/, /documents/, /images/, /img/ checked because these contain user-uploaded files often including sensitive documents, profile pictures with metadata, business documents, financial records, medical files in healthcare sites, legal documents in law firm sites, proprietary documents in corporate sites, PDFs that may contain confidential information, image files with EXIF data revealing GPS locations and camera info, uploads directory often writable allowing attackers to upload malicious files if accessible, example: e-commerce site with /uploads/ exposing customer invoice PDFs
- Backup Directories (Critical Risk): /backup/, /backups/, /old/, /archive/ scanned because backups are treasure trove for attackers, complete site backups contain all source code with any vulnerabilities, database dumps include all user data passwords payment information, configuration file backups have hardcoded credentials and API keys, old site versions may lack current security patches, automated backup tools often create predictable directory names, example: /backup/ directory containing site-backup-2024.zip available for download
- Temporary Directories (High Risk): /temp/, /tmp/, /cache/, /session/ checked as they accumulate sensitive residual data, temporary upload files before processing may contain unvalidated content, session files can include authentication tokens, cache files expose database queries and internal data, temporary logs reveal application behavior and errors, temp directories often world-readable with weak permissions, example: /tmp/ showing session files with user IDs
- WordPress Directories (High/Medium Risk): /wp-content/, /wp-content/uploads/, /wp-content/themes/, /wp-content/plugins/ examined because WordPress powers 40%+ of websites, uploads directory exposes all media library files, themes directory reveals theme code and potential vulnerabilities, plugins directory shows installed plugins and versions allowing targeted exploits, mu-plugins visible showing custom functionality, upgrade directory may contain WordPress update files, example: /wp-content/plugins/ listing all installed plugins for attackers to check for known vulnerabilities
- Include/Library Directories (Critical Risk): /includes/, /inc/, /lib/, /libraries/, /vendor/, /node_modules/ scanned as they contain application source code, includes directory has configuration files and sensitive functions, vendor directory from Composer exposes all PHP dependencies and versions, node_modules from npm shows JavaScript packages with potential vulnerabilities, library code reveals application architecture and logic, version information helps identify outdated vulnerable packages, example: /vendor/ exposing composer.json showing all dependencies
- Admin/Control Directories (Critical Risk): /admin/, /administrator/, /control/, /manage/ checked because administrative interfaces extremely sensitive, admin panels should require authentication not be browsable, directory listing confirms admin panel existence and location, may reveal admin scripts and management tools, shows backend file structure aiding privilege escalation, example: /admin/ listing admin.php, login.php, config.php files
- Static Asset Directories (Low/Medium Risk): /css/, /js/, /fonts/, /assets/, /static/, /public/ scanned though lower risk than others, generally safer to list as they contain public resources, but can reveal technology stack and versions from file names, source maps and debug files may be present exposing original code, minified files can be un-minified to understand application, example: /js/ showing app.js, vendor.js versions indicating frameworks used
- Data/Logs Directories (Critical Risk): /data/, /logs/, /log/ extremely dangerous if accessible, log files contain error messages revealing paths and configuration, access logs show visitor IPs and requests, application logs may include debugging information with credentials, data directories may contain database exports or CSV files, example: /logs/ exposing error.log with stack traces and file paths
- Download Directories (Medium Risk): /downloads/, /files/, /documents/ medium risk depending on content, intended for public downloads so listing may be acceptable, but often contains files meant to be linked not browsed, may include older versions or unreleased files, internal documents accidentally placed here, example: /downloads/ showing internal-training.pdf not meant for public
How to Use the Directory Listing Checker
Scanning your website for directory listing vulnerabilities is fast and reveals potentially serious security issues.
- Enter website URL: Input any website URL in the form field, tool automatically adds https:// if not provided, works with any domain and subdomain, can check your own sites or audit clients, accepts both http:// and https:// URLs
- Click Check Directory Listing: Tool automatically constructs base URL from domain, tests up to 15 common high-risk directories to avoid timeouts, makes HTTP requests to each directory path, checks response for directory listing indicators, processes results showing exposed paths, limits scan to prevent overwhelming your server
- View overall risk assessment: Large visual indicator shows security status, color-coded based on severity (red critical, orange high, yellow medium, green safe), displays total number of exposed directories, shows breakdown by risk category (critical, high, medium), immediate understanding of vulnerability state
- Check exposed directories list: Each exposed directory shown individually, displays full URL that's accessible to anyone, indicates risk level (critical for backups, high for uploads, medium for assets), shows count of files visible in the directory, provides sample file names that attackers can access, click URL to see actual directory listing in your browser
- Review exposed files: Expandable section for each directory showing actual file names, limited to first 20 files to prevent overwhelming display, file names give idea of what data is exposed, helps understand severity of each exposure, allows you to identify most sensitive disclosures
- Read security recommendations: Specific fix guides for Apache Nginx and IIS, step-by-step instructions with copy-paste code examples, explanation of each fix method and when to use it, best practices beyond just technical fixes, regular audit recommendations
- Copy or download report: Copy button puts full report on clipboard for easy sharing, download saves comprehensive analysis as text file, includes all exposed directories with risk levels, contains file samples and fix recommendations, suitable for security audit documentation and team sharing
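The detection step of the scan above ("checks response for directory listing indicators"), as an added Python example that is not the checker's own code: it decides whether a 200 response is an auto-index page (Apache mod_autoindex, nginx autoindex and lighttpd title it "Index of /…", Python's http.server "Directory listing for /…"), counts the listed entries, and maps the path onto the risk categories used on this page. The sample response bodies are constructed in the shape those servers produce, not captured traffic; paths outside the page's categories default to medium as an assumption.

```python
"""Heuristic detector for server-generated directory listings (added example)."""
import re

# Title text produced by common auto-index implementations: Apache mod_autoindex,
# nginx autoindex and lighttpd emit "Index of /path"; Python's http.server emits
# "Directory listing for /path". A 200 response with any other title is not a listing.
LISTING_TITLE = re.compile(r"^\s*(Index of /|Directory listing for /)", re.I)

# Risk categories for directory families, as listed on this page.
RISK_BY_PREFIX = {
    "critical": ("/backup", "/backups", "/old", "/archive", "/includes", "/inc", "/lib",
                 "/vendor", "/node_modules", "/admin", "/administrator", "/data", "/logs", "/log"),
    "high": ("/uploads", "/media", "/files", "/documents", "/temp", "/tmp", "/cache",
             "/session", "/wp-content"),
    "medium": ("/downloads",),
    "low": ("/css", "/js", "/fonts", "/assets", "/static", "/public"),
}

# Constructed sample bodies in the shape Apache and nginx produce (not captured traffic).
SAMPLE_APACHE = """<html><head><title>Index of /backups</title></head><body>
<h1>Index of /backups</h1><table>
<tr><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th></tr>
<tr><td><a href="/">Parent Directory</a></td><td></td></tr>
<tr><td><a href="site-backup-2024.zip">site-backup-2024.zip</a></td><td>2024-01-15 03:00</td></tr>
<tr><td><a href="db.sql">db.sql</a></td><td>2024-01-15 03:01</td></tr>
</table></body></html>"""
SAMPLE_NGINX = """<html><head><title>Index of /uploads/</title></head><body>
<h1>Index of /uploads/</h1><hr><pre><a href="../">../</a>
<a href="invoice-1001.pdf">invoice-1001.pdf</a>   15-Jan-2024 09:12   88213
<a href="2024/">2024/</a>                          15-Jan-2024 09:12       -
</pre><hr></body></html>"""
SAMPLE_HOME = "<html><head><title>Welcome</title></head><body><a href=\"about.html\">About</a></body></html>"


def listed_entries(body):
    """Relative entry names from href attributes; parent, sort-order and absolute links are dropped."""
    names = []
    for href in re.findall(r'href="([^"]+)"', body, re.I):
        if href.startswith(("?", "/", "#", "http://", "https://")) or href in ("..", "../"):
            continue
        names.append(href.rstrip("/"))
    return names


def risk_for(path):
    """Map a request path onto the page's risk categories; unlisted paths default to medium."""
    for level, prefixes in RISK_BY_PREFIX.items():
        if any(path == p or path.startswith(p + "/") for p in prefixes):
            return level
    return "medium"


def detect_listing(path, status, body):
    """Decide whether the response for `path` is an auto-index page and summarise what it exposes."""
    if status != 200:  # 403, 404 and redirects cannot be listings
        return {"path": path, "listing": False, "risk": "safe", "file_count": 0, "sample": []}
    match = re.search(r"<title>(.*?)</title>", body, re.I | re.S)
    is_listing = bool(match and LISTING_TITLE.match(match.group(1)))
    files = listed_entries(body) if is_listing else []
    return {"path": path, "listing": is_listing, "risk": risk_for(path) if is_listing else "safe",
            "file_count": len(files), "sample": files[:20]}  # the tool shows at most 20 names


if __name__ == "__main__":
    for args in (("/backups/", 200, SAMPLE_APACHE), ("/uploads/", 200, SAMPLE_NGINX),
                 ("/admin/", 403, ""), ("/", 200, SAMPLE_HOME)):
        print(detect_listing(*args))
```

A 403 or a redirect to an index page is treated as safe, which matches the "verify 403 Forbidden" test described in the fix guides; a title-based check can miss custom autoindex templates, so treat a negative result as a heuristic, not proof.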
Why Directory Listing is Dangerous
Enabling directory listing exposes website internals and creates multiple attack vectors for malicious actors.
- Reveals Sensitive Files: Backup files downloaded showing complete site source code, database dumps accessed exposing all user data, configuration files downloaded containing database credentials API keys, old versions of files may have removed security fixes, debug files expose application internals and secrets, example: backup.sql file visible in /backup/ directory downloadable by anyone
- Exposes Site Structure: Complete directory tree visible like file manager, reveals organization of application code and files, shows which technologies and frameworks in use, indicates security measures or lack thereof, helps attackers understand architecture before attacking, maps out admin areas and sensitive sections, example: directory listing showing /admin/, /api/, /private/ structure
- Information Disclosure Vulnerability: File names alone leak sensitive information, version numbers in filenames show if software outdated, temporary files reveal ongoing processes and data, log file names indicate what's being logged, metadata in directory listings provides clues, OWASP classifies this as security weakness, example: seeing debug-production.log indicates debug mode on production
- Facilitates Targeted Attacks: Attackers download all files for offline analysis, source code reviewed for vulnerabilities at leisure, specific file versions checked against CVE databases, backup files compared to production revealing what changed, configuration files analyzed for hardcoded secrets, example: downloading all files from /includes/ to find SQL injection points
- Enables Data Harvesting: User uploads downloaded en masse, customer documents accessed without authorization, invoices and financial records stolen, personal information collected from accessible files, competitive intelligence gathered from business documents, example: /uploads/ directory with thousands of customer invoice PDFs
- Reveals Technology Stack: Specific file extensions show programming languages (php, aspx, jsp), framework files indicate which framework and version, dependency directories expose all libraries used, helps attackers know which exploits to try, reveals potentially vulnerable outdated dependencies, example: /vendor/composer/ showing exact versions of all PHP packages
- Compliance Violations: PCI-DSS requires protecting cardholder data from unauthorized access, HIPAA mandates safeguards for protected health information, GDPR requires appropriate technical security measures, directory listing violates principle of least privilege, information disclosure fails security audits, regulatory fines possible if data accessed, example: directory listing exposing payment logs violates PCI-DSS
- Helps Reconnaissance: First step in many attack chains, provides inventory of all accessible files, shows what to target in next attack phase, reveals admin interfaces to attempt brute-force, indicates security posture and awareness, easier to exploit sites with poor security basics, example: attacker finding /phpmyadmin/ in listing then attempting default passwords
How to Disable Directory Listing
Properly securing directories requires disabling automatic index generation and implementing defense-in-depth measures.
- Apache .htaccess Method: Create .htaccess file in web root directory, add single line Options -Indexes to disable listing, minus sign removes Indexes from allowed options, apply to all subdirectories automatically, test by accessing directory URL to verify 403 Forbidden, example .htaccess: Options -Indexes, alternatively use Options -Indexes +FollowSymLinks to keep symbolic links working, restart not required for .htaccess changes
- Apache httpd.conf Global Configuration: Edit the main Apache config file at /etc/apache2/apache2.conf or /etc/httpd/conf/httpd.conf, find the <Directory> directive for your web root such as <Directory /var/www/html>, remove Indexes from the Options line, changing Options Indexes FollowSymLinks to Options FollowSymLinks (or use Options -Indexes +FollowSymLinks; Apache rejects a line that mixes signed and unsigned options, so Options -Indexes FollowSymLinks is invalid), apply globally to the entire server or to specific directory trees, restart Apache after config changes: sudo systemctl restart apache2, more permanent than .htaccess but requires server access
- Nginx Configuration: Edit nginx.conf or site-specific config in /etc/nginx/sites-available/, add autoindex off; directive in server or location block, location / { autoindex off; } disables for entire site, can disable globally or for specific paths, reload Nginx after changes: sudo nginx -s reload, test configuration first: sudo nginx -t, default is off so only needed if explicitly enabled
- IIS Web.config: Add configuration to web.config file in application root, use <system.webServer><directoryBrowse enabled="false" /></system.webServer>, applies to current directory and subdirectories, IIS automatically applies changes no restart needed, can also configure via IIS Manager GUI, check Directory Browsing feature and disable
- Add Index Files to Every Directory: Create blank index.html file in every directory, prevents listing even if server misconfigured, defense-in-depth approach works on any server, automated with find command: find . -type d -exec touch {}/index.html \;, blank HTML page better than blank file to avoid errors, shows blank page instead of file list, easy low-tech solution requiring no server config
- Use Empty index.php Files: For PHP sites use <?php /* Empty */ ?> in index.php, more appropriate than HTML for PHP applications, the comment-only file avoids PHP errors from an empty file, can redirect to the homepage: <?php header('Location: /'); exit; ?>, protects even if the web server allows overriding Options, the server resolves the directory index (index.php) before it would ever generate a listing, so the PHP file is served instead
- Set Proper File Permissions: Ensure directories not world-readable if they contain sensitive files, chmod 750 or 755 for directories (not 777 which is too permissive), chmod 644 for files (not 666 or 777), restrict web server user access to only necessary files, use chown to set correct ownership, verify with ls -la command
- Remove Unnecessary Directories: Delete old backup directories from web root entirely, move temp and cache directories outside document root, keep vendor and node_modules out of public web directory, archive old site versions to non-web-accessible storage, use .gitignore to prevent deploying development directories, regular cleanup of temporary and test directories
- Configure Default Document List: Apache DirectoryIndex index.html index.php default.html, Nginx index index.html index.htm index.php, IIS defaultDocument, ensures server looks for these files before showing directory, order matters - first found is used, include all used index file names in your application
- Monitor and Audit Regularly: Schedule monthly scans with our tool to catch new directories, monitor server logs for 404 errors on directory paths, check after CMS updates that add new directories, verify after deployment that new directories protected, penetration testing should include directory listing checks, employee training on not creating unprotected directories
Pro Tip
Always disable directory listing globally in your web server configuration (Apache httpd.conf or Nginx nginx.conf) rather than relying on .htaccess files in individual directories because global configuration can't be accidentally overridden or deleted, applies to all new directories automatically without manual intervention, provides defense-in-depth even if developers forget to add index files, and is more performant since server doesn't need to check for .htaccess in every directory. However, also implement the belt-and-suspenders approach by adding blank index.html or index.php files to every directory even with global protection because this provides redundancy if someone changes server config, works even if you migrate to different server without updating config, protects directories if .htaccess accidentally enables listing, and is visible reminder that directory shouldn't expose contents. For maximum security create a deployment checklist requiring that every new directory must have an index file, run automated checks during build process, use git pre-commit hooks to verify all directories have index files, and regularly scan with our tool to catch any missed directories. Pay special attention to directories created by automated processes: backup scripts creating /backup/ or /backups/, upload handlers creating user-specific /uploads/user-123/ subdirectories, cache systems generating /cache/sessions/, logging systems writing to /logs/2024-01/, package managers installing to /vendor/ or /node_modules/, CMS creating /wp-content/uploads/2024/01/, because these often bypass manual directory creation and developers forget to secure them. 
If you must allow directory listing for legitimate purposes like a download archive, create a dedicated subdomain downloads.example.com separate from main site, implement authentication requiring login before accessing, add watermarks or tracking to files to identify leaks, monitor access logs for suspicious download patterns, use robots.txt to prevent search engine indexing of file list, and consider using S3 pre-signed URLs instead which expire and are individually tracked. For WordPress sites specifically: add index.php to /wp-content/, /wp-content/uploads/, /wp-content/themes/, /wp-content/plugins/, consider using security plugin that automatically adds index files, disable XML-RPC if not needed as it can be abused, and keep WordPress and all plugins updated to latest versions. Remember that even with listing disabled, files can still be accessed if attacker knows or guesses the filename - so directory listing prevention is just one layer, must also implement proper authentication for sensitive directories, don't store sensitive files in web-accessible locations at all if possible, use .htaccess or nginx config to deny access to file types like .sql .bak .env .git, regularly audit what files exist in your web root, and implement Content Security Policy headers to restrict what can be loaded. Test your fixes by attempting to access directories both with and without trailing slash (/uploads and /uploads/) and verify both return 403 Forbidden rather than file listing or redirect to index file that shows listing if improperly configured.
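The "add an index file to every directory" mitigation from the fix list and the build-time or pre-commit check suggested in the Pro Tip, as an added Python example that is not part of the tool: it walks a document root, reports directories containing none of the configured index names, flags directory families this page says should not live under the web root at all, and can drop a blank index.html wherever one is missing. The sample web root is constructed under a temporary directory; the index names and the "should not be public" list are taken from this page.

```python
"""Audit a web root for directories with no index file, and optionally add one (added example)."""
import os
import tempfile

# Names a server treats as a directory index (the Apache DirectoryIndex / nginx index lists on this page).
INDEX_NAMES = ("index.html", "index.htm", "index.php", "default.html", "default.aspx")

# Directory families this page says should not sit under the web root at all: flag, do not patch.
SHOULD_NOT_BE_PUBLIC = ("backup", "backups", "old", "archive", "vendor", "node_modules",
                        "logs", "log", "tmp", "temp")

# A minimal valid page: serves a blank page instead of a listing without triggering errors.
BLANK_INDEX = "<!doctype html><html><head><title></title></head><body></body></html>\n"


def audit(root, index_names=INDEX_NAMES):
    """Return (missing, misplaced): dirs lacking any index file, and dirs that should not be web-served."""
    missing, misplaced = [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root).replace(os.sep, "/")
        rel = "" if rel == "." else rel
        if rel and os.path.basename(dirpath) in SHOULD_NOT_BE_PUBLIC:
            misplaced.append(rel)
        if not any(name in filenames for name in index_names):
            missing.append(rel or "/")
    return sorted(missing), sorted(misplaced)


def add_index_files(root, index_names=INDEX_NAMES, content=BLANK_INDEX):
    """Create a blank index.html in every directory that has no index file; return the patched dirs."""
    missing, _ = audit(root, index_names)
    for rel in missing:
        target = os.path.join(root, *([] if rel == "/" else rel.split("/")), "index.html")
        with open(target, "x", encoding="utf-8") as fh:  # "x": never overwrite an existing file
            fh.write(content)
    return missing


def build_sample_tree():
    """Constructed sample web root under a temp dir (not a real site) for running the audit offline."""
    root = tempfile.mkdtemp(prefix="webroot-")
    layout = {
        "index.php": "<?php /* home */ ?>",
        "uploads/invoice-1001.pdf": "%PDF-1.4 constructed",
        "uploads/2024/01/photo.jpg": "",
        "wp-content/plugins/index.php": "<?php /* Silence is golden. */ ?>",
        "css/site.css": "body{}",
        "backups/site-backup-2024.zip": "PK constructed",
    }
    for rel, data in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    webroot = build_sample_tree()
    missing, misplaced = audit(webroot)
    print("no index file:", missing)
    print("should not be web-accessible:", misplaced)
    print("patched:", add_index_files(webroot))
    print("still missing:", audit(webroot)[0])
```

Run audit() against the real document root in a pre-commit hook or CI step and fail the build when either list is non-empty; the misplaced list is the one to act on by moving the directory, since an index file only hides a backup folder that should not be served at all.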
FAQ
What is directory listing and why is it dangerous?
How do I disable directory listing on Apache?
How do I disable directory listing on Nginx?
Can I disable listing for some directories but not others?
Is it enough to just add index.html files to directories?
What directories are most dangerous if they have listing enabled?
Can search engines index my files if directory listing is enabled?
How often should I check for directory listing vulnerabilities?
Will disabling directory listing break my website?
What if I need to provide a list of files for downloads?
Can I get hacked just from having directory listing enabled?
Does our tool test all possible directories?