job.answiz.com
  • 4
Votes
name
name Punditsdkoslkdosdkoskdo

Disable directory listing with 404 instead of 403

I've disabled directory listings like so...

Options -Indexes

When I try and access a directory like this:-

www.example.com/secret/

I get a 403 Forbidden response.

However, I want a 404 Not Found response, so hackers can't guess my directory structure so easily. How would I do that?

My solution to stop displaying directory's content as list and display 404 error is simple. Create .htaccess file in root directory of your project and write which directories should be protected.

Directories structure

- your_root_directory
  - .htaccess
  - 404.html
  - index.html 
  - app
    - other files I do not want to show
  - models
    - other files I do not want to show

.htaccess

RewriteEngine On
RewriteRule   ^app/ - [R=404,L]
RewriteRule   ^models/ - [R=404,L]

ErrorDocument 404 /your_root_directory/404.html

The second line of .htaccess disallow access to list items in app directory and all its subridectories.

The third line of .htaccess disallow access to list items in models directory and all its subridectories.

The fourth of .htaccess line sets our own 404 error (if you do not want to show apache default error).

Remember to clear cache on your browser when you work with htaccess.

  • 2
Reply Report

Create a custom 403 script that returns an 404 error instead.

For example, in PHP:

<?php
header("HTTP/1.0 404 Not Found");
die("<h1>404 Not Found</h1>");
?>

Now configure Apache to use this script for 403 results:

ErrorDocument 403 /403.php

No messing with rewrites and it instantly works for the whole server.

  • 2
Reply Report