Exposure · Check
Directory listing enabled — disabling autoindex on your web server
When a web server answers a directory URL with an automatic index of its files, attackers (and search bots) can enumerate backups, config copies, log files, and forgotten test pages without guessing a single path. nginx ships with autoindex off, but legacy Apache configs (several distribution defaults set `Options Indexes` on the document root), hand-written vhosts, and S3-style buckets whose list permission is public often slip through with listing on.
Why it matters
Listing turns blind path guessing into a directory walk, so every stray `.bak`, `.old`, or `.sql.gz` becomes a one-click download. Disabling it is one config line (`autoindex off;` in nginx, `Options -Indexes` in Apache). With listing off, nginx answers a directory that has no index file with 403, which still confirms the directory exists; map that to a 404 (for example `error_page 403 =404 /404.html;`) so attackers cannot distinguish a real directory from a missing one.
Real-world risk
Attackers map backup files, config copies, and sensitive paths faster when indexes are exposed.
Fix steps (in order)
- Disable autoindex (nginx: `autoindex off;`, Apache: `Options -Indexes`) and return 403 or, preferably, 404 for directory URLs that have no index file.
- Verify that no storage buckets (public `ListBucket` on S3-style storage) or app servers still serve raw directory listings.
Verify the fix in 30 seconds
Run a Scorifya scan on the affected host after deploy. The same finding id (directory_listing_hint) clears once the directory URL no longer returns a listing to an external request.
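As an added example (not Scorifya's scanner and not code from the original page), the fix steps and the verification above in shell: a function that classifies an HTTP response as an exposed listing by the markers nginx's autoindex, Apache's mod_autoindex and an S3-style bucket listing emit, plus a curl wrapper to run against your own directory URLs after deploying `autoindex off;` / `Options -Indexes`. The sample responses are constructed, and the host in the usage comment is a placeholder.

```shell
#!/usr/bin/env bash
# Added example: detect an exposed directory listing from an HTTP response.
# Deploy first, e.g. nginx:  autoindex off;  error_page 403 =404 /404.html;
#                    Apache: Options -Indexes
# then run check_url against every directory URL the finding named.

# is_dir_listing STATUS BODY
# Returns 0 (true) when the server actually served (HTTP 200) a body that
# carries a listing signature; returns 1 otherwise.
is_dir_listing() {
    status="$1"
    body="$2"
    # A 403/404 page may mention "Index" in prose; only a 200 is a real listing.
    [ "$status" = "200" ] || return 1
    case "$body" in
        *"<title>Index of /"*)  return 0 ;;   # nginx autoindex, Apache mod_autoindex
        *"<h1>Index of /"*)     return 0 ;;   # same modules with a customised <title>
        *"<ListBucketResult"*)  return 0 ;;   # S3-style bucket listing (XML)
    esac
    return 1
}

# check_url URL
# Fetches the URL, prints a verdict, and returns 1 when a listing is exposed.
# A 403 still tells an attacker the directory exists, so it is flagged as a note.
check_url() {
    url="$1"
    tmp=$(mktemp)
    status=$(curl -s -o "$tmp" -w '%{http_code}' "$url")
    body=$(cat "$tmp")
    rm -f "$tmp"
    if is_dir_listing "$status" "$body"; then
        printf 'EXPOSED  %s (HTTP %s)\n' "$url" "$status"
        return 1
    fi
    if [ "$status" = "403" ]; then
        printf 'ok       %s (HTTP 403: listing off, but directory existence is confirmed; map 403 to 404)\n' "$url"
    else
        printf 'ok       %s (HTTP %s)\n' "$url" "$status"
    fi
    return 0
}

# Constructed sample responses (not captured from a real host) for an offline self-check.
NGINX_LISTING='<html><head><title>Index of /backups/</title></head><body>
<h1>Index of /backups/</h1><hr><pre><a href="../">../</a>
<a href="db-2023.sql.gz">db-2023.sql.gz</a></pre><hr></body></html>'
S3_LISTING='<?xml version="1.0" encoding="UTF-8"?><ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/"><Name>static-assets</Name><Contents><Key>config.bak</Key></Contents></ListBucketResult>'
FORBIDDEN='<html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center></body></html>'

# Offline self-check of the classifier; for a live host use e.g.:
#   check_url https://example.com/backups/      (placeholder host)
if is_dir_listing 200 "$NGINX_LISTING"; then echo "nginx sample: listing detected"; fi
if is_dir_listing 200 "$S3_LISTING";    then echo "s3 sample: listing detected"; fi
if ! is_dir_listing 403 "$FORBIDDEN";   then echo "403 sample: no listing"; fi
```

`check_url` exits non-zero on an exposed listing, so it can gate a deploy pipeline: loop it over the directory URLs from the finding and fail the job if any call returns 1.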