Warning · security

Directory Listing Enabled

Why directory listing (autoindex) is a security risk in Nginx.

What This Rule Checks

This rule checks if `autoindex` is enabled on any location block.

Why It Matters

Directory listing exposes your file structure to anyone who requests a directory URL that has no index file. Attackers can discover backup files, configuration files, and other sensitive content that shouldn't be publicly accessible.

Bad — Triggers this rule

```nginx
location /files {
    root /var/www;
    autoindex on;
}
```

Good — Passes this rule

```nginx
location /files {
    root /var/www;
    autoindex off;
    try_files $uri $uri/ =404;
}
```

How to Fix

Disable autoindex on your locations in Configen, or set `autoindex off;` in your Nginx config. If you need a file browser, consider a dedicated application with access controls.
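To audit an existing config for this rule, the following added example (not Configen's own implementation) parses the block structure and reports every location whose effective `autoindex` is on. It goes one step beyond the rule as stated by also following nginx's directive inheritance, so a location that picks up `autoindex on;` from an enclosing block is reported too. The function names and the sample config are constructed for illustration.

```python
import re

# Comments, quoted strings, structural characters, bare words (in that order).
TOKEN = re.compile(r'#[^\n]*|"(?:\\.|[^"\\])*"|\'(?:\\.|[^\'\\])*\'|[{};]|[^\s{};]+')

# Constructed sample config, not taken from a real deployment.
SAMPLE = """
server {
    autoindex on;                 # set once here, inherited by locations below
    location /files { root /var/www; }
    location /static { autoindex off; }
    location /pub {
        # autoindex on;           (commented out, must not match)
        location /pub/drop { autoindex on; }
        autoindex off;            # applies to /pub regardless of position
    }
}
"""

def parse_blocks(conf_text):
    """Build a tree of blocks, recording the autoindex value set directly in each."""
    root = {"head": ["main"], "autoindex": None, "children": []}
    stack, words = [root], []
    for tok in TOKEN.findall(conf_text):
        if tok.startswith("#"):
            continue
        if tok not in ("{", "}", ";"):
            words.append(tok)
            continue
        if tok == "{":
            node = {"head": words, "autoindex": None, "children": []}
            stack[-1]["children"].append(node)
            stack.append(node)
        elif tok == "}" and len(stack) > 1:
            stack.pop()
        elif tok == ";" and len(words) == 2 and words[0] == "autoindex":
            stack[-1]["autoindex"] = words[1].strip("\"'").lower() == "on"
        words = []
    return root

def find_listing_locations(conf_text):
    """Return (location, reason) for each location whose effective autoindex is on."""
    findings = []
    def walk(node, inherited):
        own = node["autoindex"]
        effective = inherited if own is None else own
        if node["head"][:1] == ["location"] and effective:
            findings.append((" ".join(node["head"][1:]), "explicit" if own else "inherited"))
        for child in node["children"]:
            walk(child, effective)
    walk(parse_blocks(conf_text), False)
    return findings
```

It does not resolve `include` directives, so run it over each included file or over the merged output of `nginx -T`.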
