How to not 'expose' directory tree by default
jgehrcke at googlemail.com
Fri Jan 18 12:21:44 UTC 2013
error 403 means that the location exists and access is not allowed while
404 means that the location does not exist.
Based on this, with mostly default settings, it is (in theory) possible
to determine the directory structure below the document root via
guessing or dictionary attack. This may or may not be considered a
security risk (what do you think?).
I know that there are ways to make nginx return 404 for specific
locations, including directories. In am wondering, however, if there is
a neat approach making nginx return 404 generally for each directory that
- has not explicitly enabled autoindex and
- contains no 'index' file (HttpIndexModule)
More information about the nginx