How to not 'expose' directory tree by default
Jan-Philip Gehrcke
jgehrcke at googlemail.com
Fri Jan 18 12:21:44 UTC 2013

Hello,

Error 403 means that the location exists and access is not allowed while 
404 means that the location does not exist.

Based on this, with mostly default settings, it is (in theory) possible 
to determine the directory structure below the document root via 
guessing or dictionary attack. This may or may not be considered a 
security risk (what do you think?).

I know that there are ways to make nginx return 404 for specific 
locations, including directories. I am wondering, however, if there is 
a neat approach making nginx return 404 generally for each directory that
- has not explicitly enabled autoindex and
- contains no 'index' file (HttpIndexModule)

Thanks,
Jan-Philip
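
One way to get the behaviour asked about above, shown as an added example that is not part of the original post: nginx's error_page directive can rewrite the status of a generated 403 to 404. The server name, document root, /404.html page and /pub/ location are placeholders chosen for illustration.

```nginx
# Added example, not from the original post. Names and paths are placeholders.
server {
    listen 80;
    server_name example.test;      # placeholder
    root /var/www/html;            # placeholder document root

    # Default behaviour being changed: a request for /somedir/ where the
    # directory exists, has no index file and has autoindex off is answered
    # with 403, while a path that does not exist is answered with 404.

    # Answer every 403 generated in this server with status 404 instead.
    # This is broader than the two conditions in the post: it also covers
    # 403s caused by "deny" rules and by file-permission errors.
    error_page 403 =404 /404.html;

    location = /404.html {
        internal;                  # served only via error_page, not directly
    }

    # A directory that explicitly enables listing is unaffected, because
    # nginx produces a 200 listing there and no 403 is generated.
    location /pub/ {
        autoindex on;
    }
}
```

A request for an existing directory without the trailing slash (/somedir) is still answered with a 301 redirect to /somedir/, so the status rewrite alone does not make existing and missing directories indistinguishable. Compare the responses for an existing empty directory and a non-existent path, with and without the trailing slash, after reloading the configuration.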