How to stop Apache from listing the contents of my user directories

Question

I recently ran some penetration testing software on my web site and was surprised for it to report that one of my directory listings was publicly accessible.

Answer 1

You could create a .htaccess file in that directory, or have a <directory>...</directory> block in your Apache configuration that specifies:

Options -Indexes

See the Apache options directive documentation for more details.

Answer 2

There is a command in Apache that will make it show indexes.

Options +Indexes

Remove this, restart. This will make that url show a 403 Forbidden.