how do I prevent a bare directory display of files 1

sharkatek

Programmer
Mar 11, 2005
51
I want to use the "403 Access Forbidden" type response to keep someone from trying to see a bare directory list of files. Can anybody help me? I use Front Page and have no experience with css. Thank-you in advance!
 
Hmmm... CSS must have gotten more powerful since I last used it, but I don't think it can do what you're asking. CSS is simply for formatting pages. I think you want to change the response type returned to the user. Look into turning off directory browsing in IIS or Apache. Otherwise, you can change the response header in ASP or PHP, etc.
 
Thank-you, but how do I turn off directory browsing? And how do I change a response header? Do I create a regular .htm file with the "forbidden" message?
 
Read TheInsider's post again. All you need to know is there. If you don't understand specific details, then you could try using Google to search for yourself.

To come back and basically re-ask your original question without seeming like you've bothered to do so shows you haven't really tried to help yourself.

Dan



Coedit Limited - Delivering standards compliant, accessible web solutions

Dan's Page @ Code Couch
 
I've done it before, but it's one of those things you don't do on a regular basis, so I can't remember off the top of my head. Don't worry about changing the response type... that would only work if you had a default page in the directory, and you were using dynamic pages like ASP.

You just need to configure your web server to prevent directory browsing. It's simple to do. Ask the question in the IIS or Apache forum and they'll be able to tell you. Or you can Google "turn off directory browsing in X" (where X is the server you're using)
 
Thank-you for your KINDNESS and patience, Insider. If I knew as much as you and some other people in this forum, I guess I would not have to ask any questions. I'll keep searching to try to get this to work for me. Maybe the control panel provided by the host company will give me the option to turn off directory browsing. At least now I know what key words to look for. Thanks again.
 
No problem. It is odd that your host has this feature turned on by default, since it's rarely useful. However, you should be aware that turning off that feature doesn't stop people from accessing the content in that directory. For that, you would need to set up security permissions or move sensitive content out of the shared folder.
 
I went to my host control panel and found the place to create a 403.shtml -- I just cannot figure out how to activate it. I'm still able to see all files in a randomly selected folder. I've put the 403.shtml in an /errors/ folder. I HAVE been searching and reading online, but it seems there is some key piece of instruction missing.

Below is the code in my 403.shtml file that I copied from one that seemed pretty generic:

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>403 Access Forbidden</TITLE>
<style type="text/css">
<!--
h1 {
font-family:Verdana, Arial, Helvetica, sans-serif;
font-size: 24px;
color:#333333;
line-height:19px;
font-weight: 200;
text-transform: uppercase;
}

p {
font-family:Verdana, Arial, Helvetica, sans-serif;
font-size: 11px;
color:#333333;
line-height:19px;
}

-->
</style>
</HEAD>
<BODY><BR>
<H1>Access Forbidden</H1>
<P>Access denied. Please click on the back button to return to the former page.</P>
</BODY></HTML>
 
Well, the server will never serve the 403 page because your site allows everyone to access everything. Unless you actually set a flag in the server telling it to deny directory browsing or set up security authentication on the server, the client will always be able to view the directory listing. If you were hosting this website on your own computer, and thus using IIS or Apache, I could tell you where to go to configure these options.

However, the situation you're in is difficult because you don't have access to the server, regardless of what type of server it is. Therefore, one of two possibilities exists for you. 1) Your host was savvy enough to realize that customers might want to turn this feature off, so somewhere in your configuration software they've buried an option to do this. 2) They haven't provided you with a way to do this, so you'll have to contact them and see if they'll manually set it up for you.

One hack that may work for you is to simply place a default page in every folder. Most servers are configured to first look for a default.htm or default.html page whenever a client omits a page. For example, say your site is normally accessed like this:


Now, say you want to keep people from browsing /theinsider folder. Like so:


If you place a default.htm or default.html page in /theinsider folder, then the above URL would cause the server to first look for default.htm, and since it's there, the server would send them that page instead of a directory listing. It's not the same thing as throwing the 403 error, but it prevents a directory listing.

Of course, that assumes your host's server is configured to act that way. IIS does this by default.
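
The default-page workaround described above only helps in folders that actually contain a default document, so one missed folder still shows its file list. The following is an added example, not code from any poster in this thread: a small audit that walks a local copy of the site and reports every folder with no default document. The list of default-document names is an assumption taken from the names mentioned in this thread, the function names are illustrative, and the sample site is constructed.

```python
import os
import tempfile

# Assumption: names taken from this thread; the server's real default-document
# list depends on its configuration. Matching is exact-case, so a folder is
# flagged rather than missed when the server's file system is case-sensitive.
DEFAULT_DOCS = ("default.htm", "default.html", "index.htm", "index.html")


def dirs_without_default(webroot, default_docs=DEFAULT_DOCS):
    """Return sorted URL-style paths of folders under webroot that hold no
    default document and would show a listing if browsing is enabled."""
    wanted = set(default_docs)
    exposed = []
    for current, _subdirs, files in os.walk(webroot):
        if wanted.isdisjoint(files):
            rel = os.path.relpath(current, webroot)
            url = "/" if rel == "." else "/" + rel.replace(os.sep, "/") + "/"
            exposed.append(url)
    return sorted(exposed)


def build_sample_site(base):
    """Create a constructed sample site tree under base for the demo."""
    layout = {
        "": ["default.htm", "about.htm"],
        "images": ["logo.gif"],              # no default document
        "scripts": ["index.html", "menu.js"],
        "scratchpad": ["notes.txt"],         # no default document
        "scratchpad/old": ["index.htm"],
    }
    for rel, files in layout.items():
        folder = os.path.join(base, *rel.split("/")) if rel else base
        os.makedirs(folder, exist_ok=True)
        for name in files:
            with open(os.path.join(folder, name), "w") as fh:
                fh.write("placeholder\n")
    return base


def audit_sample():
    """Run the audit over the constructed sample site."""
    with tempfile.TemporaryDirectory() as tmp:
        return dirs_without_default(build_sample_site(tmp))


if __name__ == "__main__":
    for path in audit_sample():
        print("no default document:", path)
```

A clean report only means no folder will show a listing; as noted earlier in the thread, every file is still served to anyone who requests its URL directly.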
 
that DID it!!! I used your suggestion of the default.htm and that takes care of the problem. thank-you!
 
If you want to drive a woodscrew and you don't have a screwdriver handy you can also use a hammer. However it would be a lot better and more professional to get a screwdriver.

Contact your webhost and find out how to turn off directory browsing. We are all supposed to be professionals here - the site is not designed for home users, which is what Dan was referring to.

___________________________________________________________
If you want the best response to a question, please check out FAQ222-2244 first.
'If we're supposed to work in Hex, why have we only got A fingers?'
Drive a Steam Roller
Steam Engine Prints
 
"If you place a default.htm or default.html page in /theinsider folder, then the above URL would cause the server to first look for default.htm, and since it's there, the server would send them that page instead of a directory listing. It's not the same thing as throwing the 403 error, but it prevents a directory listing."

Yep, that's what I do -- as well as an "index.htm" and "index.html". They all redirect back to the proper directory (although I could easily have them redirect to Dennis Nedry's "magic word" error from Jurassic Park, if I felt it was worth the effort).

I do that for my subdirectories, to keep people from randomly browsing my images or scripts, or (more importantly) my scratchpad folders, etc.

Edward

"Cut a hole in the door. Hang a flap. Criminy, why didn't I think of this earlier?!" -- inventor of the cat door
 
Thank-you johnwm and Edward. I'm using the default.htm and that's working great. It may be a wood screw hammered in, but it is easy and effective.

Diane
 
The truth is the latter solution is probably your only option. If your host already provided you with some mechanism to configure your website, then my guess is they probably won't allow for custom configurations.
 