CPanel defaults to listing indexes of directories!

SonLight

New member
Not sure where this should be posted. I think we should *warn* new webmasters that by default, their sites will display an index of the files in a folder if there is no index page stored there. I was surprised; I consider it a substantial security risk. Of course I may have a folder or two that I'd like to have auto-indexed, but I think security should be the default, convenience the explicit choice, in this case.

I have set the folders I have to "no index", but presumably I will need to fix each new folder I make, since I can't set that as the site default (as far as I know). Also, the feature seems to be limited to changing one folder at a time. It would be nice if CPanel would add the ability to "apply this to all subfolders" so I could do it in one shot.

It appears that the www folder was set up "no index" by default. I wondered if the assumption was that if you want a secure site you serve only out of www, and if so, do subfolders there automatically get "no index" status unless overridden?

At some point, it looks like I will need to read a good book about using cPanel if I want to apply best practices to my website.
 

Genesis

Administrator
Staff member
Thanks for the feedback @SonLight. I know one can fix the directory security in cPanel as you do too, but was unaware that cPanel could be set up differently so there is no file directory shown by default - like wouldn't that provide a problem in reverse? I've had hosting from other providers, including premium providers too, and haven't seen it different yet. I'd be interested to know how one sets the directory by default, so if you know of a different way cPanel needs to be set up, let us know. I'll then bring it to the attention of @un4saken.
 

SonLight

New member
I think a warning about potential insecurity is the minimum we should try to provide; just consider that feature when documentation is updated.

Overkill to forbid by default? There is a site-wide option, which I think can be set to forbid auto-index by default. If that were set, and new folders were created with the 'site default' choice (actually I'm not sure of the details) then sites would be more secure unless the site webmaster chose to overrule it. But suppose gigarocket forbid all auto-indexing without allowing an override. There could still be scripts loaded as web pages which could produce a similar index, and you could provide options like index all files of type x or all except type y.
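
For the per-folder "no index" settings and the subfolder question raised in this thread, here is an added example (not part of any post above, and not cPanel's own code) that audits a document root for folders that would be served as a file listing. It assumes an Apache server that honors `Options` lines in `.htaccess` files and lets them inherit to subfolders; the `INDEX_FILES` list, the `default_indexes` starting state and the sample tree are constructed for illustration.

```python
import os, re, tempfile

# Assumed DirectoryIndex list; match it to the server's real configuration.
INDEX_FILES = {"index.html", "index.htm", "index.php"}
OPTIONS_RE = re.compile(r"^[ \t]*Options[ \t]+(.*)$", re.I | re.M)

def apply_options(text, inherited):
    """Return the Indexes state after the Options lines of one .htaccess."""
    state = inherited
    for match in OPTIONS_RE.finditer(text):
        toks = [t.lower() for t in match.group(1).split()]
        if "-indexes" in toks:
            state = False
        elif "+indexes" in toks:
            state = True
        elif toks and not any(t[0] in "+-" for t in toks):
            # An unsigned list replaces the inherited options outright.
            state = "indexes" in toks or "all" in toks
    return state

def audit(docroot, default_indexes=True):
    """List directories under docroot that would be served as a listing."""
    docroot = os.path.normpath(docroot)
    state, exposed = {}, []
    for path, dirs, files in os.walk(docroot):
        dirs.sort()  # deterministic order; parents are visited first
        eff = state.get(os.path.dirname(path), default_indexes)
        if ".htaccess" in files:
            with open(os.path.join(path, ".htaccess"), errors="replace") as fh:
                eff = apply_options(fh.read(), eff)
        state[path] = eff
        if eff and not INDEX_FILES & set(files):
            exposed.append(os.path.relpath(path, docroot))
    return exposed

def demo():
    """Build a constructed sample tree and audit it."""
    with tempfile.TemporaryDirectory() as root:
        for d in ("images", "private/backups/public"):
            os.makedirs(os.path.join(root, d))
        for rel, body in (("index.html", "<h1>home</h1>"),
                          ("private/.htaccess", "Options -Indexes\n"),
                          ("private/backups/public/.htaccess", "Options +Indexes\n")):
            with open(os.path.join(root, rel), "w") as fh:
                fh.write(body)
        return audit(root)

if __name__ == "__main__":
    print(demo())
```

In the sample tree, `private/backups` is not reported because it inherits `-Indexes` from `private`, while `private/backups/public` is reported because its own `.htaccess` turns listings back on.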