Community

Prevent File Browsing

I’ve got some sites that allow file browsing of the /assets/ folder. I’ve got other sites that do not allow this and present a 403 error. I’ve been comparing the various sites and cannot determine what is different about them. Some are on the same shared hosting service, same version of Modx, PHP, etc. and yet one allows it one does not. I’ve compared .htaccess files and find no differences that seem relevant.

I know this seems like kind of a basic issue, but I’m just not seeing it.

Any thoughts?

Do you have any media sources set up?

Thanks Ryan

No media sources. I’ve checked multiple sites on a variety of servers on a variety of modx versions, (all 2.6.5 or greater). Some sites allow it, some do not. It’s not an isolated situation. So I’m thinking it’s a configuration problem somewhere, e.g. missing/wrong .htaccess statement, missing index.html, etc.

Perhaps restrictive file permissions/file owners, or open_basedir restrictions while the folder in question contains a symlink (of the file type) to outside the basedir?

Perhaps I should clarify. I’m talking about being able to navigate the assets folder structure via a browser on the front-end. So the URL www.domain.com/assets/ will list all the files and folders within the assets/ directory and enable a user to navigate down to all folders.

So I’m trying to prevent this on those sites where this is possible. Again, not just a single site but several installations.

1 Like

Ah. That has nothing to do with MODX but is an Apache feature.

To disable it you can add this in your .htaccess file:

Options -Indexes
3 Likes

Thanks!

I suspected it was an apache thing. I’d googled it, tried a few things, but didn’t hit on the right thing.

So one more question. When I added this to one of my sites it goes to the mod-defined error page. On a couple of other sites, it produces a 403. Any idea how to get it to go to the error page defined in Modx? Again, I can’t tell what’s different.