IndexIgnore * or Options -Indexes

Asked 27/12, 2012 at 23:27 Answered 27/3, 2024 at 19:56

I've always used Options -Indexes to disable directory listing through .htaccess. However, I have seen people using IndexIgnore * instead. What's the difference? Which is better than the other?

Manualmanubrium answered 27/12, 2012 at 23:27 Comment(0)

The IndexIgnore directive is a pattern where files in a directory that has Indexes turned on won't show up in the auto-index if they match the pattern.

Say for example, we have a directory, foo, and inside that directory, we have an .htaccess file, and 3 files, a, b, and c.

If in the htaccess file there is Options -Indexes, then by going to http://mysite.com/foo/, I will get a 403 Forbidden response, because there is no index file (index.html, index.php, etc) and auto-index is turned off via -Indexes.

If in the htaccess file there is IndexIgnore b, then by going to http://mysite.com/foo/, I will get an auto-index response listing the files, a and c. The b file will be missing because it has been ignored. If we have IndexIgnore * in the htaccess file instead, and we go to http://mysite.com/foo/, we'll get an auto-index file that is blank, since all files have been ignored.

As for which is better, it depends on what you want. They do fundamentally two different things. Do you want auto-indexes? If not, turn it off Options -Indexes. If so, leave it on. If you don't want some things to show up in an auto-index, then use IndexIgnore.

Theodolite answered 28/12, 2012 at 0:55 Comment(6)

So why do some people solely use IndexIgnore *? Wouldn't it be better to use Options -Indexes instead? – Manualmanubrium 28/12, 2012 at 1:4

Does IndexIgnore * display the index screen, but with no files then? – Manualmanubrium 28/12, 2012 at 2:45

@bungeshea Correct, you still see the auto-index page but with no files. – Theodolite 28/12, 2012 at 3:9

Thanks. Do you know if there are any performance differences? – Manualmanubrium 28/12, 2012 at 3:16

@bungeshea I don't have any benchmark numbers but I'm sure it is miniscule. – Theodolite 28/12, 2012 at 3:18

I am facing a problem where IndexIgnore * just doesn't work; Options -Indexes does. Do you know why? – Brockwell 18/1, 2017 at 10:53

There's one additional advantage of IndexIgnore * over -Indexes that's worth noting.

Sometimes it's necessary for automation to determine if a directory exists, via a GET or a HEAD request, but listing the contents of the directory would be a security issue. If you do a GET or HEAD on a directory, and have -Indexes turned on, Apache will return a 403.

However, if you put in a +Indexes, but turn on IndexIgnore *, directories that exist will return a 200 to a HEAD of GET response, but any files or directories within that directory will not be listed in a GET

Huzzah answered 27/3, 2024 at 19:56 Comment(0)

Recommended topics

Hot tags