10

I've disabled directory listings like so...

Options -Indexes

When I try and access a directory like this:

www.example.com/secret/

I get a 403 Forbidden response.

However, I want a 404 Not Found response, so hackers can't guess my directory structure so easily. How would I do that?

Rik Heywood
  • http://en.wikipedia.org/wiki/Security_through_obscurity – ThatGraemeGuy Feb 28 '11 at 15:08
  • I realise that, but there is no point in making it easy for anyone, especially as it takes so little effort to make it harder. – Rik Heywood Feb 28 '11 at 17:22
  • @ThatGraemeGuy from the wiki, it says "...advise that obscurity should never be the *only* security mechanism". So it isn't advised against but just that you should secure your systems in other ways as well. – RisingSun Oct 05 '21 at 19:54
  • @RisingSun clearly it was. Obscurity is randomising the folder name. Security denies access (which it has). But we should not be spilling our guts to strangers. – mckenzm Dec 09 '21 at 05:46

5 Answers

9

Enable mod_rewrite and AllowOverride in /secret. Then create .htaccess:

RewriteEngine On
RewriteBase   /secret
RewriteRule   ^$ - [R=404,L]
ooshro

3

I've looked around the internet for an answer to a similar problem. While mod_rewrite is a possible solution, I find the best solution uses the "RedirectMatch" directive.

See StackOverflow: Problem redirecting 403 Forbidden to 404 Not Found

Kevin
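
An added example, not taken from any answer on this page, that puts the two approaches above side by side in a server-level config for Apache 2.4: the mod_rewrite rule generalised so that every directory without an index file returns 404 (not only one hard-coded path), and the RedirectMatch form for a single known path. The document root, the DirectoryIndex names and the "/secret" path are assumptions; adjust them to your own layout.

```apache
# Added example (not from the answers above). Assumes Apache 2.4, a document
# root of /var/www/html and the DirectoryIndex names listed here.
DirectoryIndex index.html index.php

<Directory "/var/www/html">
    # Without this, mod_autoindex would list the directory contents.
    Options -Indexes
    AllowOverride None
    Require all granted

    # Generalised form of the mod_rewrite answer: any request that maps to an
    # existing directory with no index file gets a 404 instead of the 403 that
    # "Options -Indexes" would otherwise produce. Per-directory rewriting runs
    # before mod_dir, so the usual trailing-slash redirect never happens either.
    RewriteEngine On
    RewriteCond %{REQUEST_FILENAME} -d
    RewriteCond %{REQUEST_FILENAME}/index.html !-f
    RewriteCond %{REQUEST_FILENAME}/index.php !-f
    RewriteRule ^ - [R=404,L]
</Directory>

# Alternative for one known path using mod_alias, as the RedirectMatch answer
# suggests; no mod_rewrite needed. A 404 status takes no target URL, and the
# trailing slash is optional so "/secret" and "/secret/" behave the same.
RedirectMatch 404 ^/secret/?$
```

Test with `curl -I http://www.example.com/secret/` and check for "404 Not Found" in the status line; an ErrorDocument 404 directive still applies to responses produced this way.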
1

Create a custom 403 script that returns an 404 error instead.

For example, in PHP:

<?php
// Replace the 403 status Apache set for this request with a 404 before any
// body is sent, so the client sees "Not Found" rather than "Forbidden".
header("HTTP/1.0 404 Not Found");
die("<h1>404 Not Found</h1>");
?>

Now configure Apache to use this script for 403 results:

ErrorDocument 403 /403.php

No messing with rewrites and it instantly works for the whole server.

Gerald Schneider
  • Won't this still display as a 403 for people scraping the server? – DevOpsSauce Aug 14 '18 at 16:04
  • No. The server will answer with a correct 404 error due to the `header()` command. – Gerald Schneider Aug 14 '18 at 17:10
  • -1, because your custom error message might be != your server error message (be it nginx or apache or whatever). This is the last solution if there is no way to configure your server or to use .htaccess files. Additionally this solution will not prevent you from DirBustering your website, because you still can distinguish such "custom error messages" from server error messages. – Awaaaaarghhh Mar 18 '20 at 19:56
  • @Awaaaaarghhh Customised 404's are very common nowadays, and there is never to be an expectation that everything is served from one server anyway (CNAME). – mckenzm Dec 09 '21 at 05:49
0

My solution to stop displaying a directory's contents as a list and display a 404 error instead is simple. Create a .htaccess file in the root directory of your project and write which directories should be protected.

Directory structure

- your_root_directory
  - .htaccess
  - 404.html
  - index.html
  - app
    - other files I do not want to show
  - models
    - other files I do not want to show

.htaccess

RewriteEngine On
RewriteRule   ^app/ - [R=404,L]
RewriteRule   ^models/ - [R=404,L]

ErrorDocument 404 /your_root_directory/404.html

The second line of .htaccess disallows access to the app directory and all its subdirectories.

The third line of .htaccess disallows access to the models directory and all its subdirectories.

The fourth line of .htaccess sets our own 404 error page (if you do not want to show the Apache default error).

Remember to clear cache on your browser when you work with htaccess.

-2

Use .htaccess to mask errors. See this guide:

http://www.tarahost.net/pages/web-design/29371.php

ed209
  • Whilst this may theoretically answer the question, [it would be preferable](http://meta.stackexchange.com/q/8259) to include the essential parts of the answer here, and provide the link for reference. This link is now dead and thus this answer is now useless – Mark Henderson Sep 26 '13 at 07:46