
I was curious as to why Options Includes Indexes is generally enabled by default in Apache configurations.

Anyone know why this is, as it's generally frowned upon for security reasons?

tacotuesday

1 Answer


Tradition?
Because it's always been that way?
Because the Apache project doesn't want to break existing sites?
Because you should really be reviewing your configuration before starting the server?

All of the above.


Some notes on the directives in question

Server-Side Includes (Includes) are generally frowned upon, particularly as there are better ways to generate dynamic content these days. If none of the content on your server uses them you have no real security risk exposure. Best practice is to turn them off in case someone manages to compromise your machine and uploads a page that uses them to do something nasty.

The bare Includes directive that Apache ships with is particularly bad in this regard as it allows you to execute programs (as the Apache user) as part of SSI directives. If you MUST have Server-Side Includes enabled you should evaluate whether you need the capability to run programs, and if not you should use IncludesNOEXEC in place of the bare Includes directive.


Automatic Index Generation (Indexes) is an information disclosure vulnerability: If there is no index file the server will happily list everything in the directory (including a link to .. to let you browse back up the tree).
Because of the directory-browsing link there's also the risk that a badly configured server will let users browse their way out of the web root and read something sensitive like /etc/passwd.

Having Indexes enabled isn't really much of a security risk if your server is configured properly (no sensitive information hanging around in the web root, no ability to browse your way out of the web root), and it can be a great thing for file servers (you don't have to maintain an index by hand), but if you don't need to generate automatic indexes turning it off is probably a good idea.

Do not rely on this as "security through obscurity" to protect you if your web server is poorly configured though: someone could still do http://example.com/../../../../../../../../etc/passwd for themselves on a system with suitably poor configuration choices.

voretaq7
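As an added example that is not part of the answer above: the permissive pattern the question asks about, beside a tightened equivalent that applies the answer's advice (drop Indexes where it isn't needed, prefer IncludesNOEXEC over bare Includes, and close off the filesystem root so nothing outside the web root can be served). Written in Apache 2.4 access-control syntax; the directory paths are assumed.

```apache
# Added example, not from the original answer. Apache 2.4 syntax; paths are assumed.

# --- Permissive pattern (what the question is asking about) ---
# Bare "Includes" permits SSI "#exec cmd" / "#exec cgi", i.e. running programs as the
# Apache user. "Indexes" lists directory contents whenever no DirectoryIndex file exists.
<Directory "/var/www/html">
    Options Includes Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

# --- Tightened equivalent ---
# Lock down the filesystem root first so nothing outside the web root is servable,
# whatever a later per-directory block or .htaccess adds.
<Directory "/">
    Options None
    AllowOverride None
    Require all denied
</Directory>

<Directory "/var/www/html">
    # -Indexes: no automatic listing when the index file is missing.
    # +IncludesNOEXEC: SSI still works for pages that need it, but "#exec cmd" and
    # "#exec cgi" are refused. Remove it entirely if nothing on the server uses SSI.
    Options -Indexes +IncludesNOEXEC
    AllowOverride None
    Require all granted
</Directory>

# Only a file-server tree that genuinely wants listings gets Indexes back.
<Directory "/var/www/html/downloads">
    Options +Indexes
    IndexOptions FancyIndexing
</Directory>
```

After changing the configuration, `apachectl configtest` (or `httpd -t`) checks the syntax before a restart, and requesting a directory without an index file should then return 403 rather than a listing.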