Reputation: 1963
In your opinion what is the best way to protect directory listing from external users?
Option 1: Blank index. This is the standard way that I have seen on several sites; it has the advantage of not showing anything but the disadvantage of implying that there is something there.
Option 2: 404. Send a fake 404 page and redirect. Can this cause problems with web crawlers?
Option 3: 401 error and redirection. This is similar to the blank index, except that it will show an "unauthorized" header. I think this will be a very bad option (because I'm implicitly saying that there is something important inside), but I would like to hear your thoughts on this too.
Thanks for your help. If you know any other option that I might use, please tell me as well.
Upvotes: 1
Views: 151
Reputation: 34002
The 'best' way is to disable directory listing on the server (this will normally cause a 403 error; see error 404 in the following list for discussion of information leakage).
The easiest way is a blank page (normally index.html or index.htm).
Other options with returning error codes:
403 (forbidden) is the default in Apache httpd and I think this is better than a blank page.
404 is for 'not found', which is not the case here (could be used if nobody knows that the directory exists in order to prevent disclosure, but if people know it exists it doesn't make any sense, as its existence is already known) and
401 (authentication required) doesn't make any sense in any case.
Other considerations
Some browsers do not display custom error pages. If you want to provide a link to the main page (or somewhere else), a 'blank' page containing a link or a direct 301/302 redirect could be used.
Upvotes: 1
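An added example, not part of the original question or answer: a Python check that sorts the response a server gives for a directory URL on your own site into the cases discussed above (generated listing, blank index, 401, 403, 404, redirect) and reports where listing is still enabled. The function names, the `(status, headers, body)` tuples and the sample paths are constructed for illustration; it assumes the "Index of /" title that Apache mod_autoindex and nginx autoindex put on generated listings.

```python
import re

# Apache mod_autoindex and nginx autoindex both title generated listings
# "Index of /<path>". On Apache httpd, `Options -Indexes` turns them off.
LISTING_TITLE = re.compile(r"<title>\s*Index of\s+/", re.IGNORECASE)
TAGS = re.compile(r"<[^>]*>")


def classify(status, headers, body):
    """Map one response for a directory URL to the option it implements."""
    if status == 200:
        if LISTING_TITLE.search(body):
            return "listing-exposed"
        # No visible text left after stripping markup: the blank index file.
        if not TAGS.sub("", body).strip():
            return "blank-index"
        return "index-page"
    if status in (301, 302):
        return "redirect:" + headers.get("Location", "?")
    return {401: "auth-required", 403: "forbidden",
            404: "not-found"}.get(status, "other:%d" % status)


def audit(responses):
    """Return (sorted exposed paths, {path: classification})."""
    results = {path: classify(*resp) for path, resp in responses.items()}
    exposed = sorted(p for p, r in results.items() if r == "listing-exposed")
    return exposed, results


# Constructed sample responses (status, headers, body); not real captures.
SAMPLES = {
    "/uploads/": (200, {}, "<html><head><title>Index of /uploads</title></head>"
                           "<body><h1>Index of /uploads</h1></body></html>"),
    "/images/": (200, {}, "<html><body></body></html>"),
    "/includes/": (403, {}, "<h1>Forbidden</h1>"),
    "/backup/": (404, {}, "<h1>Not Found</h1>"),
    "/private/": (401, {"WWW-Authenticate": "Basic"}, ""),
    "/old/": (302, {"Location": "/"}, ""),
}

if __name__ == "__main__":
    exposed, results = audit(SAMPLES)
    for path, result in sorted(results.items()):
        print(f"{path:12} {result}")
    print("directory listing still enabled on:", exposed)
```
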