When run against default OpenBSD servers that have Apache enabled, vulnerability assessment software (Nessus, Rapid7, etc.) complains about "browsable web directories". The concern is that someone may accidentally place inappropriate files in the web directories that will then be visible to others. Would it be a good idea to remove the Indexes option from httpd.conf? Admins may enable the option later if they like:
# cvs diff -Nup httpd.conf Index: httpd.conf =================================================================== RCS file: /cvs/src/usr.sbin/httpd/conf/httpd.conf,v retrieving revision 1.26 diff -N -u -p httpd.conf --- httpd.conf 3 Jun 2009 18:28:21 -0000 1.26 +++ httpd.conf 12 Mar 2010 17:39:06 -0000 @@ -396,7 +396,7 @@ DocumentRoot "/var/www/htdocs" # Note that "MultiViews" must be named *explicitly* --- "Options All" # doesn't give it to you. # - Options Indexes FollowSymLinks + Options FollowSymLinks # # This controls which options the .htaccess files in directories can @@ -601,7 +601,7 @@ CustomLog logs/access_log common Alias /icons/ "/var/www/icons/" <Directory "/var/www/icons"> - Options Indexes MultiViews + Options MultiViews AllowOverride None Order allow,deny Allow from all
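Review bot: In the DocumentRoot hunk (@@ -396), the visible comment above the changed line covers the MultiViews caveat but says nothing about Indexes, so the file gives an admin no hint that listings were dropped on purpose or how to get them back. Suggest adding a comment line above `Options FollowSymLinks` stating that directory listings are off by default and that adding Indexes to this line re-enables them. The commit message should also mention the behaviour change: a directory under /var/www/htdocs that has no index file will be refused rather than listed.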
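Review bot: In the /var/www/icons hunk (@@ -601), `AllowOverride None` follows the changed line, so listings for this directory can only be restored by editing httpd.conf itself, not through .htaccess; that fits the intent but is worth saying in the commit message. The patch changes two Options lines only, so before committing, check the rest of httpd.conf for any other Directory block that still carries Indexes, otherwise the scanner finding will persist on a default install.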