A common filename for such a page is
default.asp) even though it may be more appropriate to still specify the HTML output (
index.html.aspx), as this should not be taken for granted. An example is the popular open source web server Apache, where the list of filenames is controlled by the
DirectoryIndex directive in the main server configuration file or in the configuration file for that directory. It is possible to not use file extensions at all, and be neutral to content delivery methods, and set the server to automatically pick the best file through content negotiation
If the server is unable to find a file with any of the names listed in its configuration, it may either return an error (usually 403 Index Listing Forbidden or 404 Not Found) or generate its own index page listing the files in the directory. Usually this option, often named
autoindex, is also configurable.
A scheme where web server serves a default file on per-subdirectory basis has been supported as early as
welcome.htmlin addition to the NCSA-originated
In cases where no known
index.* file exists within a given directory, the web server may be configured to provide an automatically generated listing of the files within the directory instead. With the Apache web server, for example, this behavior is provided by the mod_autoindex module and controlled by the
Options +Indexes directive in the web server configuration files. These automated directory listings are sometimes a security risk because they enumerate sensitive files which may not be intended for public access, in a process known as a directory indexing attack. Such a security misconfiguration may also assist in other attacks, such as a path or directory traversal attack.
When accessing a directory, the various available index methods may also have a different impact on usage of OS resources (
Proceeding from fastest to slowest method, here is the list:
- using a static index file, e.g.:
- using a web server feature usually named autoindex (when no index file exists) to let web server autogenerate directory listing by using its internal module;
- using an interpreted file read by web server internal program interpreter, e.g.:
- using a CGI executable and compiled program, e.g.:
- "mod_dir - Apache HTTP Server". httpd.apache.org. Retrieved 2014-05-30.
- ASF Infrabot (2019-05-22). "Directory listings". Apache foundation: HTTPd server project. Retrieved 2021-11-16.
- "WWW-Talk Apr-Jun 1993: NCSA httpd version 0.3". 1997.webhistory.org.
- "NCSA HTTPd DirectoryIndex". January 31, 2009. Archived from the original on January 31, 2009.
- "Change History of W3C httpd". June 5, 1997. Archived from the original on June 5, 1997.
- "mod_dir - Apache HTTP Server Version 2.4 § DirectoryIndex Directive". httpd.apache.org. Archived from the original on 2020-11-12. Retrieved 2021-01-13.
- "NGINX Docs | Serving Static Content". docs.nginx.com. Archived from the original on 2020-11-11. Retrieved 2021-01-13.
- "Default Document <defaultDocument> | Microsoft Docs". docs.microsoft.com. Archived from the original on 2020-12-08. Retrieved 2021-01-13.
- "mod_autoindex - Apache HTTP Server Version 2.4". httpd.apache.org. Retrieved 2021-01-13.
- "core - Apache HTTP Server Version 2.4 § Options Directive". httpd.apache.org. Retrieved 2021-01-13.
- "IBM Docs". IBM. 2021-03-08. Retrieved 2021-05-07.
- "A6:2017-Security Misconfiguration". OWASP. Retrieved 2021-05-07.
- "Path Traversal". OWASP. Retrieved 2021-05-07.