How to prevent navigation via browser URL to my site's "/content" directory?

I recently realized that it is possible for anyone to navigate to my site’s /content directory by simply adding “/content” to the end of my website domain: curiositycoloredglasses.com/content

I tried preventing this by creating a content.php template and adding:
<?php if (!$site->user()) go('/') ?>
…which had worked great for preventing navigation to other directories (like where I am storing blog comments, wherein it re-routes automatically back to my home page), but is having no effect for “/content”!

I tested if any of the sites on Kirby’s “Showcase” could be navigated to their “/content” directory, but they can’t; instead they throw me a 403 page… which would be great if I could get mine to do that! The question is how?

This is important especially because it is affecting my Google Search Console results negatively. My Google Search Console account alerted me to this issue when it said these content directories had too small of type, for which it punishes my site as a whole within Google search result listings! See below


Any help will be accepted with open arms! Thanks in advance!

I think this is not expected behavior.
As far as I know, .htaccess takes care of protecting directories.

You could add this line to your .htaccess if you are using that file.

Options -Indexes

The content folder is not a page that is rendered anywhere; creating a template for it doesn’t make sense. And if indexing is not disabled, the same is true for the assets folder as well.

Usually, a server should actually by default be configured so that it doesn’t allow directory indexing. But unfortunately, that is not always the case.

1 Like

Found some articles about the topic:

https://getkirby.com/docs/developer-guide/security
https://getkirby.com/docs/cookbook/asset-firewall

Not sure if it’s updated though (they don’t address any specific version of Kirby).

Thank you both @texnixe and @heyallan! 😀

@texnixe I used your suggestion to add Options -Indexes into .htaccess and it worked great.

However, it is important to note that my .htaccess file already contained a line that should have been preventing my issue (but which was apparently not doing its job):
# block text files in the content folder from being accessed directly
RewriteRule ^content/(.*)\.(txt|md|mdown)$ index.php [L]
which is specifically mentioned in one of the Kirby articles shared by @heyallan.

Not sure if this is a Kirby bug that it wasn’t working?

No, that rule only sends all requests to txt files within the content folder through Kirby’s router; it doesn’t prevent directory listings.

Another way to prevent directory listings is to put index.html files into each folder, but in this case I’d use the .htaccess setting since you need the .htaccess anyway.

1 Like
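
An added example, not written by any poster in this thread and not Kirby's own code: a Python check of which request paths the RewriteRule quoted above actually matches, together with a classifier for responses to directory URLs that can be used to confirm `Options -Indexes` took effect. The sample paths and response bodies are constructed, and the "Index of /" title test assumes Apache's default mod_autoindex page.

```python
import re

# The pattern from the thread's .htaccess. In .htaccess (per-directory) context
# Apache matches it against the request path without the leading slash.
KIRBY_TXT_RULE = re.compile(r"^content/(.*)\.(txt|md|mdown)$")


def rule_matches(request_path: str) -> bool:
    """True if the RewriteRule would route this request to index.php."""
    return KIRBY_TXT_RULE.search(request_path.lstrip("/")) is not None


def classify(status: int, body: str) -> str:
    """Classify the response to a directory URL such as /content/."""
    if status == 403:
        return "forbidden"  # what Options -Indexes yields when no index file exists
    if status == 200 and re.search(r"<title>Index of /", body, re.IGNORECASE):
        return "listing"    # auto-generated directory index is being served
    return "other"


def exposed_directories(responses: dict) -> list:
    """Return the directory URLs whose response is an auto-generated listing."""
    return sorted(
        path
        for path, (status, body) in responses.items()
        if path.endswith("/") and classify(status, body) == "listing"
    )


# Constructed (status, body) pairs for illustration; not captured from any real site.
SAMPLE_RESPONSES = {
    "/content/": (200, "<html><head><title>Index of /content</title></head></html>"),
    "/assets/": (403, "<html><body><h1>Forbidden</h1></body></html>"),
    "/content/home/home.txt": (200, "<html><head><title>Home</title></head></html>"),
}

if __name__ == "__main__":
    for path in ("/content", "/content/", "/content/1-blog/post.txt",
                 "/content/1-blog/photo.jpg"):
        print(f"{path:28} matched by rule: {rule_matches(path)}")
    print("directories serving a listing:", exposed_directories(SAMPLE_RESPONSES))
```

The bare `/content` and `/content/` requests never reach the rule's file-extension match, which is why the listing stayed visible until `Options -Indexes` was added.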