Kirby 2.3 shows files in my directory?

In Kirby 2.2 on my server

Screenshot below…

In Kirby 2.3 on my localhost after upgrade:

Screenshot below…

I feel much better with having it Forbidden. The htaccess file seems to still be the same. I copied the new htaccess file in anyway, no difference.

Is it a new bug or a new feature?

That should not happen. I tested this on a Kirby nightly and am properly redirected to the start page.

I also used nightly. Hmm, maybe it’s just my localhost environment. I’ll test this again in the real server after I’ve fixed all the issues on the site with 2.3. Thumbnails are messed up almost everywhere…

Thanks for testing!

First, sorry to bump this!

@jenstornell were you able to confirm this is only happening on a local dev and not live? I’m getting ready to push my dev live and ran across this.

I’ve attached a PDF to download on one of my pages, clicked the link, opened it up and traversed back up the URL, and I get the directory listing. If I click on the default.txt it throws a Kirby error.

(file: lance-nickel-resume.pdf text: Download Resume)

I just re-downloaded the latest Kirby 2.4.1 and uploaded the new htaccess and the results are still the same. Am I missing something?

Thanks!!!

Ok I bumped this because I had the same issue and I prematurely deleted it because I saw @jenstornell’s issue was on his dev. BUT, I’m getting the same issue on a LIVE server. My directories are open. How do I prevent that from happening?

Thank you!!!

Directory indexes are usually protected by Apache server settings.

You can try to put this into your .htaccess:

Options -Indexes

thank you!!

Cool that took care of it for me with an access denied page. I set a redirection within the hosting panel for any access to the content url.

@lance1572 @texnixe

I can confirm 3 things:

  1. It was not just my localhost. I moved that site to another host. Now I had the same problem.
  2. The solution with Options -Indexes worked perfectly even for my site. :slight_smile:
  3. Security is important. That’s why I also added it to my Kirby htaccess rules repo.

How many hosts are set up like this? If it’s like 50%, I think maybe Options -Indexes should be added to the htaccess file as default, because of security reasons. What do you think of that?

1 Like
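A way to verify the fix discussed above, as an added example that is not part of this thread or of the Kirby project: the first function audits an .htaccess text for an Options directive containing -Indexes (including combined forms such as Options -Indexes +FollowSymLinks), the second classifies the HTTP response a content directory URL returns, and the third fetches a URL with urllib and runs that classification. The sample responses and .htaccess snippets are constructed for the example, and the directory path /content/projects is a hypothetical one.

```python
"""Added example (not from the Kirby forum thread or the Kirby project):
check that a content directory no longer returns an Apache directory
listing once `Options -Indexes` is in .htaccess."""
import re
import urllib.error
import urllib.request

# Apache's mod_autoindex pages carry a title of the form
# "<title>Index of /content</title>"; that is what we look for.
AUTOINDEX_RE = re.compile(r"<title>\s*Index of /", re.IGNORECASE)


def htaccess_disables_indexes(htaccess_text: str) -> bool:
    """True if an active (not commented-out) Options directive in the
    .htaccess text contains -Indexes, e.g. 'Options -Indexes' or
    'Options -Indexes +FollowSymLinks'."""
    for raw in htaccess_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        if tokens[0].lower() == "options" and any(
            t.lower() == "-indexes" for t in tokens[1:]
        ):
            return True
    return False


def classify_response(status: int, body: str) -> str:
    """Classify the response for a directory URL:
    'listing'   - 200 with mod_autoindex markup: the directory is exposed
    'forbidden' - 403: listing disabled (expected after the fix)
    'redirect'  - 3xx: e.g. a redirect configured in the hosting panel
    'other'     - anything else (a normal page, a 404, ...)"""
    if status == 200 and AUTOINDEX_RE.search(body):
        return "listing"
    if status == 403:
        return "forbidden"
    if 300 <= status < 400:
        return "redirect"
    return "other"


def check_directory(url: str, timeout: float = 10.0) -> str:
    """Fetch a directory URL of your own site and classify it.
    This is the only function here that needs network access."""

    class NoRedirect(urllib.request.HTTPRedirectHandler):
        # Returning None makes urllib raise HTTPError for a 3xx instead
        # of following it, so the redirect is reported as such.
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None

    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            body = resp.read(4096).decode("utf-8", "replace")
            return classify_response(resp.status, body)
    except urllib.error.HTTPError as err:
        body = err.read(4096).decode("utf-8", "replace")
        return classify_response(err.code, body)


# Constructed sample data (not captured from any real site).
SAMPLE_LISTING = (
    "<html><head><title>Index of /content/projects</title></head>"
    '<body><h1>Index of /content/projects</h1><a href="default.txt">'
    "default.txt</a></body></html>"
)
SAMPLE_FORBIDDEN = (
    "<html><head><title>403 Forbidden</title></head>"
    "<body><h1>Forbidden</h1></body></html>"
)
SAMPLE_HTACCESS_BEFORE = "RewriteEngine on\n# Options -Indexes\n"
SAMPLE_HTACCESS_AFTER = "Options -Indexes +FollowSymLinks\nRewriteEngine on\n"

if __name__ == "__main__":
    print(classify_response(200, SAMPLE_LISTING))            # listing
    print(classify_response(403, SAMPLE_FORBIDDEN))          # forbidden
    print(htaccess_disables_indexes(SAMPLE_HTACCESS_BEFORE))  # False
    print(htaccess_disables_indexes(SAMPLE_HTACCESS_AFTER))   # True
    # check_directory("https://example.com/content/") -> one of the four labels
```

Run check_directory against the content directory of a site you operate before and after adding the directive: "listing" means the host still exposes the directory, "forbidden" is the result the thread describes after the fix, and "redirect" is what the hosting-panel redirection mentioned above would produce.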

It’s a typical case where I’m not sure if it really makes sense to put it in our htaccess. Public servers should never be set up to have index listing enabled. If we take care of all such potential configuration issues, the htaccess would be huge and we’d be responsible for all possible additional issues in our setup suggestion. Normally the responsibility for this is clearly on the sys admin side and not on the CMS side. But of course we want to help to keep people’s websites safe. It’s complicated.

1 Like

My suggestion is to put that information into the security part of the docs (securing your site). But move the security docs further up the tree instead of hiding it in the developer section, maybe integrate it in the installation section.

3 Likes

Some time ago it was discussed here in the forum to add a new page in the panel to show information for the admin role with configuration errors and hints for security.

What do you think about this?

@bastianallgeier

I see your point of view and you are probably right about it. :slight_smile: Just to have a second opinion I asked my host provider about what they think about it and this is a short version of their reply (Google Translate):

Some customers want the directory listing and some do not want it, so therefore we have it from the beginning […] We will take up a discussion internally if we are to turn the global directory listing or continue to have it enabled.

I can also add that this is one of the most trusted and respected hosting providers in Sweden and I use their shared hosting service.

@texnixe

Good idea. :slight_smile: The only problem with it will probably be for people to actually read it and make their site secure. I mean, it’s boring reading for most people and most people only read exactly what they need to have it set up and working.

@anon77445132

Yes, but maybe that would result in the same problem as Bastian talked about? I mean a checklist for security errors could end up with false positives, because it will not be possible to cover every single security hole on the environment. Just by installing a plugin Kirby could possibly be hacked. Therefore I think it’s a bad choice to have it built in.

  1. Endless job to keep it updated, unlimited possible security problems.
  2. If it says a big green “OK”, then I will think my site is safe while it might not be.

However I think it would be great if someone really dedicated to this would like to make it as a plugin.

… at https://github.com/getkirby-plugins

Yes, I agree.

Having a page in the panel does not help people who do not use the panel.

But honestly, people should read the docs. I think there is a certain responsibility you simply have as a developer, especially when doing client work. Setting up the server in the right way is only part of the job. Getting forms right without sacrificing security another. And a lot more stuff.

1 Like

I have read several new users’ posts, who know nearly nothing from the docs and from this forum.

If the Kirby team provides such a team solution, many issues here would be solved by installing like @jenstornell’s idea (or like my idea). This would avoid or shorten many silly questions here… :slight_smile:

@bastianallgeier:
What do you think?

ADDED:
@jenstornell’s idea of a plugin makes an update of the plugin independent from the time of the next Kirby update!

A plugin will have the same issues, will have to be updated all the time, is even less likely to be updated regularly than an inbuilt solution, and the problem with false positives remains. And people would have to read the docs to know there is such a plugin and install it.

IMHO, it should not be Kirby’s job to ensure server integrity.

@jenstornell I’m a bit surprised your hosting provider does not turn directory listing off by default with an option to turn it on if needed for whatever reason, as this is definitely the safer option, considering that many people are not even aware of it.

1 Like

For the public perception of a CMS I think

is very important or can prevent potential decision-makers from using Kirby.

Look for security holes of other CMS in the internet and the IT forums…

@bastianallgeier:
What do you think?

I can tell you that most of the popular hosting providers here in the States have directory listing turned on by default.

@anon77445132 there is no such thing as a silly or dumb question.

In this case, it was not in the docs and I read the docs. Coming from WP, this is already set in the htaccess. I’m not saying it needs to be set in Kirby, but for some of us who aren’t that technically savvy when it comes to sys admin processes, there should be some mention in the docs. Possibly some things Kirby does not do for you from the get go.

1 Like

@texnixe @anon77445132

it should not be Kirby’s job to ensure server integrity.

Alright. Just make it clear in the installation guide as you suggested and it will probably be fine. :slight_smile:

A plugin will have the same issues

Yes, if it’s a Kirby core plugin. I was thinking of a third party plugin approach. It would be different because:

  1. The responsibility for it would not fall on the Kirby crew.
  2. Our expectations of a plugin are not at the same level as the core. We see it more like a helper tool than something we can trust completely.
  3. The plugin author can also add “We are not responsible for…” in their docs.

As a third party plugin I think it could be neat. Better to get some advice than no advice at all. After all, not everyone is an experienced sysop. For example, I’m not, but I can build a website. :slight_smile:

@lance1572

I can tell you that most of the popular hosting providers here in the States have directory listing turned on by default.

The world is divided into two different approaches. It still seems that we agree that an installation guide including security steps is the way forward.

Third-party plugins still need to be maintained and it is even less likely that this happens with third-party plugins than with core plugins.
Also please note that many users don’t differentiate between “core” and “third-party”. They will see “Kirby security plugin”, stop reading and install it and be happy without realizing that having such a plugin might not even make their site more secure at all or even less secure.

Also note that you can’t reliably detect every possible security issue. Doing security right is the job of experienced professionals. It is also the job of good hosting providers but if your hosting provider does not do anything here it means that your responsibility is even larger. You can’t replace a professional with a quick security checking plugin.

1 Like