/media/pages is accessible by everyone

Hi!

Got pinged this morning by someone who spotted that ourdomain/media/pages is accessible by everyone.

How can I make sure it doesn’t happen?

Cheers


Add this in your .htaccess to prevent directory listings

 Options -Indexes 

Are you on shared hosting? This should actually be disabled by default.

If you have your own server, put this into the server configuration.

Awesome, thank you @texnixe!

If you are running your own server, and if it’s Apache on Ubuntu, you can run the commands below to make the change to your apache2.conf file.
It will edit the configuration file and remove the word Indexes from the Options line.

sudo sed -i "s/Options Indexes FollowSymLinks/Options FollowSymLinks/" /etc/apache2/apache2.conf

You can learn more here:

Actually, this is like using a sledgehammer to crack a nut. Changing server-wide configuration is not always a good idea. Better do this in a virtual host configuration, or, as @texnixe wrote, in your main .htaccess file of the given site, or create a new file .htaccess in your media folder and add only the line from @texnixe’s post above, which will turn off directory listing only for the media folder and below.

That’s not a good idea at all, because the media folder is basically a cache folder that is meant to be deleted at any time, for example, when updating Kirby. The folder is then automatically recreated. Putting the .htaccess there would mean having to think about recreating it every time you delete the media folder.

So the Kirby .htaccess or the vhost configuration are the best place for this. When I wrote server config, I actually meant the vhost config if available, but I admit the wording was wrong.

2 Likes
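The thread places `Options -Indexes` in a .htaccess file, a vhost or apache2.conf; the following is an added example (not posted by anyone in the thread) that audits whichever of those files you pass it for `Options` lines that still enable listings. The function name `find_indexes_enabled` and the sample paths are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: list Apache "Options" directives that leave directory
# listings enabled. It reads only the files it is given; it does not follow
# Include directives or work out which <Directory> block wins at merge time.

# Prints "file:line: directive" per hit. Returns 0 if any hit, 1 if none.
find_indexes_enabled() {
    awk '
        /^[ \t]*#/ { next }                      # skip comment lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            n = split(line, tok, /[ \t]+/)
            if (n < 2 || tolower(tok[1]) != "options") next
            for (i = 2; i <= n; i++) {
                t = tolower(tok[i])
                sub(/^[+]/, "", t)               # "+Indexes" == "Indexes"
                # "All" includes Indexes; "-Indexes" and "None" do not.
                if (t == "indexes" || t == "all") {
                    printf "%s:%d: %s\n", FILENAME, FNR, line
                    found = 1
                    break
                }
            }
        }
        END { exit(found ? 0 : 1) }
    ' "$@"
}

# Constructed sample (not a real server's configuration).
sample=$(mktemp)
cat > "$sample" <<'EOF'
<Directory /var/www/>
    Options Indexes FollowSymLinks
</Directory>
<Directory /var/www/site/media>
    Options -Indexes
</Directory>
EOF
find_indexes_enabled "$sample" || echo "no directory listings enabled"
rm -f "$sample"
```

Run it against the site's .htaccess, the vhost file and apache2.conf together; any line it prints is a place where listings are still switched on.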