Security

Preventing snooping with .htaccess

When a visitor requests a directory on your site, say http://www.example.com/foo/, and the webserver doesn't find a DirectoryIndex file such as "index.html" or "index.php" in "foo", Apache will by default generate a listing of the directory's contents, so the visitor can browse your directory tree. Personally, I think this should be OFF by default, and only enabled if you really want people to browse your files freely. Fortunately, it is easy to turn off. All you have to do is place the following line in your .htaccess file:

Options -Indexes

If you place this in the .htaccess at the root directory of your site, it applies to every directory underneath it (Apache merges per-directory configuration from the top down, so a subdirectory inherits the parent's Options unless it overrides them). Note that your host's server configuration must permit this with AllowOverride Options (or AllowOverride All); if it doesn't, Apache refuses the .htaccess and answers requests for that directory with a 500 Internal Server Error rather than silently ignoring the line. Then, for any directories you do want people to browse, you can re-enable listings by placing an .htaccess in that particular directory containing:

Options +Indexes

If you only want to hide certain files from the listing (rather than turning the listing off), you can do that with:

IndexIgnore *.php *~

(This example hides .php files and *~ [editor backup] files from the listing. IndexIgnore only affects what the listing shows; anyone who already knows the filename can still request it directly, so it is no substitute for proper permissions or Options -Indexes.)

I was a little surprised to find that my webhost didn't set "Options -Indexes" by default, so it's a good thing to check.
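To make that check concrete, here is an added example (my own script, not code from the original post) that audits a document root the way Apache would evaluate it: it walks every directory, applies the Options [+-]Indexes inheritance rules from each .htaccess top-down, merges IndexIgnore patterns, and reports which directories have no index file and Indexes still in effect, together with the names a listing would expose. The sample site is constructed inline in a temporary directory; the DirectoryIndex filenames and the default IndexIgnore patterns are assumptions, since stock httpd configurations vary.

```python
"""
Audit an Apache document root for directories that mod_autoindex would list.

Added example: walks the docroot, applies the Options [+-]Indexes merge rules
from each .htaccess, merges IndexIgnore patterns, and reports browsable
directories with the names a listing would show.  INDEX_FILES and
DEFAULT_IGNORE are assumptions; the sample docroot is constructed below.
"""
import fnmatch
import os
import tempfile

INDEX_FILES = ("index.html", "index.htm", "index.php")  # assumed DirectoryIndex
DEFAULT_IGNORE = (".??*", "*~")  # assumed subset of a stock autoindex.conf IndexIgnore


def parse_htaccess(path):
    """Return (Options tokens, IndexIgnore patterns) from one .htaccess; empty if absent."""
    tokens, ignores = [], []
    if not os.path.isfile(path):
        return tokens, ignores
    with open(path, encoding="utf-8", errors="replace") as fh:
        for raw in fh:
            line = raw.split("#", 1)[0].strip()
            if not line:
                continue
            parts = line.split()
            if parts[0].lower() == "options":
                tokens.extend(parts[1:])
            elif parts[0].lower() == "indexignore":
                ignores.extend(parts[1:])
    return tokens, ignores


def apply_options(inherited, tokens):
    """Merge an Options line into the inherited set using Apache's rule:
    +/- tokens adjust the parent's set, unsigned tokens replace it entirely
    (so a bare 'Options FollowSymLinks' in a subdirectory also drops Indexes)."""
    if not tokens:
        return set(inherited)
    signed = [t[0] in "+-" for t in tokens]
    if any(signed) and not all(signed):
        raise ValueError("Apache rejects mixing signed and unsigned Options")
    current = set(inherited) if all(signed) else set()
    for tok in tokens:
        sign, name = (tok[0], tok[1:].lower()) if tok[0] in "+-" else ("+", tok.lower())
        if name == "all":
            names = {"indexes", "followsymlinks", "execcgi", "includes", "multiviews"}
        elif name == "none":
            names = set()
        else:
            names = {name}
        current = current | names if sign == "+" else current - names
    return current


def listing_names(entries, ignore_patterns):
    """Names mod_autoindex would show: everything not matched by an IndexIgnore pattern."""
    return [e for e in entries if not any(fnmatch.fnmatchcase(e, p) for p in ignore_patterns)]


def audit(docroot, server_options=("indexes",)):
    """Map each directory (relative to docroot, '/' separated) to the names a listing
    would expose, or None when it is not browsable.  server_options models the
    server-level Options the .htaccess files inherit; the stock 'All' includes
    Indexes, which is why listings are on unless you turn them off."""
    report = {}

    def walk(dirpath, options, ignores):
        tokens, own_ignores = parse_htaccess(os.path.join(dirpath, ".htaccess"))
        options = apply_options(options, tokens)
        ignores = tuple(ignores) + tuple(own_ignores)  # IndexIgnore merges with the parent's list
        entries = sorted(os.listdir(dirpath))
        rel = os.path.relpath(dirpath, docroot).replace(os.sep, "/")
        browsable = "indexes" in options and not any(f in entries for f in INDEX_FILES)
        report[rel] = listing_names(entries, ignores) if browsable else None
        for name in entries:
            sub = os.path.join(dirpath, name)
            if os.path.isdir(sub):
                walk(sub, options, ignores)

    walk(docroot, set(server_options), DEFAULT_IGNORE)
    return report


def build_sample_docroot(harden_root=True):
    """Constructed sample site: 'foo' has no index file, 'downloads' deliberately
    re-enables listings but hides PHP and backup files.  harden_root=False omits
    the root .htaccess, i.e. the state the post found at the webhost."""
    root = tempfile.mkdtemp(prefix="docroot-")
    files = {
        "index.html": "<h1>home</h1>\n",
        "foo/secret.txt": "not meant to be browsed\n",
        "foo/config.php~": "editor backup\n",
        "downloads/.htaccess": "Options +Indexes\nIndexIgnore *.php *~\n",
        "downloads/tool.tar.gz": "",
        "downloads/handler.php": "<?php ?>\n",
        "downloads/notes.txt~": "",
        "downloads/old/stale.zip": "",
    }
    if harden_root:
        files[".htaccess"] = "Options -Indexes\n"
    for rel, body in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for label, hardened in (("without root .htaccess", False), ("with Options -Indexes at the root", True)):
        print(f"== {label}")
        for rel, shown in audit(build_sample_docroot(hardened)).items():
            print(f"{rel:16} {'LISTABLE: ' + ', '.join(shown) if shown is not None else 'not browsable'}")
```

Without the root .htaccess the script flags "foo" as listable (showing secret.txt, with the backup file hidden only by the default ~ pattern); with Options -Indexes at the root, "foo" becomes unbrowsable while "downloads" and everything beneath it stay listable because the +Indexes there re-enables them. On a live site the equivalent check is simply to request the directory URL: with Indexes off and no index file, Apache answers 403 Forbidden instead of a listing.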

A little PHP security

I've been picking up a few things about securely running PHP apps while getting the site up and running. I am by no means a PHP security expert, but I thought I'd write down the things I've found out so far so I can find them again when I forget. The first big thing that bothered me was that I had to make all my files world-readable to get anything to work. This bugged me, so I searched around a while for a better way to do it.
