Preventing Directory Listing – Apache
Using httpd.conf or .htaccess
Add the following lines to httpd.conf (inside the <Directory> block for the document root or the directory concerned) or to an .htaccess file in that directory (.htaccess requires AllowOverride Options and AllowOverride Indexes for these two directives):
    Options -Indexes
    IndexIgnore *
"Options -Indexes" turns off automatic directory listings; "IndexIgnore *" is a fallback that hides every file from any listing that is still generated.
Preventing Directory Listing – IIS
Add the following lines to web.config (IIS 7 and later):
    <configuration>
      <location path=".">
        <system.webServer>
          <directoryBrowse enabled="false" />
        </system.webServer>
      </location>
    </configuration>
http://msdn.microsoft.com/en-us/library/ff649337.aspx
http://blogs.iis.net/bills/archive/2008/03/24/how-to-enable-directory-br…
Directory listing is a web server feature that, when a request targets a directory containing no index file (such as index.php or default.asp), responds with a list of every file in that directory.
Some web administrators do not configure the web server to disable directory listing correctly, or do not disable it at all.
For instance, administrators may create complex configurations that allow directory listing only for particular directories or subdirectories. A mistake in such a configuration can unintentionally enable listing of directories that contain sensitive information.
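To make the misconfiguration above concrete, here is an added Python example (not code from the page) that computes the effective Options set for each <Directory> block of an Apache configuration and reports the directories where Indexes remains enabled. It applies Apache's merge rule: an Options line in which every token carries + or - merges with the inherited set, any other Options line replaces it, and Directory sections are evaluated from the shortest path to the longest. The configuration text is constructed for the example, the FollowSymLinks baseline is assumed from the Apache 2.4 documented default, and only <Directory> blocks and top-level Options lines are considered.

```python
import re

# Constructed httpd.conf fragment for this example (not from a real server).
# The global line disables listings, but the "reports" block uses an absolute
# Options line that silently re-enables them, and "uploads" adds them back
# with "+Indexes". Only "reports/archive" turns them off again.
SAMPLE_CONF = """
Options -Indexes
<Directory "/var/www/html">
    Options +FollowSymLinks
</Directory>
<Directory "/var/www/html/reports">
    Options Indexes FollowSymLinks
</Directory>
<Directory "/var/www/html/reports/archive">
    Options -Indexes
</Directory>
<Directory "/var/www/html/uploads">
    Options +Indexes
</Directory>
"""

ALL_OPTIONS = {"ExecCGI", "FollowSymLinks", "Includes", "IncludesNOEXEC",
               "Indexes", "MultiViews", "SymLinksIfOwnerMatch"}
ALL_EXPANDS_TO = ALL_OPTIONS - {"MultiViews"}   # "All" means everything except MultiViews
_CANON = {o.lower(): o for o in ALL_OPTIONS}    # option keywords are case-insensitive

_DIR_OPEN = re.compile(r'^\s*<Directory\s+"?([^">]+?)"?\s*>\s*$', re.I)
_DIR_CLOSE = re.compile(r"^\s*</Directory>\s*$", re.I)
_OPTIONS = re.compile(r"^\s*Options\s+(.+?)\s*$", re.I)


def _expand(name):
    """Map one option keyword to the set of options it denotes."""
    key = name.lower()
    if key == "all":
        return set(ALL_EXPANDS_TO)
    if key == "none":
        return set()
    if key not in _CANON:
        raise ValueError("unknown option: " + name)
    return {_CANON[key]}


def apply_options(inherited, directive_args):
    """Merge one Options line into the inherited set the way Apache does."""
    tokens = directive_args.split()
    relative = [t for t in tokens if t[0] in "+-"]
    if relative and len(relative) != len(tokens):
        raise ValueError("cannot mix relative and absolute Options: " + directive_args)
    if not relative:                       # absolute form: replaces the inherited set
        result = set()
        for t in tokens:
            result |= _expand(t)
        return result
    result = set(inherited)                # relative form: adjusts the inherited set
    for t in tokens:
        names = _expand(t[1:])
        result = result | names if t[0] == "+" else result - names
    return result


def parse_conf(text):
    """Collect top-level Options lines and the Options lines of each <Directory>."""
    global_lines, blocks, current = [], [], None
    for line in text.splitlines():
        m = _DIR_OPEN.match(line)
        if m:
            current = (m.group(1).rstrip("/") or "/", [])
            blocks.append(current)
        elif _DIR_CLOSE.match(line):
            current = None
        else:
            m = _OPTIONS.match(line)
            if m:
                (current[1] if current else global_lines).append(m.group(1))
    return global_lines, blocks


def effective_options(text, baseline=frozenset({"FollowSymLinks"})):
    """Effective Options per <Directory>: shortest path first, each block inheriting
    from its nearest enclosing block. The baseline is an assumption (Apache 2.4 default)."""
    global_lines, blocks = parse_conf(text)
    base = set(baseline)
    for args in global_lines:
        base = apply_options(base, args)
    effective = {}
    for path, lines in sorted(blocks, key=lambda b: len(b[0])):
        parent = base
        for other in sorted(effective, key=len, reverse=True):
            if path == other or path.startswith(other.rstrip("/") + "/"):
                parent = effective[other]
                break
        opts = set(parent)
        for args in lines:
            opts = apply_options(opts, args)
        effective[path] = opts
    return effective


def directories_with_listing(text):
    """Paths whose effective Options still include Indexes, i.e. listing is enabled."""
    return sorted(p for p, o in effective_options(text).items() if "Indexes" in o)


if __name__ == "__main__":
    for path, opts in effective_options(SAMPLE_CONF).items():
        print(path, sorted(opts))
    print("listing enabled:", directories_with_listing(SAMPLE_CONF))
```

Run against the sample, the check reports /var/www/html/reports and /var/www/html/uploads as still listable even though the server-wide line says -Indexes: the absolute "Options Indexes FollowSymLinks" discards the inherited setting entirely, which is the kind of unintended re-enabling the text describes.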
Setting the Secure Cookie Flag – Apache (mod_headers)
Add the following line to section 1 (Global Environment) of httpd.conf. It loads the headers_module module, which provides directives to control and modify HTTP request and response headers:
    LoadModule headers_module modules/mod_headers.so
After loading headers_module, add the following line to section 3 (Main Server Config) of httpd.conf. It rewrites every Set-Cookie response header so that the Secure attribute is appended:
    Header edit Set-Cookie ^(.*)$ $1;Secure
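The following Python example is added here to show what the Header edit directive above does to a set of response headers; it is not code from the page or from Apache. Apache's mod_headers uses PCRE, so the same pattern and backreference are applied with Python's re module. The sample headers are constructed, and the idempotent variant (which leaves cookies that already carry Secure untouched) is an assumption of this example rather than something the text prescribes.

```python
import re

# The directive from the text, expressed as a Python regex substitution.
PAGE_PATTERN = re.compile(r"^(.*)$")
PAGE_REPLACEMENT = r"\1;Secure"

# Idempotent variant (assumption of this example, not from the page): only rewrite
# Set-Cookie values that do not already carry a Secure attribute, and use the
# conventional "; " separator. The negative lookahead works in PCRE as well.
IDEMPOTENT_PATTERN = re.compile(r"^((?:(?!;\s*Secure\b).)+)$", re.I)
IDEMPOTENT_REPLACEMENT = r"\1; Secure"


def header_edit(value, pattern, replacement):
    """Apply a 'Header edit'-style substitution (first match only) to one header value."""
    return pattern.sub(replacement, value, count=1)


def has_secure(set_cookie_value):
    """True if the Set-Cookie value carries a Secure attribute (case-insensitive)."""
    return any(p.strip().lower() == "secure" for p in set_cookie_value.split(";")[1:])


def rewrite_response(headers, pattern, replacement):
    """Rewrite every Set-Cookie header in a list of (name, value) pairs and leave
    all other headers untouched, as the server-wide directive would."""
    return [(name, header_edit(value, pattern, replacement) if name.lower() == "set-cookie" else value)
            for name, value in headers]


# Constructed sample response headers (not captured from any real server).
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "PHPSESSID=0123abcd; Path=/"),
    ("Set-Cookie", "prefs=dark; Path=/; HttpOnly"),
    ("Set-Cookie", "csrftoken=xyz; Path=/; Secure"),
]


if __name__ == "__main__":
    for label, pat, rep in (("page directive", PAGE_PATTERN, PAGE_REPLACEMENT),
                            ("idempotent variant", IDEMPOTENT_PATTERN, IDEMPOTENT_REPLACEMENT)):
        print(label)
        for name, value in rewrite_response(SAMPLE_HEADERS, pat, rep):
            print("  %s: %s" % (name, value))
```

The directive as written appends ";Secure" unconditionally, so a cookie that the application already marks Secure ends up with the attribute twice; browsers tolerate this, but the idempotent pattern avoids it. Note also that Header edit with the default onsuccess condition is not applied to error and redirect responses; Header always edit covers those as well.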
Setting the Secure Cookie Flag – PHP
Add the following line to the page before session_start() is called, so that the session cookie is sent with the Secure flag:
    ini_set("session.cookie_secure", 1);
Alternatively, add the following line before session_start(); the fourth argument is the secure flag (the arguments are lifetime, path, domain, secure, httponly):
    session_set_cookie_params(0, "/", "", true, false);
Add the following code when creating a cookie; the sixth argument is the secure flag (the arguments are name, value, expires, path, domain, secure, httponly):
    setcookie("name", "value", 0, "/", "", true, false);
https://www.owasp.org/index.php/SecureFlag
http://php.net/manual/en/function.setcookie.php
http://php.net/manual/en/function.session-set-cookie-params.php
Setting the Secure Cookie Flag – ASP.NET
Create the cookie with its Secure property set to true (C#):
    HttpCookie cookie = new HttpCookie("name");
    cookie.Secure = true;
    cookie.Value = "Value";
    Response.Cookies.Add(cookie);
Alternatively, add the following to web.config to require the Secure flag on all cookies the application sets:
    <system.web>
      <httpCookies requireSSL="true" />
    </system.web>
Setting the Secure Cookie Flag – Java (Servlet)
Create a secure cookie by calling its setSecure method before adding it to the response:
    import javax.servlet.http.Cookie;

    Cookie newCookie = new Cookie("name", "value");
    newCookie.setSecure(true);
    response.addCookie(newCookie);
Alternatively, add the following lines to the project's web.xml (Servlet 3.0 or later) to make the session cookie secure:
    <session-config>
      <cookie-config>
        <secure>true</secure>
      </cookie-config>
    </session-config>
When a cookie is set with the Secure flag, the browser will only send it over an encrypted HTTPS (SSL/TLS) connection, never over plain HTTP. This is an important protection for session cookies.
The Secure flag is an option the application server can set when sending a new cookie to the user in an HTTP response. Its purpose is to prevent the cookie from being observed by unauthorized parties through transmission in clear text.
When a cookie is set with the HttpOnly flag, the browser will not expose it to client-side scripts; only the server can read it. This is an important protection for session cookies.
If the (optional) HttpOnly flag is set, the cookie cannot be accessed through client-side script, provided the browser supports the flag. As a result, even if a Cross-Site Scripting (XSS) flaw exists and a user accidentally follows a link that exploits it, the browser (primarily Internet Explorer) will not reveal the cookie to a third party.
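As an added verification example for the two flags described above (not code from the page), the following Python audits the Set-Cookie headers of a raw HTTP response and reports, per cookie, which of Secure and HttpOnly are missing. The response text is constructed for the example; SESSION_COOKIE_NAMES lists the default session cookie names of PHP, Java Servlet containers and ASP.NET so that a session cookie missing a flag is rated higher than a preference cookie, which is an assumption of this example about severity, not a statement from the page.

```python
# Constructed raw response, as a scanner or intercepting proxy would record it
# (not captured from any real server).
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Set-Cookie: JSESSIONID=A1B2C3; Path=/app
Set-Cookie: PHPSESSID=9f8e7d; Path=/; Secure; HttpOnly
Set-Cookie: theme=dark; Path=/; Max-Age=31536000
set-cookie: ASP.NET_SessionId=zz11; path=/; httponly
"""

# Default session cookie names of common platforms; a session cookie without
# these flags is the case the text is most concerned about.
SESSION_COOKIE_NAMES = {"phpsessid", "jsessionid", "asp.net_sessionid"}


def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, value, {attribute-lower: attribute-value}).
    Attribute names are case-insensitive (RFC 6265); flags such as Secure have no value."""
    parts = [p.strip() for p in value.split(";")]
    name, _, val = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, attr_val = part.partition("=")
        if key.strip():
            attrs[key.strip().lower()] = attr_val.strip()
    return name.strip(), val.strip(), attrs


def audit_response(raw):
    """One finding per Set-Cookie header: the flags it lacks, whether it looks like
    a session cookie, and a severity (high for a session cookie missing a flag)."""
    findings = []
    for line in raw.splitlines():
        hname, sep, hval = line.partition(":")
        if not sep or hname.strip().lower() != "set-cookie":
            continue  # status line and other headers are not cookies
        name, _, attrs = parse_set_cookie(hval.strip())
        missing = [flag for flag in ("secure", "httponly") if flag not in attrs]
        is_session = name.lower() in SESSION_COOKIE_NAMES
        severity = "high" if (missing and is_session) else ("medium" if missing else "ok")
        findings.append({"cookie": name, "missing": missing,
                         "session": is_session, "severity": severity})
    return findings


def cookies_missing(raw, flag):
    """Names of the cookies in the response that lack the given flag ('secure' or 'httponly')."""
    return [f["cookie"] for f in audit_response(raw) if flag in f["missing"]]


if __name__ == "__main__":
    for finding in audit_response(SAMPLE_RESPONSE):
        print(finding)
```

On the sample, JSESSIONID and ASP.NET_SessionId are rated high (session cookies that would travel in clear text or be readable by script), theme is rated medium, and PHPSESSID passes with both flags set. The same function can be run over headers captured from a staging server to confirm that the configuration changes described in the earlier sections actually took effect.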