Information
The autoindex module processes requests ending with the slash character. This feature enables directory listing, which could be useful in attacker reconnaissance, so it should be disabled.
Rationale:
Automated directory listings may reveal information helpful to an attacker, such as naming conventions and directory paths. Directory listings may also reveal files that were not intended to be revealed.
Solution
Perform the following to disable the autoindex module:
Search the NGINX configuration files (nginx.conf and any included configuration files) to find autoindex directives.
egrep -i '^\s*autoindex\s+' /etc/nginx/nginx.conf
egrep -i '^\s*autoindex\s+' /etc/nginx/conf.d/*
Set the value for all autoindex directives to off, or remove those directives.
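The search above lists every autoindex directive, including those already set to off, and only matches a directive that starts its own line. The script below is an added example, not part of the original audit procedure: it reports only directives set to on, skips commented-out lines, and also catches a directive written on the same line as its location block. The function names find_autoindex_on and make_sample_conf are hypothetical, and the sample configuration is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: report every "autoindex on" in the given NGINX config files.
# Exit status is 1 when at least one enabled directive is found, 0 otherwise.

find_autoindex_on() {
    # Prints "file:line: original text" for each finding.
    awk '
        {
            line = ";" tolower($0)        # leading ";" marks start of line
            sub(/#.*/, "", line)          # drop comments (audit heuristic)
            # directive must follow start of line, ";", "{" or "}"
            if (line ~ /[;{}][ \t]*autoindex[ \t]+on[ \t]*;/) {
                printf "%s:%d: %s\n", FILENAME, FNR, $0
                found = 1
            }
        }
        END { exit (found ? 1 : 0) }
    ' "$@"
}

make_sample_conf() {
    # Constructed sample config, not taken from a real server.
    cat > "$1" <<'EOF'
server {
    # autoindex on;
    location /files/ { autoindex on; }
    location /docs/ {
        autoindex off;
    }
    location /pub/ {
        autoindex On;
    }
}
EOF
}

# Demo: lines 3 and 8 of the sample are reported; lines 2 and 5 are not.
sample=$(mktemp)
make_sample_conf "$sample"
find_autoindex_on "$sample" || echo "autoindex is enabled: set it to off or remove it"
rm -f "$sample"
```

On a real host, pass the files named in the search step, for example find_autoindex_on /etc/nginx/nginx.conf /etc/nginx/conf.d/*.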
Default Value:
This module is not enabled by default.