Edit your server block:
location / {
    autoindex off;
}
To block parent directory access entirely:
# Deny any request whose normalized URI still contains a /../ segment
location ~ /\.\./ {
    deny all;
}
When directory indexing is enabled (autoindex), the server displays all files and subdirectories. Normally, the listing includes an entry like:
Parent Directory -
or
../
Clicking this takes you up one level.
An “exclusive” configuration means that the link to the parent directory is removed from the listing.
Lighttpd’s mod_dirlisting can show parent links. You can configure templates or disable the parent link in the listing module configuration, or serve custom index files.
In 2022, a mid-sized marketing firm hosted an "exclusive" client portal at https://firm.com/clients/exclusive/2024/. While the main login page was secured, a developer had created a subdirectory https://firm.com/clients/exclusive/2024/_backups/ and forgot to disable indexing.
A security researcher using the query "index of parent directory exclusive" _backups discovered:
The firm received a responsible disclosure and fixed the issue within 48 hours, but the lesson remains: One open parent directory can undo every other security measure.
The simplest fix: Place an empty index.html or index.php file in every directory you wish to hide.
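To find the directories that still need such a file, the following added example (not part of the original page) walks a document root and reports every directory with no index file, which is where a listing would appear whenever autoindex is on. The function names and the sample tree are constructed for illustration, and it assumes the server's index directive covers index.html and index.php.

```python
import os
import tempfile

# Assumption: these match the index files the web server is configured to serve.
INDEX_NAMES = ("index.html", "index.php")


def dirs_without_index(docroot, index_names=INDEX_NAMES):
    """Return URL-style paths of directories under docroot that hold no index file.

    Names are compared exactly (case-sensitive) and symlinked directories are
    not followed, which is os.walk's default behaviour.
    """
    exposed = []
    for current, subdirs, files in os.walk(docroot):
        subdirs.sort()  # deterministic traversal order
        if not any(name in files for name in index_names):
            rel = os.path.relpath(current, docroot)
            if rel == ".":
                exposed.append("/")
            else:
                exposed.append("/" + rel.replace(os.sep, "/") + "/")
    return exposed


def build_sample_tree(base):
    """Constructed layout modelled on the portal path in the case study above."""
    clients = os.path.join(base, "clients")
    exclusive = os.path.join(clients, "exclusive")
    portal = os.path.join(exclusive, "2024")
    os.makedirs(os.path.join(portal, "_backups"))
    # Every level gets an empty index.html except the forgotten _backups directory.
    for directory in (base, clients, exclusive, portal):
        open(os.path.join(directory, "index.html"), "w").close()
    return base


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for path in dirs_without_index(build_sample_tree(tmp)):
            print("no index file:", path)
```

Run it against the real document root by calling dirs_without_index with that path; an empty result means every directory has an index file.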