The web server must display a default hosted application web page, not a directory listing, when a requested web page cannot be found.

From Web Server Security Requirements Guide

Associated with: CCI-001312

SV-70289r2_rule The web server must display a default hosted application web page, not a directory listing, when a requested web page cannot be found.

Vulnerability discussion

The goal is to completely control the web user's experience in navigating any portion of the web document root directories. Ensuring all web content directories have at least the equivalent of an index.html file is a significant factor to accomplish this end.Enumeration techniques, such as URL parameter manipulation, rely upon being able to obtain information about the web server's directory structure by locating directories without default pages. In the scenario, the web server will display to the user a listing of the files in the directory being accessed. By having a default hosted application web page, the anonymous web user will not obtain directory browsing information or an error message that reveals the server type and version.

Check content

Review the web server documentation and deployed configuration to locate all the web document directories. Verify that each web document directory contains a default hosted application web page that can be used by the web server in the event a web page cannot be found. If a document directory does not contain a default web page, this is a finding.

Fix text

Place a default web page in every web document directory.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.