Directory Listing - CybseSec vulnerability problem

Currently reading
Directory Listing - CybseSec vulnerability problem

Operating system
  1. Linux
  2. Windows
Mobile operating system
  1. Android
  2. iOS
Last edited:
Hi there.

I have DS120j. Installed WEB Station, Apache 2.4 and PHP 7.2. All up-to-date as of 15.12.2020.

Although WEB Directory browsing is disabled by default (cannot list directories under /web/* - directory under my control), if I enter mysite/icons/ OR mysite /icons/small/ I get following response:


Is there ANY way to prevent this listing ?

CyberSec company execued a PEN SCAN and voila - SEVERE vulnerability.

Another question - what are the needed steps/tutorial to include X-Frame-Options DENY header in the Apache response ? This was rated as MEDIUM vulnerability.

All modifications should be permanent, so restart of my NAS won't overwrite these settings with it's defaults.
If you google 'apache hide icons folder' you will see it is due to the default setup of Apache. If you try to get a directory listing of a folder that doesn't have an index.html file you should receive a 403 error.

Create an account or login to comment

You must be a member in order to leave a comment

Create account

Create an account on our community. It's easy!

Log in

Already have an account? Log in here.

Welcome to! is an unofficial Synology forum for NAS owners and enthusiasts.

Registration is free, easy and fast!