Server side data leaking in directories

Hello,

How can I keep directories on my site from displaying server side info?

In general, is there’s a jekyll hardening guide or something we can reference?

Nothing special when deployig the site just:

$ jekyll serve

I believe that is a webrick server thing which jekyll uses to serve the site - are you using it like this in production? I find it helpful when doing development, but certainly wouldn’t want it in production. I don’t use jekyll in production so it is no problem for me.

To get it to stop doing that I think you need to turn off directory browsing in webrick somehow.

To add more info - I think that you get the directory listing when a page is not found, rather than an error/ page not found, since I don’t think jekyll/webrick handles page not found.

has this line:

show_dir_listing: false maybe adding that into your config will work?

Thank you for your response!

Just tried adding show_dir_listing to my config and redeployed the server, but it didn’t work; still see the WEBrick info :cry:

did you have the false part on the end?

Yes, I did include the false switch.

huh. I just tried it on my site, and the only way I can get the directory listing is if I do
show_dir_listing: true without that setting it never shows, not even on page not found so I was wrong on my original post.

what version of jekyll?

what is your permalink setup? mine is to not show index.html - so /support/ would be my support page. With show_dir_listing: true that url shows the directory listing for some reason.

Right, forgot to mention the link I’m viewing is:

http://website.com/books/

Where the books dir is in the root of the site.

permalink in the config is simply set to date, this was the default set by the theme I’m trying out.

Jekyll version is 3.6.3 in Arch. Everything is upto date in latest versions.

Thanks again, appreciate you holding my hand thru this thus far.

ok, now I see the same thing as you do - that setting does not seem to stop it. Took me a minute to figure out how to reproduce it, apparently you need a directory without an index.html, but with other files/directories?

do you have an idex.html file at /books/?

:smiley:

Adding a blank index.html to the books directory solves the issue. Thank you so much!

haha - good, love the easy fix, I think you could also use something else to serve rather than jekyll, and then you could have more control over the server settings.

as for that setting, I found:

“show_dir_listing” => ["–show-dir-listing",
“Show a directory listing instead of loading your index file.”,],

which kind of sounds like that setting is the opposite of what I thought - if there is an index, don’t show it, show a directory list instead.

Is it possible to PM here? This site is overkill with the JS i(n my opinion), I got a headache looking for a messaging system.

Any chance you use ricochet? https://ricochet.im

Just have a few (basic) jekyll/server questions for you unrelated to this particular topic.Would love to pick your brain.

If not, thanks again. You were extremely helpful.

ha ha, if you click on a users icon you can send a message - i think.

Not on ricochet, happy to help if I can, though I am at work so not always a quick response. I would just post in here a list of questions, people are pretty friendly, and while I may have been helpful others know much more than I do.