location /private autoindex off; # Alternative: Force a 403 error return 403;
| Query | What it finds | | :--- | :--- | | intitle:"index of" "database" | Open DB dumps | | intitle:"index of" "passwords" | Plaintext password files | | intitle:"index of" "ssh" | SSH keys | | intitle:"index of" "secret" | Misc sensitive folders | | -intitle:"index of" | Excludes directory listings (useful for narrowing) | | "Index of /" "last modified" "parent directory" | The classic raw directory signature | While the Panama Papers were a data breach involving proprietary software, many smaller leaks occur precisely because of open directory indexing. In 2021, a major US healthcare provider exposed over 200,000 patient records because a directory named /private/patient_data had directory listing enabled. The folder was not linked from their main site—it was simply sitting there, waiting for Google to find it via intitle:"index of" private . intitle index of private
The internet is a library, but not every book is meant to be read by everyone. intitle:"index of" private is a call to lock the back door before someone walks through it. location /private autoindex off; # Alternative: Force a