Directory listing functionality is enabled by default on many web servers. And, depending on your host, it will be more or less easy to deactivate it.

The following test is performed on a localhost server where it is enabled by default. If someone wants to see the contents of our module directory, they just have to fill in their path in their browser. He will then be able to access the list of PHP files and therefore search if some contain security vulnerabilities.

In my case, the URL is:

http://localhost/prestashop/modules/welcome/

If I enter it in the address bar of my browser, the screen in the figure below is displayed:


In order to modify this behavior, add an index.php file in each directory. In

in our case, it will be in the following directories:


• /modules/welcome/

• /modules/welcome/anyfolder/


You can leave the index.php files empty or fill them with the following code:

<?php
header("Location: ../");
exit;

If you administer the web server, you can also choose to disable this option

or use an .htaccess file to disable this feature.

Pass your module back to the validator: the number of errors in the Security section should have

decreases.