Ensure the autoindex directive is set to off (autoindex off;) inside your server block.
Many popular web servers, including Apache and Internet Information Services (IIS), traditionally shipped with directory browsing turned on by default. If an administrator deploys a server without hardening its security settings, the directories remain open to the public.
Flawed Content Management System (CMS) Plugins
Automated scripts can download entire directories in seconds, feeding private imagery into facial recognition databases or public forums.
If you are a website owner or system administrator, finding this article might be your first warning. Here is how to ensure your "private images" stay private.
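Setting autoindex off; in the server block is not sufficient if an enclosing http block or a nested location sets it to on, because the value is inherited inward and the innermost setting wins. The following auditor is an added example, not code from the original article. It assumes a single Nginx configuration text with include directives already expanded and no braces inside quoted strings; the sample configuration and host names are constructed.

```python
import re

# Constructed sample: one server sets autoindex off but a location re-enables it;
# the other server has no directive and inherits the http-level "on".
SAMPLE_CONF = """
http {
    autoindex on;
    server {
        server_name photos.example.test;
        autoindex off;
        location /uploads/ { autoindex on; }   # overrides the server block
        location /static/ { root /srv/static; }
    }
    server {
        server_name legacy.example.test;
        location / { root /srv/legacy; }
    }
}
"""

def parse(conf_text):
    """Build a tree of blocks, recording each block's own autoindex value."""
    text = re.sub(r"#[^\n]*", "", conf_text)            # strip comments
    root = {"name": "", "own": None, "children": []}
    stack, pending = [root], ""
    for tok in re.findall(r"[{};]|[^{};]+", text):
        if tok == "{":                                  # pending text is the block header
            node = {"name": " ".join(pending.split()), "own": None, "children": []}
            stack[-1]["children"].append(node)
            stack.append(node)
        elif tok == "}":
            stack.pop()
        elif tok == ";":                                # pending text is a directive
            words = pending.split()
            if len(words) == 2 and words[0] == "autoindex":
                stack[-1]["own"] = words[1]
            elif len(words) > 1 and words[0] == "server_name":
                stack[-1]["name"] = "server " + words[1]
        pending = "" if tok in "{};" else tok
    return root

def listing_enabled(node, inherited="off", path=""):
    """Return paths of server/location blocks whose effective autoindex is on."""
    value = node["own"] or inherited                    # Nginx default is off
    here = " > ".join(p for p in (path, node["name"]) if p)
    hits = [here] if value == "on" and node["name"].startswith(("server", "location")) else []
    for child in node["children"]:
        hits += listing_enabled(child, value, here)
    return hits
```

Any path returned by listing_enabled(parse(text)) is a block that will still serve a directory index and needs its own autoindex off; or removal of the overriding directive.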