# Missing Access Restriction on Directory Listing

## Overview

* **Rule ID**: `javascript_express_exposed_dir_listing`
* **Applicable Languages**: JavaScript
* **Weakness ID**: CWE-548

## Description

Exposing a directory listing without restrictions can lead to unauthorized access to sensitive data or source code. This vulnerability occurs when the file structure of a server or application is made visible to users without proper access control, potentially allowing attackers to exploit the exposed files.

## Remediation Guidelines

* **Restrict access** to sensitive directories and files to prevent unauthorized access. Implementing access controls ensures that only authorized users can view or interact with specific file directories.
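One way to apply this restriction to an Express `serve-index` route, shown as an added example rather than code from the rule itself. It assumes an earlier authentication middleware populates `req.user` with a `role`; the names `requireListingAccess`, `listingFilter`, `mountListing` and `HIDDEN_ENTRIES` are hypothetical.

```javascript
// Added example. Assumption: an earlier authentication middleware
// sets req.user = { role: '...' } for signed-in users.

// Gate for the listing route: no user -> 401, wrong role -> 403.
function requireListingAccess(allowedRoles) {
  return function listingGate(req, res, next) {
    if (!req.user) {
      res.statusCode = 401;
      return res.end('Authentication required');
    }
    if (!allowedRoles.includes(req.user.role)) {
      res.statusCode = 403;
      return res.end('Forbidden');
    }
    return next();
  };
}

// serve-index `filter` option: called for each entry, return false to omit it.
// The patterns are illustrative; tune them to the directory being served.
const HIDDEN_ENTRIES = [/^\./, /\.(bak|old|sql|pem|key)$/i, /^node_modules$/];
function listingFilter(filename) {
  return !HIDDEN_ENTRIES.some((pattern) => pattern.test(filename));
}

// Wiring. The express app and the serve-index factory are passed in,
// so this file itself has no dependencies.
function mountListing(app, serveIndex, urlPath, dir, roles) {
  app.use(urlPath, requireListingAccess(roles), serveIndex(dir, { filter: listingFilter }));
}

// Flagged pattern:  app.use('/files', serveIndex('public/files'));
// Restricted form:  mountListing(app, serveIndex, '/files', 'public/files', ['admin']);
```

`serve-index` only renders the listing page, so any `express.static` handler mounted on the same path needs the same gate in front of it.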

## References

* [**Express serve-index middleware**](https://expressjs.com/en/resources/middleware/serve-index.html)
* [**CWE-548: Exposure of Information Through Directory Listing**](https://cwe.mitre.org/data/definitions/548.html)
* [**OWASP Top 10: A01:2021 - Broken Access Control**](https://owasp.org/Top10/A01_2021-Broken_Access_Control/)

## Configuration

To omit this rule during a scan, and for continuous 24/7 code-level scanning, use our [**SAST TOOL**](https://scopy.sec1.io/login).
