on the server side. Do not trust client-side checks like JavaScript or hidden form fields.
Create a completely blank file named index.php or index.html and upload it directly into the folders you want to protect (such as /wp-content/uploads/ or /assets/ ). When a user or browser tries to view that folder, the server will load your blank file instead of displaying the folder contents. index of parent directory uploads install
are publicly accessible, exposing sensitive assets, installation logs, and potentially server configuration files to unauthorized users. on the server side