diff --git a/internal/httpd/httpd.go b/internal/httpd/httpd.go
index a0043e1b..8bb89af7 100644
--- a/internal/httpd/httpd.go
+++ b/internal/httpd/httpd.go
@@ -1047,7 +1047,7 @@ func getServicesStatus() *ServicesStatus {
 	return status
 }
 
-func fileServer(r chi.Router, path string, root http.FileSystem) {
+func fileServer(r chi.Router, path string, root http.FileSystem, disableDirectoryIndex bool) {
 	if path != "/" && path[len(path)-1] != '/' {
 		r.Get(path, http.RedirectHandler(path+"/", http.StatusMovedPermanently).ServeHTTP)
 		path += "/"
@@ -1057,7 +1057,11 @@ func fileServer(r chi.Router, path string, root http.FileSystem) {
 	r.Get(path, func(w http.ResponseWriter, r *http.Request) {
 		rctx := chi.RouteContext(r.Context())
 		pathPrefix := strings.TrimSuffix(rctx.RoutePattern(), "/*")
-		fs := http.StripPrefix(pathPrefix, http.FileServer(root))
+		handler := http.FileServer(root)
+		if disableDirectoryIndex {
+			handler = neuter(handler)
+		}
+		fs := http.StripPrefix(pathPrefix, handler)
 		fs.ServeHTTP(w, r)
 	})
 }
diff --git a/internal/httpd/httpd_test.go b/internal/httpd/httpd_test.go
index 70c4b298..28697d8f 100644
--- a/internal/httpd/httpd_test.go
+++ b/internal/httpd/httpd_test.go
@@ -24269,7 +24269,7 @@ func TestStaticFilesMock(t *testing.T) {
 	req, err = http.NewRequest(http.MethodGet, location, nil)
 	assert.NoError(t, err)
 	rr = executeRequest(req)
-	checkResponseCode(t, http.StatusOK, rr)
+	checkResponseCode(t, http.StatusForbidden, rr)
 
 	req, err = http.NewRequest(http.MethodGet, "/openapi", nil)
 	assert.NoError(t, err)
diff --git a/internal/httpd/middleware.go b/internal/httpd/middleware.go
index 095b68a9..c8381ee1 100644
--- a/internal/httpd/middleware.go
+++ b/internal/httpd/middleware.go
@@ -386,7 +386,7 @@ func checkAPIKeyAuth(tokenAuth *jwtauth.JWTAuth, scope dataprovider.APIKeyScope)
 			}
 			if k.Scope != scope {
 				handleDefenderEventLoginFailed(util.GetIPFromRemoteAddress(r.RemoteAddr), dataprovider.ErrInvalidCredentials) //nolint:errcheck
-				logger.Debug(logSender, "", "unable to authenticate api key %q: invalid scope: got %d, wnated: %d",
+				logger.Debug(logSender, "", "unable to authenticate api key %q: invalid scope: got %d, wanted: %d",
 					apiKey, k.Scope, scope)
 				sendAPIResponse(w, r, fmt.Errorf("the provided api key is invalid for this request"), "", http.StatusForbidden)
 				return
@@ -553,3 +553,14 @@ func checkPartialAuth(w http.ResponseWriter, r *http.Request, audience string, t
 	}
 	return nil
 }
+
+func neuter(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if strings.HasSuffix(r.URL.Path, "/") {
+			http.Error(w, http.StatusText(http.StatusForbidden), http.StatusForbidden)
+			return
+		}
+
+		next.ServeHTTP(w, r)
+	})
+}
diff --git a/internal/httpd/resources.go b/internal/httpd/resources.go
index edb78ee1..5d33fccd 100644
--- a/internal/httpd/resources.go
+++ b/internal/httpd/resources.go
@@ -23,6 +23,6 @@ import (
 	"github.com/go-chi/chi/v5"
 )
 
-func serveStaticDir(router chi.Router, path, fsDirPath string) {
-	fileServer(router, path, http.Dir(fsDirPath))
+func serveStaticDir(router chi.Router, path, fsDirPath string, disableDirectoryIndex bool) {
+	fileServer(router, path, http.Dir(fsDirPath), disableDirectoryIndex)
 }
diff --git a/internal/httpd/resources_embedded.go b/internal/httpd/resources_embedded.go
index 73c619c7..41b2f672 100644
--- a/internal/httpd/resources_embedded.go
+++ b/internal/httpd/resources_embedded.go
@@ -18,16 +18,20 @@
 package httpd
 
 import (
+	"net/http"
+
 	"github.com/go-chi/chi/v5"
 
 	"github.com/drakkan/sftpgo/v2/internal/bundle"
 )
 
-func serveStaticDir(router chi.Router, path, _ string) {
+func serveStaticDir(router chi.Router, path, fsDirPath string, disableDirectoryIndex bool) {
 	switch path {
 	case webStaticFilesPath:
-		fileServer(router, path, bundle.GetStaticFs())
+		fileServer(router, path, bundle.GetStaticFs(), disableDirectoryIndex)
 	case webOpenAPIPath:
-		fileServer(router, path, bundle.GetOpenAPIFs())
+		fileServer(router, path, bundle.GetOpenAPIFs(), disableDirectoryIndex)
+	default:
+		fileServer(router, path, http.Dir(fsDirPath), disableDirectoryIndex)
 	}
 }
diff --git a/internal/httpd/server.go b/internal/httpd/server.go
index a9905582..6db92f25 100644
--- a/internal/httpd/server.go
+++ b/internal/httpd/server.go
@@ -1237,7 +1237,7 @@ func (s *httpdServer) initializeRouter() {
 
 	if hasHTTPSRedirect {
 		if p := acme.GetHTTP01WebRoot(); p != "" {
-			serveStaticDir(s.router, acmeChallengeURI, p)
+			serveStaticDir(s.router, acmeChallengeURI, p, true)
 		}
 	}
 
@@ -1434,7 +1434,7 @@ func (s *httpdServer) initializeRouter() {
 		if s.renderOpenAPI {
 			s.router.Group(func(router chi.Router) {
 				router.Use(compressor.Handler)
-				serveStaticDir(router, webOpenAPIPath, s.openAPIPath)
+				serveStaticDir(router, webOpenAPIPath, s.openAPIPath, false)
 			})
 		}
 	}
@@ -1442,7 +1442,7 @@ func (s *httpdServer) initializeRouter() {
 	if s.enableWebAdmin || s.enableWebClient {
 		s.router.Group(func(router chi.Router) {
 			router.Use(compressor.Handler)
-			serveStaticDir(router, webStaticFilesPath, s.staticFilesPath)
+			serveStaticDir(router, webStaticFilesPath, s.staticFilesPath, true)
 		})
 		if s.binding.OIDC.isEnabled() {
 			s.router.Get(webOIDCRedirectPath, s.handleOIDCRedirect)