Log into your Synology, QNAP, or Asustor device. Go to Control Panel > File Services. Look for FTP or WebDAV settings. If "Anonymous Access" is enabled, your DCIM is public.
While viewing public directory listings is not inherently illegal, what you do with the information can be.
Apache: Disable directory listing.
Open your .htaccess or httpd.conf.
Add this line: Options -Indexes
If you need the folder to exist, add an index.html file that redirects to the homepage or shows a "403 Forbidden" message.
Nginx: Locate the server block for your site.
Set: autoindex off; (This is usually default, but check you didn't set on for a specific location). index of dcim
IIS (Windows): Open IIS Manager > Select your site > Double-click "Directory Browsing" > Click "Disabled" (Top right).
To understand index of, you need to understand how web servers work.
When you visit a normal website (e.g., www.example.com), the server looks for a default file like index.html, index.php, or default.asp. The server loads that file, and you see a beautiful webpage. Log into your Synology, QNAP, or Asustor device
However, if you visit a directory (folder) on a server that does not have an index file, and if the server's configuration allows directory listing, the server will simply show you a plain-text list of everything inside that folder. This is the "Index Of" page.
What an "Index Of" page looks like:
Index of /backup/photos
In this raw state, there is no login screen, no password prompt, and no branding. It is a direct window into the server's file system.
When you combine "Index Of" with "DCIM", you get a catastrophic privacy failure: A web-accessible, searchable list of someone's camera roll.
You might think, "Who would put their private photos on a public server?" The answer: millions of people, usually by accident. Index of /backup/photos