A customer of ours had an issue with some paths like theirwebsite.com/images returning a 200 OK, and although the page was completely blank, and exposed no information it was detected as a positive indicator of exposed data, because of the 200 OK.
more detail: https://community.qualys.com/thread/16746-qid-150004-path-based-vulnerability
Actually in this case it was a ‘whitescreen’, or just a blank index page, to prevent the Options +indexes in the apache httpd configuration showing the images path. You probably don’t want this and can just set your Option indexes.
Change from:
Options +Indexes # in older versions it may be defined as Options Indexes
Change to:
Options -Indexes
This explicitly forbids, but older versions of apache2 might need this written as:
Options Indexes
To prevent an attack on .htaccess you could also add this to httpd.conf to ensure the httpd.conf is enforced and takes precedence over any hacker or user that adds indexing incorrectly/mistakenly/wrongly;
<Directory /> Options FollowSymLinks AllowOverride None </Directory>
Simple enough.