If using cloud buckets, strictly enforce Identity and Access Management (IAM) policies. Ensure buckets containing user data are explicitly set to "Private" and use pre-signed, time-limited URLs for legitimate access.
Disabling directory browsing in the server configuration (for example, using Options -Indexes file for Apache servers) is a standard security practice. Robots.txt: robots.txt parent directory index of private images free