Securing browsable directories?

Many Nextcloud directories seem to be browsable without authentication.
The entire /apps directory is accessible externally without providing credentials.
Is this expected - is there a standard way to block access to these folders?

NextCloud V13.0.6
PHP 5.6.39
Centos 7.5.1804

Just checked - 403 Forbidden.
Try to check your Web Server config, e.g. Exampl for Apache2, or ngnix