Many Nextcloud directories seem to be browsable without authentication.
The entire /apps directory is accessible externally without providing credentials.
Is this expected - is there a standard way to block access to these folders?
NextCloud V13.0.6
PHP 5.6.39
Centos 7.5.1804
Just checked - 403 Forbidden.
Try to check your Web Server config, e.g. Exampl for Apache2 https://docs.nextcloud.com/server/15/admin_manual/installation/source_installation.html#apache-web-server-configuration, or ngnix https://docs.nextcloud.com/server/15/admin_manual/installation/nginx.html