Note, the user can find the directory location, by examining the source, therefore you must protect your directory by placing a default file inside it, which your server will always send when the directory is requested, e.g. index.html, otherwise a directory listing will be sent.
It is also possible on Unix systems, to just set the parent (or all) directory's permissions to rwx--x--x and all other files to rwxr--r--. The user cannot get directory listings, but can still access any files there. (Thanks to Mike Crawford for this last tip.)