.htaccess Generator
Build Apache .htaccess rules — redirects, security headers, caching, and more.
Select rules to include
# Generated .htaccess
# Force HTTPS
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# Enable Gzip
<IfModule mod_deflate.c>
AddOutputFilterByType DEFLATE text/html text/plain text/css
AddOutputFilterByType DEFLATE application/javascript application/json
AddOutputFilterByType DEFLATE application/xml text/xml
AddOutputFilterByType DEFLATE image/svg+xml
</IfModule>
# Browser Caching
<IfModule mod_expires.c>
ExpiresActive On
ExpiresByType image/jpeg "access plus 1 year"
ExpiresByType image/png "access plus 1 year"
ExpiresByType image/svg+xml "access plus 1 year"
ExpiresByType text/css "access plus 1 month"
ExpiresByType application/javascript "access plus 1 month"
ExpiresByType text/html "access plus 1 hour"
</IfModule>.htaccess Generator — What It Does
Select the rules you need — HTTPS redirect, www canonicalization, gzip compression, browser caching, security headers, hotlink protection, custom error pages — and copy the generated .htaccess block. No need to memorize Apache mod_rewrite syntax or directive names.
Common .htaccess Rule Categories
- Redirects — 301/302 redirects, HTTPS enforcement, www/non-www canonicalization
- Compression — mod_deflate gzip for HTML, CSS, JS, JSON, SVG
- Caching — Cache-Control and Expires headers by file type
- Security — Disable directory listing, block bad bots, security response headers
- Error pages — Custom 404, 403, 500 error documents
Essential .htaccess Snippets
Options -Indexes— Disable directory listingErrorDocument 404 /404.html— Custom 404 pageHeader always set X-Content-Type-Options "nosniff"— Prevent MIME sniffingExpiresActive On+ type-specific rules — Browser cache control
Common Mistakes
- Missing RewriteEngine On — All mod_rewrite rules require this directive; forgetting it causes all rewrites to silently fail.
- Redirect loops — When redirecting HTTP to HTTPS, always check
'%{HTTPS} off'first to avoid an infinite loop. - File permissions — .htaccess must be readable by the web server user (typically 644); too-restrictive permissions return a 403.
- Not applicable to Nginx/Caddy — .htaccess is Apache-only; other servers use their own config formats.
Frequently Asked Questions
- What is an .htaccess file and where does it go?
- .htaccess is an Apache web server configuration file that controls directory-level settings without requiring access to the main server config. Place it in the root of your website (same directory as index.php or index.html). Rules apply to that directory and all subdirectories unless overridden.
- How do I force HTTPS with .htaccess?
- Add a RewriteRule that redirects all HTTP traffic to HTTPS: RewriteEngine On, RewriteCond %{HTTPS} off, RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]. The 301 status code tells browsers and search engines this is a permanent redirect, transferring SEO link equity.
- How do I redirect www to non-www (or vice versa) with .htaccess?
- To redirect www to non-www: RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC], RewriteRule ^ https://%1%{REQUEST_URI} [R=301,L]. For non-www to www: RewriteCond %{HTTP_HOST} !^www\. [NC], RewriteRule ^ https://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]. Pick one canonical form and use it consistently for SEO.
- How do I enable gzip compression in .htaccess?
- Use mod_deflate: AddOutputFilterByType DEFLATE text/html text/css text/javascript application/javascript application/json. Gzip typically reduces HTML/CSS/JS file sizes by 60–80%, significantly improving Time to First Byte and page load speed for visitors on slow connections.
- What security headers can I set in .htaccess?
- Key security headers include: X-Content-Type-Options: nosniff (prevents MIME sniffing), X-Frame-Options: SAMEORIGIN (prevents clickjacking), X-XSS-Protection: 1; mode=block (legacy XSS filter), and Referrer-Policy: strict-origin-when-cross-origin. For modern sites, also add Content-Security-Policy to restrict resource loading.