
Found in your root folder. Use cPanel (File Manager) or FTP to access it.
Mastering .htaccess: A Complete Guide to Optimizing Your Website Configuration
Introduction to .htaccess: The Powerful Configuration Tool
The .htaccess file is one of the most versatile and powerful tools available for website configuration on Apache servers. Despite its modest appearance as a simple text file, it can dramatically transform how your website functions, from handling redirects and custom error pages to enhancing security and optimizing performance.
For website administrators, developers, and SEO professionals, understanding how to properly configure an .htaccess file is an essential skill that can solve numerous technical challenges and unlock new possibilities for your site. Whether you're running a personal blog, an e-commerce store, or a corporate website, mastering .htaccess will give you unprecedented control over your web server's behavior.
In this comprehensive guide, we'll explore everything you need to know about .htaccess files, with practical examples and clear explanations that will help you implement these powerful configurations on your own website.
Examining Our Example .htaccess File
Let's look at a complete example of a well-structured .htaccess file that incorporates best practices for various common scenarios:
<IfModule mod_headers.c>
# Protect against clickjacking
Header always set X-Frame-Options "SAMEORIGIN"
# Prevent MIME-type sniffing
Header always set X-Content-Type-Options "nosniff"
# Enable the legacy XSS filter in older browsers (current browsers ignore this header)
Header always set X-XSS-Protection "1; mode=block"
# Control permitted sources for content
Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.google-analytics.com https://ssl.google-analytics.com https://www.googletagmanager.com https://cdnjs.cloudflare.com; img-src 'self' data: https://www.google-analytics.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdnjs.cloudflare.com; font-src 'self' https://fonts.gstatic.com https://cdnjs.cloudflare.com; connect-src 'self'; object-src 'none'"
# Restrict referrer information
Header always set Referrer-Policy "strict-origin-when-cross-origin"
# Permissions policy
Header always set Permissions-Policy "camera=(), microphone=(), geolocation=(), interest-cohort=()"
</IfModule>

# Enable rewrite engine once
RewriteEngine On

# First, redirect www to non-www (keeping the HTTPS if present)
RewriteCond %{HTTP_HOST} ^www\.your-own-url\.com$ [NC]
RewriteRule ^(.*)$ https://your-own-url.com/$1 [R=301,L]

# Then, redirect any remaining HTTP traffic to HTTPS
RewriteCond %{HTTPS} !on
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

#RewriteRule ^sitemap.xml$ index.php?route=extension/feed/simple_google_sitemap [L]
RewriteRule ^sitemap\.xml$ index.php?route=extension/feed/google_sitemap [L]

ErrorDocument 404 /404.html
Redirect 301 /about_us /about-us

# Block access to sensitive files
<FilesMatch "(\.(bak|config|dist|fla|inc|ini|log|psd|sh|sql|tpl|twig|swp)|~)$">
Order allow,deny
Deny from all
Satisfy All
</FilesMatch>

# Prevent directory browsing, listing
Options -Indexes
Options +FollowSymLinks

# protect .htaccess and .htpasswd

# Disable server signature
ServerSignature Off

# IP Blocking
<IfModule mod_authz_core.c>
<RequireAll>
Require all granted
# Add your IP addresses to block here
# Require not ip 123.45.67.89
# Require not ip 98.76.54.32
</RequireAll>
</IfModule>

# For older Apache versions
<IfModule !mod_authz_core.c>
Order allow,deny
Allow from all
# Add your IP addresses to block here
# Deny from 123.45.67.89
# Deny from 98.76.54.32
</IfModule>

# Browser caching
<IfModule mod_expires.c>
ExpiresActive On
ExpiresByType image/jpg "access plus 1 year"
ExpiresByType image/jpeg "access plus 1 year"
ExpiresByType image/gif "access plus 1 year"
ExpiresByType image/png "access plus 1 year"
ExpiresByType image/webp "access plus 1 year"
ExpiresByType text/css "access plus 1 month"
ExpiresByType application/pdf "access plus 1 month"
ExpiresByType text/javascript "access plus 1 month"
ExpiresByType application/javascript "access plus 1 month"
ExpiresByType application/x-javascript "access plus 1 month"
ExpiresByType application/x-shockwave-flash "access plus 1 month"
ExpiresByType image/x-icon "access plus 1 year"
ExpiresDefault "access plus 2 days"
</IfModule>

# Enable GZIP compression (also edit php.ini)
<IfModule mod_deflate.c>
AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css application/javascript application/x-javascript text/javascript
</IfModule>

<IfModule mod_deflate.c>
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE text/css
AddOutputFilterByType DEFLATE text/javascript
AddOutputFilterByType DEFLATE text/xml
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE image/x-icon
AddOutputFilterByType DEFLATE image/svg+xml
AddOutputFilterByType DEFLATE application/rss+xml
AddOutputFilterByType DEFLATE application/javascript
AddOutputFilterByType DEFLATE application/x-javascript
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE application/x-font
AddOutputFilterByType DEFLATE application/x-font-truetype
AddOutputFilterByType DEFLATE application/x-font-ttf
AddOutputFilterByType DEFLATE application/x-font-otf
AddOutputFilterByType DEFLATE application/x-font-opentype
AddOutputFilterByType DEFLATE application/vnd.ms-fontobject
AddOutputFilterByType DEFLATE font/ttf
AddOutputFilterByType DEFLATE font/otf
AddOutputFilterByType DEFLATE font/opentype

# For older browsers which can't handle compression
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
</IfModule>
# Or, compress certain file types by extension:
<files *.html>
SetOutputFilter DEFLATE
</files>
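Added example (not part of the original guide): a Python check of the two hand-written security rules in the file above, the Content-Security-Policy value and the FilesMatch pattern. The sample file names are constructed, and the pattern is used without the garbled tail and the duplicate "log" alternative that appear in the listing.

```python
import re

# Both values are taken from the example .htaccess file in this guide.
CSP = (
    "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' "
    "https://www.google-analytics.com https://ssl.google-analytics.com "
    "https://www.googletagmanager.com https://cdnjs.cloudflare.com; "
    "img-src 'self' data: https://www.google-analytics.com; "
    "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com "
    "https://cdnjs.cloudflare.com; font-src 'self' https://fonts.gstatic.com "
    "https://cdnjs.cloudflare.com; connect-src 'self'; object-src 'none'"
)
FILES_MATCH = re.compile(
    r"(\.(bak|config|dist|fla|inc|ini|log|psd|sh|sql|tpl|twig|swp)|~)$")
# Directives that do not inherit from default-src when they are absent.
NO_FALLBACK = ("base-uri", "form-action", "frame-ancestors")
# Constructed sample file names, for illustration only.
SAMPLES = ["dump.sql", "index.php~", "settings.ini", ".env", ".htpasswd",
           "wp-config.php"]


def parse_csp(policy):
    """Split a policy into {directive: [sources]}; a repeated directive is ignored."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def audit_csp(policy):
    """Return findings for settings that weaken the policy's XSS protection."""
    d = parse_csp(policy)
    scripts = d.get("script-src", d.get("default-src", []))
    # Browsers ignore 'unsafe-inline' when a nonce or hash source is present.
    strict = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
                 for s in scripts)
    findings = []
    if "'unsafe-inline'" in scripts and not strict:
        findings.append("script-src allows 'unsafe-inline'")
    if "'unsafe-eval'" in scripts:
        findings.append("script-src allows 'unsafe-eval'")
    findings += [f"{name} not set (no default-src fallback)"
                 for name in NO_FALLBACK if name not in d]
    return findings


def unprotected(filenames):
    """Names the FilesMatch pattern does not match, so the rule does not block them."""
    return [n for n in filenames if not FILES_MATCH.search(n)]
```

Calling audit_csp(CSP) and unprotected(SAMPLES) lists what the example policy still permits and which of the sample names fall outside the FilesMatch rule.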
What Is an .htaccess File?
An .htaccess (Hypertext Access) file is a directory-level configuration file supported by several web servers, most notably Apache. It allows you to make configuration changes on a per-directory basis without requiring access to the main server configuration files. This makes it an invaluable tool for website owners who may not have root access to their server but still need to implement specific server configurations.
The file works by providing directives that affect the directory it resides in and all sub-directories. When a client requests a resource from your server, Apache checks for .htaccess files in each directory from the root to the requested resource's directory, applying the directives it finds along the way.
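Added example (not part of the original guide): a Python helper that lists, outermost first, the .htaccess files that apply to one request, which is useful when auditing a site for unexpected overrides. It assumes the lookup starts at the document root (AllowOverride enabled there); the directory tree in demo() is constructed.

```python
import os
import tempfile


def htaccess_chain(docroot, request_path):
    """Return the .htaccess files that apply to request_path, outermost first."""
    docroot = os.path.realpath(docroot)
    target = os.path.realpath(os.path.join(docroot, request_path.lstrip("/")))
    if os.path.commonpath([docroot, target]) != docroot:
        raise ValueError("request path escapes the document root")
    # Directives apply per directory, so start from the resource's directory.
    directory = target if os.path.isdir(target) else os.path.dirname(target)
    rel = os.path.relpath(directory, docroot)
    parts = [] if rel == "." else rel.split(os.sep)
    chain, current = [], docroot
    # Visit the document root first, then each sub-directory down to the resource.
    for part in [None] + parts:
        if part is not None:
            current = os.path.join(current, part)
        candidate = os.path.join(current, ".htaccess")
        if os.path.isfile(candidate):
            chain.append(os.path.relpath(candidate, docroot))
    return chain


def demo():
    """Build a constructed document root and resolve one request against it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "shop", "img"))
        os.makedirs(os.path.join(root, "blog"))
        for rel in (".htaccess", "shop/img/.htaccess", "blog/.htaccess"):
            with open(os.path.join(root, rel), "w") as fh:
                fh.write("# constructed sample\n")
        open(os.path.join(root, "shop", "img", "logo.png"), "w").close()
        # blog/.htaccess is not on the path to the image, so it is not listed.
        return htaccess_chain(root, "/shop/img/logo.png")


if __name__ == "__main__":
    print(demo())
```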
Why Your Website Can Benefit From a Well-Crafted .htaccess File
Before diving into the technical aspects, let's understand the key benefits of implementing a proper .htaccess file:
- URL Management and Redirection: Create clean, SEO-friendly URLs and handle redirects from old pages to new ones, preserving link equity.
- Enhanced Security: Protect sensitive files, block suspicious IP addresses, prevent directory browsing, and implement password protection for specific areas.
- Performance Optimization: Enable browser caching, compress files, and control resource loading to speed up your website.
- Custom Error Handling: Create user-friendly custom error pages that improve user experience and retain visitors.
- SEO Improvements: Implement canonical URLs, handle www vs. non-www versions of your site, and manage duplicate content issues.
- Content Control: Define specific content types, character sets, and control how your server handles various file formats.
- Server Resource Management: Limit resource usage to prevent server overload and maintain stable performance.