Date First Published: 31st July 2022
Topic: Web Design & Development
Subtopic: Web Applications
Article Type: Computer Terms & Definitions
Difficulty: AdvancedDifficulty Level: 8/10
Learn more about what a .htaccess file is in this article. This is the 300th article.
A .htaccess file is a plaintext file used by web servers that run Apache (web server software) that allows website owners to control the configuration settings and behaviour of their websites. Htaccess is short hypertext access. The .htaccess file is located in the directory that the settings are applied to. For example, if the .htaccess file was located in the root directory which contains the 'index.html' file, those settings would apply to the whole website, including all subdirectories. Multiple .htaccess files can be used to apply different settings to other directories of a website.
.htaccess files that are higher up in the file path will always overwrite the settings of the other .htaccess files. However, it is recommended to reduce the number of .htaccess files as too many configurations can slow web servers down. Each time Apache processes a client request for a file, it looks for a .htaccess file in the same directory and any directories preceding it.
By default, Apache is configured to prevent access to any file with a .htaccess extension through a web browser, making it impossible for anyone that does not have FTP access to view the .htaccess file of another website. Trying to view the .htaccess file of a website will usually result in a 403 error, meaning that access to the requested page is forbidden. This is because .htaccess files can contain sensitive information.
The .htaccess file of a website can be used to perform a wide range of functions, including:
Comments can be added anywhere to a .htaccess file by adding a hashtag (#) to the beginning of the lines. Comments are an easy way to describe the role of .htaccess rules. Avoid adding too many comments as this will cause Apache to take much longer to parse the file. The example below demonstrates a .htaccess file comment.
# This is a .htaccess file comment
RewriteEngine On
RewriteCond %{HTTP_HOST} ^yourdomain\.com [NC]
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://yourdomain.com/$1 [R,L]
Writing a .htaccess comment requires a whole line in newer versions of Apache. Adding non-blank characters before the hashtag sign will cause server errors as shown below.
# This .htaccess file comment
will cause a server error
RewriteEngine On
RewriteCond %{HTTP_HOST} ^yourdomain\.com [NC]
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://yourdomain.com/$1 [R,L]
If the .htaccess file is already stored on a web server, it will need to be downloaded using an FTP client or within the file manager of the web host in order for it to be edited. If not, it will be necessary to manually create one with a filename of '.htaccess'. It is simply a blank filename with only the '.htaccess' file extension. Since a .htaccess file is a plaintext file, it can be edited by any text editor.
Before editing the .htaccess file, always store a backup of it in case it does not work properly after making those changes.
Be careful when editing the .htaccess file as this type of file is very sensitive to typos, whitespace characters, line endings, and spelling mistakes. Even a small error in the syntax can cause the whole .htaccess file to break and cause server errors in the 5xx HTTP status code category.
Do not use a word processor program, such as WordPad, Microsoft Word, or Microsoft Office to create or edit a .htaccess file. This is because the auto-editing will add formatting that will change the file and break it, causing the .htaccess file to malfunction when uploading it to the web server. Also, do not use a WYSIWYG interface to edit a .htaccess file.
The following examples below are examples of .htaccess rules that can be used to configure settings for web servers that run Apache.
RewriteEngine On
RewriteCond %{HTTP_HOST} ^yourdomain\.com [NC]
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://yourdomain.com/$1 [R,L]
Once the website has a valid SSL certificate and HTTPS enabled, secure communications can now take place. However, they will only take place if the user is visiting the website with 'https://' at the beginning rather than insecure 'http://'. Some users may still be visiting the standard HTTP version. In addition, both HTTP and HTTPS versions of the website could be mistaken for duplicate content by search engines. The .htaccess rules above will force all insecure HTTP traffic to secure HTTPS traffic. Obviously, replace 'yourdomain.com' with your domain name in all of these examples.
Since it is already very clear that a domain name is used to access a website on the World Wide Web, the 'www' prefix is unnecessary and can be removed, resulting in a shorter URL. However, some older websites still use the 'www' prefix. For instructions on how to remove and add it, see below.
For removing the 'www' prefix, these are the .htaccess rules:
RewriteCond %{HTTP_HOST} ^www.yourdomain.com$ [NC]
RewriteRule ^(.*)$ https://yourdomain.com/$1 [R=301,L]
For adding the 'www' prefix, these are the .htaccess rules:
RewriteEngine on
RewriteCond %{HTTP_HOST} !^www\.
RewriteRule ^(.*)$ http://www.%{HTTP_HOST}/$1 [R=301,L]
In this example, the trailing slash at the end of URLs (e.g. https://computerhelp4all.com/articles.html/) can be removed or added. This is useful for SEO as both versions of the website with and without the trailing slash could be mistaken for duplicate content by search engines.
For removing the trailing slash, these are the .htaccess rules:
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)/$ /$1 [L,R=301]
For adding the trailing slash, these are the .htaccess rules:
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*[^/])$ /$1/ [L,R=301]
Custom error pages are a very important part of a website. They should clearly explain the error, contain links to the main page, and should not be vague. The default error pages are usually inconsistent with the rest of the site and vague. Also, they are often a 'dead-end' page, which forces visitors to hit the back button in their web browsers. In this example below, replace the URLs with the location of your error pages.
ErrorDocument 400 http://yourdomain.com/your-custom-error-400-page.html
ErrorDocument 401 http://yourdomain.com/your-custom-error-401-page.html
ErrorDocument 403 http://yourdomain.com/your-custom-error-403-page.html
ErrorDocument 404 http://yourdomain.com/your-custom-error-404-page.html
ErrorDocument 503 http://yourdomain.com/your-custom-error-503-page.html
Hotlinking is when a website links to and displays the resources of an external site, such as videos and images, instead of hosting them on its server. This can become an issue, especially when on a hosting plan with limited bandwidth, as every time a visitor sees those resources, bandwidth from the external website is used. Even though hotlinking can be blocked in the control panel of most hosting providers and in CDNs, such as Cloudflare, it can be blocked by adding the .htaccess rules below when those options are unavailable. The file types (gif, jpg, jpeg, mp3, png, pdf, zip) will fail to load when an external site tries to hotlink.
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)yourdomain.com/.*$ [NC]
RewriteRule \.(gif|jpg|jpeg|mp3|png|pdf|zip)$ - [F]
In this example, a visitor can be denied access if they try to visit with a certain IP address. This is a useful method of banning someone from accessing a website. Anyone from that IP address that tries to visit will receive a 403 error. Obviously, in the 'deny from' part, put the actual IP address that you want to block.
Order Allow,Deny
Deny from 123.123.123.123
Allow from all
Some pages of a website may need to be kept hidden. Whenever a user tries to visit a webpage that matches the .htaccess rules specified, they will receive a 403 error. Access can be denied to certain pages based on specific URLs, directories, or certain patterns.
For denying access to a single URL, these are the .htaccess rules. Obviously, specify the path of the URL that you want to deny access to.
RewriteEngine On
RewriteRule ^directory/denied-access-url.html$ - [F]
For denying access to a directory, the .htaccess rules are:
RewriteEngine On
RewriteRule (^|/)denied-directory(/|$) - [F]
For denying access to a specific URL pattern, the .htaccess rules are below. In this example, these .htaccess rules deny access to all files ending in '.zip'. The file extension can be replaced with any extension of your choice.
<Files ~ "\.zip$">
Order Allow,Deny
Deny from All
</Files>
ExpiresActive On
ExpiresByType image/jpg "access plus 1 month"
ExpiresByType image/jpeg "access plus 1 month"
ExpiresByType image/gif "access plus 1 month"
ExpiresByType image/png "access plus 1 month"
ExpiresByType text/css "access plus 1 month"
ExpiresByType application/pdf "access plus 1 month"
ExpiresByType text/x-javascript "access plus 1 month"
ExpiresByType application/x-shockwave-flash "access plus 1 month"
ExpiresByType image/x-icon "access plus 1 month"
ExpiresDefault "access plus 2 days"
In the example above, the .htaccess file is instructing web browsers to cache all of these types of files for a month after the visitor has viewed them once. Caching improves the page loading time and decreases the load on the web server. When cached, the files are loaded from their local computer rather than the server for a month, unless the user clears their cache in their web browser settings. Depending on how often they are modified, all of these types of files can be adjusted to whatever period of time you want.
Disabling directory listing is recommended as by default, if a new directory is created without an 'index.html' file, visitors can get a directory listing all the files in that folder. For example, if a folder called 'articles' was created, typing 'example.com/articles/' would allow the visitor to see everything in that directory with no password or restrictions. This can become a security risk if that directory contained files with sensitive information, such as passwords, as anyone that is browsing could view or save any files in that folder.
Options -Indexes
Simply adding the line above in the .htaccess file will cause visitors to get a 403 error whenever they visit a directory without an 'index.html' file, preventing all the files of the directory from being listed.
A 301 redirect forces all website traffic from one URL to another. These types of redirects are commonly used when moving domain names.
RewriteEngine on
RewriteCond %{HTTP_HOST} ^example.com [NC,OR]
RewriteCond %{HTTP_HOST} ^www.example.com [NC]
RewriteRule ^(.*)$ https://example.net/$1 [L,R=301,NC]
In this example, all traffic from 'https://example.com' is redirected from 'https://example.net'. For example, 'https://example.com/article.html' would automatically redirect to 'https://example.net/article.html'.
AddDefaultCharset UTF-8
In this example, the character set of each HTML page will be set to 'UTF-8'. Even though this can be specified in the meta tag of each HTML document, adding this .htaccess rule will apply it to every document of the website.
RewriteEngine On
RewriteRule ^index\.html$ / [R=301,L]
The homepage of a website can usually be visited by typing the domain name and nothing else. For example, 'mysite.com' would be the same page as 'mysite.com/index.html' Hiding 'index.html' from the homepage is useful for SEO as both versions of the homepage with and without 'index.html' could be mistaken for duplicate content by search engines. It also makes the homepage URL shorter and easier to memorise as it is just the domain name.
If so, it is important that you tell me as soon as possible on this page.
Network Services Network Setups Network Standards Network Hardware Network Identifiers Network Software Internet Protocols Internet Organisations Data Transmission Technologies Web Development Web Design Web Advertising Web Applications Web Organisations Web Technologies Web Services SEO Threats To Systems, Data & Information Threats To Individuals Security Mechanisms & Technologies Computer Hardware Computer Software Ethics & Sustainability Legislation & User Data Protection
