Some useful htaccess rules

htaccess is basically a directory level configuration file for Apache based web servers. It allows you to set different decentralized configuration directives per directory and all sub-directory wide. You can say it an access control configuration file. htaccess works differently in CGI, fCGI, and Apache Module modes.

Below are some useful htaccess rules that we need frequesntly.

Prevent directory listing:
<IfModule mod_autoindex.c>
Options -Indexes

Specify directory indexes:
DirectoryIndex index.php index.html

Re-write base path:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /live/

Follow / Un-Follow Symbolic Link:
Options +FollowSymLinks
Options -FollowSymLinks

non-www to www:
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTP_HOST} !^www\.domain\.com
RewriteRule (.*)$1 [R=301,L]

www to non-www:
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTP_HOST} ^www\.domain\.com
RewriteRule (.*)$1 [R=301,L]

Force HTTPS (SSL):
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} !=on [OR]
RewriteCond %{SERVER_PORT} 80
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Force HTTPS (SSL) specific domain:
<IfModule mod_rewrite.c>
RewriteCond %{HTTP_HOST} ^domain\.com [NC]
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$$1 [R=301,L]

Force HTTPS (SSL) specific directory:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteCond %{REQUEST_URI} directory
RewriteRule ^(.*)$$1 [R=301,L]

Force HTTP (Non-SSL):
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} on
RewriteRule ^ http://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

URL redirect 301/302 (one:one or pattern match):
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteRule ^old-page-url.html [L,R=301]
RewriteRule ^page-url.html [L,R=302]
RewriteRule ^directory/(.*)$1 [L,R=301]
RedirectMatch 301 ^/old-directory/ [L,R=301]
RedirectMatch 301 ^(.*)$ [L,R=301]

Protect specific/system files:
Protect file & DB backup fils, config & ini files, or log files
<FilesMatch "(\.(bak|sql|config|ini|inc|log)|~)$">
Order allow,deny
Deny from all
Satisfy All

Block access to htaccess file
<files .htaccess>
Order allow,deny
Deny from all
Satisfy All

Protect static resource hot-linking:
You can generate hotlink prevention htaccess rule from here for your site.
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)? [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]

Header Robot Tag for Bot Access Management:
Robot directives for Document, Text, and PDF files
<FilesMatch ".(doc|docx|odt|txt|pdf)$">
<IfModule mod_headers.c>
Header append X-Robots-Tag "noindex, nofollow, noarchive, nosnippet"

Robot directive for robots.txt file itself
<FilesMatch "robots.txt">
<IfModule mod_headers.c>
Header append X-Robots-Tag "noindex"

Robot directive for sitemap XML file
<FilesMatch "sitemap.xml">
<IfModule mod_headers.c>
Header append X-Robots-Tag "noindex"

Leverage Caching of Static Files:
<IfModule mod_expires.c>
ExpiresActive On
ExpiresByType text/css A3600
ExpiresByType text/javascript A3600
ExpiresByType text/x-component A3600
ExpiresByType text/x-js A3600
ExpiresByType application/x-javascript A3600
ExpiresByType application/javascript A3600
ExpiresByType text/html A3600
ExpiresByType text/richtext A3600
ExpiresByType text/plain A3600
ExpiresByType text/xsd A3600
ExpiresByType text/xsl A3600
ExpiresByType text/xml A3600
ExpiresByType image/x-icon A604800
ExpiresByType image/jpeg A604800
ExpiresByType image/gif A604800
ExpiresByType image/bmp A604800
ExpiresByType image/png A604800
ExpiresByType image/svg+xml A604800
ExpiresByType audio/mpeg A604800
ExpiresByType audio/wav A604800
ExpiresByType audio/wma A604800
ExpiresByType audio/ogg A604800
ExpiresByType audio/midi A604800
ExpiresByType audio/x-realaudio A604800
ExpiresByType video/mp4 A604800
ExpiresByType video/avi A604800
ExpiresByType video/mpeg A604800
ExpiresByType video/asf A604800
ExpiresByType video/divx A604800
ExpiresByType video/quicktime A604800
#MS Office/Open Office
ExpiresByType application/msword A604800
ExpiresByType application/ A604800
ExpiresByType application/ A604800
ExpiresByType application/ A604800
ExpiresByType application/ A604800
ExpiresByType application/ A604800
ExpiresByType application/vnd.oasis.opendocument.database A604800
ExpiresByType application/vnd.oasis.opendocument.chart A604800
ExpiresByType application/vnd.oasis.opendocument.formula A604800
ExpiresByType application/ A604800
ExpiresByType application/vnd.oasis.opendocument.presentation A604800
ExpiresByType application/vnd.oasis.opendocument.spreadsheet A604800
ExpiresByType application/vnd.oasis.opendocument.text A604800
ExpiresByType application/font-woff A604800
ExpiresByType application/x-font-ttf A604800
ExpiresByType application/ A604800
ExpiresByType application/ A604800
ExpiresByType application/x-font-otf A604800
ExpiresByType application/ A604800
#Compressed Files
ExpiresByType application/zip A604800
ExpiresByType application/x-gzip A604800
ExpiresByType application/x-tar A604800
#JSON/PDF etc.
ExpiresByType application/json A604800
ExpiresByType application/pdf A604800
ExpiresByType application/x-shockwave-flash A604800
ExpiresByType application/java A604800
ExpiresByType application/x-msdownload A604800

Add MIME Types:
<IfModule mod_mime.c>
AddType text/css .css
AddType application/x-javascript .js
AddType text/html .html .htm
AddType text/richtext .rtf .rtx
AddType image/svg+xml .svg .svgz
AddType text/plain .txt
AddType text/xsd .xsd
AddType text/xsl .xsl
AddType text/xml .xml
AddType video/avi .avi
AddType image/bmp .bmp
AddType application/msword .doc .docx
AddType image/gif .gif
AddType application/x-gzip .gz .gzip
AddType image/x-icon .ico
AddType image/jpeg .jpg .jpeg .jpe
AddType application/json .json
AddType application/ .mdb
AddType audio/midi .mid .midi
AddType video/quicktime .mov .qt
AddType audio/mpeg .mp3 .m4a
AddType video/mp4 .mp4 .m4v
AddType video/mpeg .mpeg .mpg .mpe
AddType application/vnd.oasis.opendocument.database .odb
AddType application/vnd.oasis.opendocument.presentation .odp
AddType application/vnd.oasis.opendocument.spreadsheet .ods
AddType application/vnd.oasis.opendocument.text .odt
AddType audio/ogg .ogg
AddType application/pdf .pdf
AddType image/png .png
AddType application/ .pot .pps .ppt .pptx
AddType application/x-shockwave-flash .swf
AddType image/tiff .tif .tiff
AddType application/x-font-ttf .ttf .ttc
AddType audio/wav .wav
AddType audio/wma .wma
AddType application/font-woff .woff
AddType application/ .xla .xls .xlsx .xlt .xlw
AddType application/zip .zip

File Entity Tag:
FileETag None
<IfModule mod_headers.c>
Header unset ETag

Default Charset + Language / MIME Specific Charset + Language:
AddDefaultCharset utf-8
AddLanguage en-US
<IfModule mod_mime.c>
AddCharset utf-8 .php .html .xml .css .js .json
AddLanguage en-US .html .htm .css .js

Allow Access Origin:
<FilesMatch "\.(ttf|otf|eot|woff)$">
<IfModule mod_headers.c>
Header append Access-Control-Allow-Origin ""

GZip Compression / Deflate Module:
<IfModule mod_gzip.c>
mod_gzip_on Yes
mod_gzip_dechunk Yes
mod_gzip_item_include file .(html?|txt|css|js|php|pl)$
mod_gzip_item_include handler ^cgi-script$
mod_gzip_item_include mime ^text/.*
mod_gzip_item_include mime ^application/x-javascript.*
mod_gzip_item_exclude mime ^image/.*
mod_gzip_item_exclude rspheader ^Content-Encoding:.*gzip.*

But sometimes, based on the web server type, the above code may not work properly. Try using DEFLATE module instead.

<IfModule mod_deflate.c>
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE text/xml
AddOutputFilterByType DEFLATE text/css
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE application/rss+xml
AddOutputFilterByType DEFLATE application/javascript
AddOutputFilterByType DEFLATE application/x-javascript

Basic HTTP Authentication:
Doesn’t work properly when in fCGI mode
AuthType Basic
AuthName "Restricted Area"
AuthUserFile /absolute/directory/path/to/.htpasswd
Require valid-user

You can create a .htpasswd file from here. The file will look like below with user name as “username” and password as “password”.

Ban By IP Address:
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{Remote_Addr} ^111\.222\.121\.212$
RewriteRule ^(.*) http://localhost/ [R,L]


Order Deny,Allow
Deny from

Block Bad Bots:
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} ^BlackWidow [OR]
RewriteCond %{HTTP_USER_AGENT} ^Bot\ mailto:[email protected] [OR]
RewriteCond %{HTTP_USER_AGENT} ^ChinaClaw [OR]
RewriteCond %{HTTP_USER_AGENT} ^Custo [OR]
RewriteCond %{HTTP_USER_AGENT} ^DISCo [OR]
RewriteCond %{HTTP_USER_AGENT} ^Download\ Demon [OR]
RewriteCond %{HTTP_USER_AGENT} ^eCatch [OR]
RewriteCond %{HTTP_USER_AGENT} ^EirGrabber [OR]
RewriteCond %{HTTP_USER_AGENT} ^EmailSiphon [OR]
RewriteCond %{HTTP_USER_AGENT} ^EmailWolf [OR]
RewriteCond %{HTTP_USER_AGENT} ^Express\ WebPictures [OR]
RewriteCond %{HTTP_USER_AGENT} ^ExtractorPro [OR]
RewriteCond %{HTTP_USER_AGENT} ^EyeNetIE [OR]
RewriteCond %{HTTP_USER_AGENT} ^FlashGet [OR]
RewriteCond %{HTTP_USER_AGENT} ^GetRight [OR]
RewriteCond %{HTTP_USER_AGENT} ^GetWeb! [OR]
RewriteCond %{HTTP_USER_AGENT} ^Go!Zilla [OR]
RewriteCond %{HTTP_USER_AGENT} ^Go-Ahead-Got-It [OR]
RewriteCond %{HTTP_USER_AGENT} ^GrabNet [OR]
RewriteCond %{HTTP_USER_AGENT} ^Grafula [OR]
RewriteCond %{HTTP_USER_AGENT} ^HMView [OR]
RewriteCond %{HTTP_USER_AGENT} HTTrack [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Image\ Stripper [OR]
RewriteCond %{HTTP_USER_AGENT} ^Image\ Sucker [OR]
RewriteCond %{HTTP_USER_AGENT} Indy\ Library [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^InterGET [OR]
RewriteCond %{HTTP_USER_AGENT} ^Internet\ Ninja [OR]
RewriteCond %{HTTP_USER_AGENT} ^JetCar [OR]
RewriteCond %{HTTP_USER_AGENT} ^JOC\ Web\ Spider [OR]
RewriteCond %{HTTP_USER_AGENT} ^larbin [OR]
RewriteCond %{HTTP_USER_AGENT} ^LeechFTP [OR]
RewriteCond %{HTTP_USER_AGENT} ^Mass\ Downloader [OR]
RewriteCond %{HTTP_USER_AGENT} ^MIDown\ tool [OR]
RewriteCond %{HTTP_USER_AGENT} ^Mister\ PiX [OR]
RewriteCond %{HTTP_USER_AGENT} ^Navroad [OR]
RewriteCond %{HTTP_USER_AGENT} ^NearSite [OR]
RewriteCond %{HTTP_USER_AGENT} ^NetAnts [OR]
RewriteCond %{HTTP_USER_AGENT} ^NetSpider [OR]
RewriteCond %{HTTP_USER_AGENT} ^Net\ Vampire [OR]
RewriteCond %{HTTP_USER_AGENT} ^NetZIP [OR]
RewriteCond %{HTTP_USER_AGENT} ^Octopus [OR]
RewriteCond %{HTTP_USER_AGENT} ^Offline\ Explorer [OR]
RewriteCond %{HTTP_USER_AGENT} ^Offline\ Navigator [OR]
RewriteCond %{HTTP_USER_AGENT} ^PageGrabber [OR]
RewriteCond %{HTTP_USER_AGENT} ^Papa\ Foto [OR]
RewriteCond %{HTTP_USER_AGENT} ^pavuk [OR]
RewriteCond %{HTTP_USER_AGENT} ^pcBrowser [OR]
RewriteCond %{HTTP_USER_AGENT} ^RealDownload [OR]
RewriteCond %{HTTP_USER_AGENT} ^ReGet [OR]
RewriteCond %{HTTP_USER_AGENT} ^SiteSnagger [OR]
RewriteCond %{HTTP_USER_AGENT} ^SmartDownload [OR]
RewriteCond %{HTTP_USER_AGENT} ^SuperBot [OR]
RewriteCond %{HTTP_USER_AGENT} ^SuperHTTP [OR]
RewriteCond %{HTTP_USER_AGENT} ^Surfbot [OR]
RewriteCond %{HTTP_USER_AGENT} ^tAkeOut [OR]
RewriteCond %{HTTP_USER_AGENT} ^Teleport\ Pro [OR]
RewriteCond %{HTTP_USER_AGENT} ^VoidEYE [OR]
RewriteCond %{HTTP_USER_AGENT} ^Web\ Image\ Collector [OR]
RewriteCond %{HTTP_USER_AGENT} ^Web\ Sucker [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebAuto [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebCopier [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebFetch [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebGo\ IS [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebLeacher [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebReaper [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebSauger [OR]
RewriteCond %{HTTP_USER_AGENT} ^Website\ eXtractor [OR]
RewriteCond %{HTTP_USER_AGENT} ^Website\ Quester [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebStripper [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebWhacker [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebZIP [OR]
RewriteCond %{HTTP_USER_AGENT} ^Wget [OR]
RewriteCond %{HTTP_USER_AGENT} ^Widow [OR]
RewriteCond %{HTTP_USER_AGENT} ^Xaldon\ WebSpider [OR]
RewriteCond %{HTTP_USER_AGENT} ^Zeus
RewriteRule ^.* - [F,L]

Error Documents:
ErrorDocument 404 page-not-found.html
ErrorDocument 410 page-gone.html
ErrorDocument 403 page-forbidden.html
ErrorDocument 500 server-error.html
ErrorDocument 401 unauthorized-access.html

I will try to continue adding more rules here whenever possible 🙂

1 thought on “Some useful htaccess rules

  1. Dinesh Mitra

    Wow! These are amazing stuff! We generally search for some re-write rules or redirection rules. But here I found lots of other helpful rules, like file protection, hotlink protection, caching mechanism etc. Though I couldn’t understand all of the rules due to my lack of knowledge 🙁 , but having all these rules in one place is just great.

    Specially I liked the last line, where you told you are going to add more rules 🙂 You rocks Supratim!


Leave a Reply

Your email address will not be published. Required fields are marked *