.htaccess snippets
Blocking
Block IP address
To block a certain IP address from accessing the website (or a directory), use Deny:
Deny from 100.100.100.100
To block multiple IP addresses, append them to the Deny rule, separated by spaces:
Deny from 100.100.100.100 200.200.200.200
To block an entire subnet of IP addresses, use the Deny rule with a partial address:
Deny from 100.100
To block IPv6 addresses, use the Deny rule:
# 2001:db8::1 is a placeholder from the IPv6 documentation prefix; replace it with the address to block
Deny from 2001:db8::1
Block user-agent
To block access from a device (PC, tablet, phone) that sends a specific user-agent, use a RewriteCond condition followed by a RewriteRule that returns 403 Forbidden:
RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} "=Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36"
RewriteRule ^ - [F]
The device's user-agent must be exactly Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36 in order for the block to work.
Deny
Deny access to directory
To deny access to a specific directory, add a .htaccess file inside the directory with the following line:
Deny from all
Deny access to file
To deny access to a specific file, add a .htaccess file inside the directory that contains the file you want to block:
<Files "secret.pdf">
Require all denied
</Files>
Deny access to hidden directories and files
To deny access to hidden directories and files (i.e. anything that starts with a dot), use the following snippet in .htaccess:
RewriteEngine on
RewriteCond %{SCRIPT_FILENAME} -d [OR]
RewriteCond %{SCRIPT_FILENAME} -f
RewriteRule "(^|/)\." - [F]
To exclude the .well-known folder, update the RewriteRule directive:
RewriteEngine on
RewriteCond %{SCRIPT_FILENAME} -d [OR]
RewriteCond %{SCRIPT_FILENAME} -f
RewriteRule "(^|/)\.(?!well-known\/)" - [F]
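To check what the two patterns above forbid before deploying them, the following added example (not part of the original page) emulates the RewriteRule pattern and the -d/-f existence test in Python over a constructed sample tree. It does not run Apache; the function names and sample paths are assumptions of this example.

```python
import re
import tempfile
from pathlib import Path

# Patterns copied from the two RewriteRule directives above.
BLOCK_ALL_DOT = re.compile(r"(^|/)\.")
BLOCK_EXCEPT_WELL_KNOWN = re.compile(r"(^|/)\.(?!well-known\/)")

def is_forbidden(docroot: Path, url_path: str, pattern: re.Pattern) -> bool:
    """Emulate the snippet: 403 only if the path exists (-d or -f) and the pattern matches."""
    rel = url_path.lstrip("/")  # per-directory rules match a path without a leading slash
    target = docroot / rel
    exists = target.is_dir() or target.is_file()
    return exists and pattern.search(rel) is not None

def build_sample_docroot(root: Path) -> None:
    """Constructed sample tree, not taken from any real site."""
    for rel in (".git/config", ".env", "assets/.cache/tmp.bin",
                ".well-known/acme-challenge/token",
                "index.html", "files/report.v2.pdf"):
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("sample")

def audit(pattern: re.Pattern) -> dict:
    """Return {url_path: forbidden?} for a fixed list of constructed requests."""
    requests = ["/.git/config", "/.env", "/assets/.cache/tmp.bin",
                "/.well-known/acme-challenge/token",
                "/.well-known",          # the directory itself, no trailing slash
                "/index.html", "/files/report.v2.pdf",
                "/.missing"]             # does not exist, so the conditions fail
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_docroot(root)
        return {r: is_forbidden(root, r, pattern) for r in requests}

if __name__ == "__main__":
    for name, pat in (("block all dot paths", BLOCK_ALL_DOT),
                      ("except .well-known/", BLOCK_EXCEPT_WELL_KNOWN)):
        print(name)
        for path, forbidden in audit(pat).items():
            print(f"  {'403' if forbidden else 'ok'} {path}")
```

The lookahead exempts only paths under .well-known/ (with the slash), so the bare directory name and any other dot path nested deeper in the tree stay blocked.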
Prevent
Prevent hotlinking
To prevent hotlinking, update .htaccess to allow linking to your static files (e.g. jpg, zip, png, css, js) only from your own domain:
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?mydomain\.com/ [NC]
RewriteRule \.(css|js|jpg|jpeg|png|gif|zip|xml|pdf)$ - [F]
Replace mydomain and .com accordingly.
Update the list of file formats you want to deny hotlinking to, separated by |, for example:
css|js
css|js|jpg|jpeg|png|gif
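The decision the hotlinking rule makes can be checked against sample requests before it goes live. This is an added example, not code from the original page: it mirrors the three directives in Python, and the referer pattern (http or https, optional www, escaped dot, slash after the host) and all sample requests are assumptions of the example.

```python
import re

# Assumed own-site referer pattern; [NC] is emulated with re.IGNORECASE.
OWN_SITE = re.compile(r"^https?://(www\.)?mydomain\.com/", re.IGNORECASE)
# Extension list copied from the RewriteRule above.
PROTECTED = re.compile(r"\.(css|js|jpg|jpeg|png|gif|zip|xml|pdf)$")

def hotlink_forbidden(path: str, referer: str) -> bool:
    """Both RewriteCond lines must hold and the RewriteRule must match for a 403."""
    if referer == "":              # RewriteCond %{HTTP_REFERER} !^$
        return False               # no Referer header: the rule never fires
    if OWN_SITE.search(referer):   # RewriteCond %{HTTP_REFERER} !^https?://...
        return False               # request comes from the site's own pages
    return PROTECTED.search(path) is not None  # RewriteRule \.(css|...)$ - [F]

# Constructed sample requests: (path, Referer header, expected 403?)
CASES = [
    ("img/logo.png", "https://www.mydomain.com/about", False),
    ("img/logo.png", "http://MyDomain.com/", False),
    ("img/logo.png", "https://other.example/page", True),
    # Look-alike hosts fail because the pattern requires "/" right after ".com"
    ("img/logo.png", "https://mydomain.com.other.example/", True),
    # The escaped dot keeps "mydomainxcom" from matching
    ("img/logo.png", "https://mydomainxcom/", True),
    # Requests without a Referer pass, so the rule is not an access control
    ("img/logo.png", "", False),
    # Extensions outside the list are never blocked
    ("about.html", "https://other.example/page", False),
]

def run_cases() -> list:
    """Return the cases whose result differs from the expected value."""
    return [(p, r) for p, r, want in CASES if hotlink_forbidden(p, r) != want]

if __name__ == "__main__":
    for path, referer, _ in CASES:
        verdict = "403" if hotlink_forbidden(path, referer) else "ok"
        print(f"{verdict:3} {path:14} referer={referer!r}")
```

Because requests without a Referer header are let through, the rule reduces embedding by other sites but does not protect files that must stay private; use the Deny or Require snippets for those.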
Redirect
Force www
To force a redirect from non-www to www, turn on RewriteEngine and use the RewriteRule rule:
RewriteEngine on
RewriteCond %{HTTP_HOST} ^mydomain\.com [NC]
RewriteRule ^(.*)$ http://www.mydomain.com/$1 [L,R=301,NC]
Replace mydomain and com accordingly.
Force www except subdomains
To force a redirect from non-www to www except any subdomains, use RegEx with the RewriteCond rule:
RewriteEngine On
RewriteCond %{HTTP_HOST} ^[0-9a-zA-Z-]+\.[a-zA-Z]{2,}$
RewriteRule ^(.*)$ https://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
Force non-www (redirect from www to non-www)
Redirect from www to a non-www variant:
RewriteEngine on
RewriteCond %{HTTP_HOST} ^www\.mydomain\.com [NC]
RewriteRule ^(.*)$ http://mydomain.com/$1 [L,R=301]
Replace mydomain and .com accordingly.
Force HTTPS
To force HTTPS, redirect http over to https using the RewriteRule rule:
RewriteEngine on
RewriteCond %{HTTPS} !on
# R=301 makes the redirect permanent; L stops further rule processing
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
Force trailing slash
To force website URLs to end with a trailing slash, e.g. mydomain.com/about/, use the RewriteRule rule to redirect the URL without a trailing slash (mydomain.com/about) to a URL with an ending slash (mydomain.com/about/).
RewriteEngine on
RewriteCond %{REQUEST_URI} /+[^\.]+$
RewriteRule ^(.+[^/])$ %{REQUEST_URI}/ [R=301,L]
Rename
Rename .php to .html
To redirect all website URLs that end with .php to .html, use the RewriteRule rule:
RewriteEngine on
# Only redirect when the requested .php file no longer exists
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.+?)\.php$ /$1.html [R=301,L]
Redirect
Redirect to a new domain
To redirect a domain to a different domain while keeping the URLs intact, use the Redirect directive.
This snippet will redirect all website URLs to the new domain, e.g. mydomain.com/about will redirect to mynewdomain.com/about.
Redirect 301 / http://mynewdomain.com/
Redirect to a single page of a new domain
To redirect a domain and all its URLs to a single page of a new domain, use the RewriteRule rule.
This snippet will redirect both mydomain.com/about and mydomain.com to mynewdomain.com.
RewriteEngine On
RewriteRule ^(.*)$ http://mynewdomain.com/ [R=301,L]
Remove
Remove trailing slash
To force website URLs to not end with a trailing slash, e.g. mydomain.com/about, use the RewriteRule rule to redirect from a URL with an ending slash (mydomain.com/about/) to a URL without an ending slash (mydomain.com/about).
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} (.+)/$
RewriteRule ^ %1 [R=301,L]
Remove extension (.html, .htm, .php) from URLs
To remove a file extension (.html, .htm) from URLs, use the RewriteRule rule.
This snippet will remove the .html extension from the URL and redirect mydomain.com/about.html to mydomain.com/about.
RewriteEngine On
# When the request is not an existing file, internally map /about to about.html
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^([^\.]+)$ $1.html [NC,L]
If the file extension is .php (or any other extension), replace .html with .php:
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^([^\.]+)$ $1.php [NC,L]
Remove the X-Powered-By response header
Some frameworks set an X-Powered-By response header disclosing information about the framework (e.g. version number).
To disable the X-Powered-By response header, update the .htaccess file:
<IfModule mod_headers.c>
Header unset X-Powered-By
Header always unset X-Powered-By
</IfModule>