.htaccess best practices

Use httpd.conf instead of .htaccess

.htaccess files cost performance because, whenever AllowOverride permits them, Apache has to look for an .htaccess file in the requested directory and in every directory above it on each request, and parse whatever it finds. Put the same directives in httpd.conf (or a file it includes) and set AllowOverride None for the document root instead, so Apache reads the configuration once at startup and skips the per-request lookup entirely.

You can only edit httpd.conf if you administer the server (root or sudo access). On shared hosting without that access, .htaccess is the only option, which is why the rest of this page covers it.

<VirtualHost *:80>
  DocumentRoot "/var/www/mydomain_com/public_html"
  ServerName mydomain.com
  # Without the alias, requests for www.mydomain.com may never reach this vhost
  ServerAlias www.mydomain.com

  <Directory "/var/www/mydomain_com/public_html">
      # Apache 2.4 syntax; "allow from all" is the 2.2 form and needs mod_access_compat
      Require all granted
      # Never consult .htaccess here: this is what removes the per-request lookup
      AllowOverride None
      # Directory listings disclose file names; leave them off unless you need them
      Options -Indexes +FollowSymLinks
  </Directory>

  RewriteEngine On
  # Canonicalise www.mydomain.com to mydomain.com (dots escaped, host anchored)
  RewriteCond %{HTTP_HOST} ^www\.mydomain\.com$ [NC]
  RewriteRule (.*) http://mydomain.com%{REQUEST_URI} [R=301,L]
</VirtualHost>

As few .htaccess files as possible

If possible, use a single .htaccess file in the website public root directory (such as public_html/) rather than one per subdirectory: each additional .htaccess is another file Apache has to look for and parse on every request, and directives scattered across many files are easy to lose track of.

Enable HTTP Strict Transport Security (HSTS) in .htaccess

Enable HTTP Strict Transport Security (HSTS) so that browsers that have seen the header connect to the site only over HTTPS, which blocks the downgrade (SSL-stripping) form of man-in-the-middle attack. The site must already be served over TLS with a valid certificate: browsers ignore the header when it arrives over plain HTTP, so it belongs on HTTPS responses only.

This snippet enforces HSTS on the domain and all its subdomains. Before you add includeSubDomains, confirm that every subdomain, including ones used only internally, is reachable over HTTPS, because browsers will refuse plain-HTTP connections to all of them for the whole max-age period:

<IfModule mod_headers.c>
    # env=HTTPS: only add the header to responses sent over TLS
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" env=HTTPS
</IfModule>

To enforce HSTS only on the domain but not its subdomains, remove includeSubDomains:

<IfModule mod_headers.c>
    # Same header without includeSubDomains; no trailing semicolon is needed
    Header always set Strict-Transport-Security "max-age=31536000" env=HTTPS
</IfModule>

The max-age value is in seconds; 31536000 is 365 days (one year). Browsers remember the policy for that long from the last time they saw the header, so a long max-age cannot be undone quickly: if you later need to serve the site or a subdomain over plain HTTP, clients keep refusing until the period expires or they receive max-age=0 over HTTPS. A safe rollout is to start with a short value (minutes or hours), verify nothing breaks, then raise it to a year, which is also the minimum the hstspreload.org list requires. Other values you can use for the max-age parameter are listed below.

| Duration   | max-age (seconds) |
|------------|-------------------|
| 1 minute   | 60                |
| 30 minutes | 1800              |
| 1 hour     | 3600              |
| 12 hours   | 43200             |
| 24 hours   | 86400             |
| 7 days     | 604800            |
| 1 month    | 2630000 (about 30.4 days) |
| 1 year     | 31536000          |
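To see how a browser actually reads the header values above, here is a small checker that parses a Strict-Transport-Security value the way RFC 6797 describes (directives separated by semicolons, case-insensitive names, max-age required, empty directives such as a trailing semicolon tolerated) and flags the operational pitfalls discussed in this section. This is an added example written for this page, not code from the original article or from the Apache project; the sample header values at the bottom are constructed for the demonstration and include the two values shown in the snippets above.

```python
"""Parse and sanity-check a Strict-Transport-Security header value.

Added example for this page (not from the original article or Apache).
Follows the RFC 6797 directive grammar: directives separated by ';',
names case-insensitive, max-age required, quoted values permitted.
"""
import re

ONE_YEAR = 31536000          # seconds; the max-age value the page recommends
PRELOAD_MIN_AGE = 31536000   # hstspreload.org requires at least one year


def parse_hsts(value):
    """Split a header value into {directive_name: value}; '' for flag directives.

    Raises ValueError on a duplicate directive, which RFC 6797 says makes the
    whole header invalid.
    """
    directives = {}
    for raw in value.split(";"):
        part = raw.strip()
        if not part:
            continue                      # empty directive, e.g. a trailing ';'
        name, _, val = part.partition("=")
        name = name.strip().lower()       # directive names are case-insensitive
        val = val.strip()
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]               # quoted-string form is allowed
        if name in directives:
            raise ValueError(f"duplicate directive {name!r}")
        directives[name] = val
    return directives


def check_hsts(value, scheme="https"):
    """Return (policy, warnings) for a header value received over `scheme`.

    policy is None whenever a browser would ignore the header entirely.
    """
    warnings = []
    if scheme != "https":
        # RFC 6797 section 8.1: UAs ignore HSTS received over an insecure channel
        warnings.append("header received over plain HTTP; browsers ignore it")
        return None, warnings
    try:
        d = parse_hsts(value)
    except ValueError as err:
        return None, [str(err)]
    if "max-age" not in d:
        return None, ["max-age missing; the header is invalid"]
    if not re.fullmatch(r"\d+", d["max-age"]):
        return None, [f"max-age must be a non-negative integer, got {d['max-age']!r}"]
    policy = {
        "max_age": int(d["max-age"]),
        "include_subdomains": "includesubdomains" in d,
        "preload": "preload" in d,
    }
    if policy["max_age"] == 0:
        warnings.append("max-age=0 removes the policy from the browser")
    elif policy["max_age"] < ONE_YEAR:
        warnings.append(f"max-age is {policy['max_age']}s, under the one-year value preload lists expect")
    if policy["include_subdomains"]:
        warnings.append("includeSubDomains: every subdomain must already serve HTTPS or it becomes unreachable")
    if policy["preload"] and not (policy["include_subdomains"] and policy["max_age"] >= PRELOAD_MIN_AGE):
        warnings.append("preload requires includeSubDomains and max-age >= 31536000")
    return policy, warnings


# Constructed sample values; the first two are the header values from this page.
SAMPLES = {
    "page_all_subdomains": "max-age=31536000;includeSubDomains",
    "page_domain_only":    "max-age=31536000;",
    "too_short":           "max-age=3600",
    "no_max_age":          "includeSubDomains",
    "duplicate":           "max-age=1; max-age=2",
}

if __name__ == "__main__":
    for label, hdr in SAMPLES.items():
        policy, warnings = check_hsts(hdr)
        print(f"{label}: policy={policy} warnings={warnings}")
```

Run it once against a header you are about to deploy (the value in quotes from the Header directive) before raising max-age to a year; the includeSubDomains warning is deliberate, since it is the one setting here that can take other hosts offline.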