.htaccess best practices
Use httpd.conf instead of .htaccess
.htaccess files reduce the performance of the Apache HTTP server. Instead, write your directives in httpd.conf to improve the performance of the Apache web server.
The httpd.conf file is available if you have root access to your web server.
    <VirtualHost *:80>
        DocumentRoot "/var/www/mydomain_com"
        ServerName mydomain.com
        <Directory "/var/www/mydomain_com/public_html">
            allow from all
            Options +Indexes
        </Directory>
        Options +FollowSymLinks
        # Redirect www.mydomain.com to mydomain.com
        RewriteEngine On
        RewriteCond %{HTTP_HOST} ^www\.mydomain\.com [NC]
        RewriteRule (.*) http://mydomain.com%{REQUEST_URI} [R=301,L]
    </VirtualHost>
As few .htaccess files as possible
If possible, use only one .htaccess file, in the website's public root directory, such as public_html/.
Enable HTTP Strict Transport Security (HSTS) in .htaccess
Enable HTTP Strict Transport Security (HSTS) to help prevent man-in-the-middle attacks when using SSL certificates.
This snippet enforces HSTS on the domain and all its subdomains:
    <IfModule mod_headers.c>
        Header always set Strict-Transport-Security "max-age=31536000;includeSubDomains"
    </IfModule>
To enforce HSTS only on the domain but not its subdomains, remove includeSubDomains:
    <IfModule mod_headers.c>
        Header always set Strict-Transport-Security "max-age=31536000;"
    </IfModule>
The 31536000 value is expressed in seconds and corresponds to 365 days (one year). Other values you can use for the max-age parameter are listed below.
| Duration | max-age (seconds) |
| --- | --- |
| 1 minute | 60 |
| 30 minutes | 1800 |
| 1 hour | 3600 |
| 12 hours | 43200 |
| 24 hours | 86400 |
| 7 days | 604800 |
| 1 month | 2630000 |
| 1 year | 31536000 |
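
To check that the header value you configured says what you intended, the following added example (not part of the original page) parses a Strict-Transport-Security value and reports problems such as a misspelled includeSubDomains, which browsers silently ignore. The function name audit_hsts and the sample values are assumptions of this example; parsing follows the directive rules of RFC 6797.

```python
import re

def audit_hsts(value):
    """Parse a Strict-Transport-Security value; return (policy, findings)."""
    policy = {"max_age": None, "include_subdomains": False}
    findings, seen = [], set()
    # Simplification: split on ';' without handling ';' inside quoted strings.
    for part in value.split(";"):
        part = part.strip()
        if not part:                      # empty directives (trailing ';') are legal
            continue
        name, eq, arg = part.partition("=")
        name, arg = name.strip().lower(), arg.strip()   # names are case-insensitive
        if len(arg) >= 2 and arg[0] == arg[-1] == '"':  # max-age="60" form
            arg = arg[1:-1]
        if name in seen:
            findings.append(f"duplicate directive: {name}")
            continue
        seen.add(name)
        if name == "max-age":
            if re.fullmatch(r"[0-9]+", arg):
                policy["max_age"] = int(arg)
            else:
                findings.append(f"invalid max-age value: {arg!r}")
        elif name == "includesubdomains":
            if eq:
                findings.append("includeSubDomains takes no value")
            else:
                policy["include_subdomains"] = True
        else:
            # Browsers skip directives they do not know, so a typo is silent.
            findings.append(f"unknown directive ignored: {name}")
    if "max-age" not in seen:
        findings.append("max-age missing (required directive)")
    elif policy["max_age"] == 0:
        findings.append("max-age=0 removes the HSTS policy")
    return policy, findings

# Constructed sample values; the first two are the ones used on this page.
SAMPLES = [
    "max-age=31536000;includeSubDomains",
    "max-age=31536000;",
    "max-age=31536000; includeSubdomain",   # typo: subdomains not covered
    "includeSubDomains",                    # no max-age
    "max-age=0",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(s), "->", audit_hsts(s))
```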