.htaccess snippets

Blocking

Block IP address

To block access to a certain IP address from accessing the website (or a directory), use Deny:

Deny from 100.100.100.100

To block multiple IP address, append the IP addresses to the Deny rule separated by space:

Deny from 100.100.100.100 200.200.200.200

To block an entire subnet of IP addresses, use the Deny rule:

Deny from 100.100

To block IPv6 addresses, use the Deny rule:

Deny from 00000:00000:0000:00000:0000:00000:00000

Block user-agent

To block access of a device (PC, table, phone) using a specific user-agent, use the RewriteCond rule:

RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} "=Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36"

The device's user-agent must be Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36 exactly in order for the block to work.

Deny

Deny access to directory

To deny access to a specific directory, add a .htaccess file inside the directory with the following line:

Deny from all

Deny access to file

To deny access to a specific file, add a .htaccess file inside the directory with the file you want to block:

<Files "secret.pdf">  
    Require all denied
</Files>

Deny access to hidden directories and files

To deny access to hidden directories and files (ie. anything that starts with .), use the following snippet in .htaccess:

RewriteEngine on
RewriteCond %{SCRIPT_FILENAME} -d [OR]
RewriteCond %{SCRIPT_FILENAME} -f
RewriteRule "(^|/)\." - [F]

To exclude .well-known folder, update the RewriteRule directive:

RewriteEngine on
RewriteCond %{SCRIPT_FILENAME} -d [OR]
RewriteCond %{SCRIPT_FILENAME} -f
RewriteRule "(^|/)\.(?!well-known\/)" - [F]

Prevent

Prevent hotlinking

To prevent hotlinking, update .htaccess to allow linking to your static files (ie. jpg, zip, png, css, js) only from your own domain:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)mydomain.com/.*$ [NC]
RewriteRule \.(css|js|jpg|jpeg|png|gif|zip|xml|pdf)$ - [F]

Replace mydomain and .com accordingly.

Update the list of file formats you want to deny hotlinking to separated by |:

css|js
css|js|jpg|jpeg|png|gif

Redirect

Force www

To force a redirect from non-www to www, use the RewriteEngine module with the RewriteRule rule:

RewriteEngine on
RewriteCond %{HTTP_HOST} ^mydomain\.com [NC]
RewriteRule ^(.*)$ http://www.mydomain.com/$1 [L,R=301,NC]

Replace mydomain and com accordingly.

Force www except subdomains

To force a redirect from non-www to www except any subdomains, use RegEx with the RewriteCond rule:

RewriteEngine On
RewriteCond %{HTTP_HOST} ^[0-9a-zA-Z-]+\.[a-zA-Z]{2,}$
RewriteRule ^(.*)$ https://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

Force non-www (redirect from www to non-www)

Redirect from www to a non-www variant:

RewriteEngine on
RewriteCond %{HTTP_HOST} ^www\.example\.com [NC]
RewriteRule ^(.*)$ http://mydomain.com/$1 [L,R=301]

Replace mydomain and .com accordingly.

Force HTTPS

To force HTTPS, redirect http over to https using the RewriteRule rule:

RewriteEngine on
RewriteCond %{HTTPS} !on
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

Force trailing slash

To force website URLs to end with a trailing slash, ie. mydomain.com/about/, use the RewriteRule rule to redirect the URL without trailing slash ( mydomain.com/about) to a URL with ending slash ( mydomain.com/about/).

RewriteEngine on
RewriteCond %{REQUEST_URI} /+[^\.]+$
RewriteRule ^(.+[^/])$ %{REQUEST_URI}/ [R=301,L]

Rename

Rename .php to .html

To redirect all website URLs that end with .php to .html, use the RewriteRule rule:

RewriteEngine on
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.+?)\.html$ /$1.php [R=301,L] 

Redirect

Redirect to a new domain

To redirect a domain to a different domain while keeping the URLs intact, use the RewriteRule rule.

This snippet will redirect all website URLs to the new domain, ie. mydomain.com/about will redirect to mynewdomain.com/about.

RewriteEngine On
Redirect 301 / http://mynewdomain.com/

Redirect to a single page of a new domain

To redirect a domain and all its URLs to a single page of a new domain, use the RewriteRule.

This snippet will redirect mydomain.com/about, mydomain.com to mynewdomain.com.

RewriteEngine On
RewriteRule ^(.*)$ http://mynewdomain.com/ [R=301]

Remove

Remove trailing slash

To force website domain URLs to not end with a trailing slash, ie. mydomain.com/about/, use the RewriteRule to redirect the URL from a URL with ending slash ( mydomain.com/about/) to a URL without an ending slash ( mydomain.com/about).

RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} (.+)/$
RewriteRule ^ %1 [R=301,L]

Remove extension (.html, .htm, .php) from URLs

To remove a file extension extension (.html, .htm) from URLs, use the RewriteRule rule.

This snippet will remove the .html extension from the URL and redirect mydomain.com/about.html to mydomain.com/about.

RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^([^\.]+)$ $1.html [NC,L]

If the file extension is .php (or any other extension), replace .html with .php:

RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^([^\.]+)$ $1.php [NC,L]

Remove the X-Powered-By response header

Some frameworks set a X-Powered-By response header disclosing information about the framework (ie. version number).

To disable the X-Powered-By response header, update the .htaccess file:

<IfModule mod_headers.c>
  Header unset X-Powered-By
  Header always unset X-Powered-By
</IfModule>