.htaccess

.htaccess is a directory-level configuration file that Apache HTTP Server reads on every request to apply per-directory settings for URL rewriting, authentication, access control, and caching.

What .htaccess Does and When to Use It

The .htaccess file (short for "hypertext access") provides per-directory configuration for Apache HTTP Server. Apache reads the .htaccess file on every HTTP request and applies its directives to the directory where the file resides and all subdirectories beneath it. This behavior allows users to override server-wide settings without editing the main httpd.conf or restarting Apache.

The .htaccess file handles common web server tasks: URL rewriting with mod_rewrite, password protection with mod_auth_basic, IP-based access control with mod_authz_core, MIME type configuration, custom error pages, and HTTP header manipulation. Shared hosting providers rely on .htaccess because it gives each customer control over their own directory without granting access to the main server configuration.

The .htaccess file should not replace the main server configuration when root access is available. Apache reads .htaccess on every request, which creates a measurable performance overhead. Directives placed in httpd.conf or inside a <VirtualHost> block load once at server startup and apply without per-request file system lookups.

How .htaccess Works in Apache HTTP Server

Apache HTTP Server searches for .htaccess files in every directory along the path to a requested resource. A request for /var/www/html/blog/post.html causes Apache to check for .htaccess in /var/www/html/ and /var/www/html/blog/. Apache applies directives from parent directories first, then child directories. Child .htaccess files can override parent settings depending on the AllowOverride configuration.

The AllowOverride directive in httpd.conf controls which categories of directives .htaccess files can use. Setting AllowOverride All permits all .htaccess directives. Setting AllowOverride None disables .htaccess entirely. Apache 2.4 defaults to AllowOverride None, which means .htaccess files have no effect until an administrator explicitly enables them in the server configuration.

Apache processes .htaccess file contents as if they appeared inside a <Directory> block in the main configuration. Any syntax error in .htaccess causes Apache to return a 500 Internal Server Error for every request to that directory. Apache logs the specific parsing error in the server error log.

Core Concepts of .htaccess

AllowOverride Controls .htaccess Scope

The AllowOverride directive determines which directive categories .htaccess files can use. Apache groups directives into override classes: AuthConfig (authentication), FileInfo (document type control, mod_rewrite), Indexes (directory listing), Limit (access control), and Options (directory features). Specify only the classes needed to limit the attack surface.

<Directory "/var/www/html">
    AllowOverride AuthConfig FileInfo
</Directory>

Directory Scope and Inheritance in .htaccess

Each .htaccess file applies to its directory and all subdirectories. A .htaccess file in /var/www/html/ affects the entire website. A .htaccess file in /var/www/html/admin/ applies only to the admin/ directory and its children. Subdirectory .htaccess files override parent .htaccess settings for the same directives.

Performance Impact of .htaccess on Apache

Apache performs a file system lookup for .htaccess in every directory along the request path. A deeply nested URL triggers multiple disk reads per request. On high-traffic sites, this overhead accumulates. Move directives into httpd.conf or <VirtualHost> blocks when possible. Reserve .htaccess for environments where modifying the main configuration is not an option.

Apache 2.4 vs. Apache 2.2 Syntax in .htaccess

Apache 2.4 replaced the Order, Allow, and Deny directives from mod_access_compat with the Require directive from mod_authz_core. The old syntax still works if mod_access_compat is loaded, but new .htaccess files should use Apache 2.4 syntax exclusively.

Common Tasks with .htaccess

How to Force HTTPS with .htaccess

The .htaccess file redirects HTTP traffic to HTTPS using mod_rewrite. Place this block at the top of the .htaccess file in the document root:

RewriteEngine On
RewriteCond %{HTTPS} !on
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

How to Redirect URLs with .htaccess

The .htaccess file performs 301 (permanent) and 302 (temporary) redirects using the Redirect directive or mod_rewrite. Use Redirect for straightforward path-to-path redirects:

Redirect 301 /old-page https://example.com/new-page

How to Set Custom Error Pages with .htaccess

The ErrorDocument directive in .htaccess maps HTTP status codes to custom error pages. Apache serves the specified page instead of the default server error response:

ErrorDocument 404 /errors/not-found.html
ErrorDocument 500 /errors/server-error.html

How to Block IP Addresses with .htaccess

The .htaccess file blocks specific IP addresses using the Require directive in Apache 2.4. Wrap the block in a <RequireAll> container to deny one IP while allowing all others:

<RequireAll>
    Require all granted
    Require not ip 203.0.113.50
</RequireAll>

.htaccess Troubleshooting

Related Tools and Guides

Apache httpd.confis the main server configuration file. Directives in httpd.conf perform the same functions as .htaccess but load once at server startup and avoid per-request overhead.

Nginxuses a different configuration model with no .htaccess equivalent. All Nginx configuration resides in centralized config files, which eliminates per-request file lookups but requires server access for changes.