The team behind OnlineTools4Free — building free, private browser tools.
Published Feb 4, 2026 · 8 min read · Reviewed by OnlineTools4Free
.htaccess Guide for Beginners: Redirects, Security & More
What is .htaccess?
The .htaccess file is a configuration file for Apache web servers. It sits in your website's root directory (or any subdirectory) and lets you control server behavior without touching the main server configuration. The name stands for "hypertext access."
Every time someone requests a page from your site, Apache checks for .htaccess files in the directory tree and applies their rules. This makes it a powerful tool for managing redirects, security, caching, and access control — all without restarting the server.
Important: .htaccess only works on Apache servers. If your hosting uses Nginx, LiteSpeed, or another server, the syntax is different. Check with your hosting provider if you are unsure.
URL Redirects and Rewrites
Redirects are the most common use of .htaccess. Whether you are moving pages, switching to HTTPS, or cleaning up URLs, redirects preserve your SEO rankings and prevent broken links.
301 Redirect (Permanent)
Use a 301 redirect when a page has moved permanently:
Redirect 301 /old-page.html https://example.com/new-page
Force HTTPS
Redirect all HTTP traffic to HTTPS:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
Force www or non-www
To redirect all traffic to the www version:
RewriteEngine On
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^(.*)$ https://www.%{HTTP_HOST}/$1 [L,R=301]
Remove trailing slashes
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)/$ /$1 [L,R=301]
Our Htaccess Generator can produce these rules automatically — select what you need and copy the generated code.
Security Headers
Adding security headers via .htaccess protects your visitors from common attacks:
Content Security Policy
Header set Content-Security-Policy "default-src 'self'; script-src 'self'"
This prevents loading scripts from external domains, defending against XSS attacks.
X-Frame-Options
Header always set X-Frame-Options "SAMEORIGIN"
Prevents your site from being embedded in iframes on other domains, blocking clickjacking attacks.
Strict-Transport-Security (HSTS)
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Forces browsers to only connect via HTTPS for one year. Only enable this after you have confirmed HTTPS works correctly on your site.
X-Content-Type-Options
Header always set X-Content-Type-Options "nosniff"
Prevents browsers from MIME-sniffing a response away from the declared content type.
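An added example (not from the original article) that audits response headers against the four values set in this section, using two constructed responses. The 404 sample lacks the CSP because a plain `Header set` rule is applied only to successful responses, while `Header always set` also covers error responses.

```python
import re

# Constructed sample responses (not captured from a real site).
OK_200 = """HTTP/1.1 200 OK
Content-Type: text/html
Content-Security-Policy: default-src 'self'; script-src 'self'
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
"""
ERR_404 = """HTTP/1.1 404 Not Found
Content-Type: text/html
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
"""

def parse_headers(raw):
    """Lower-cased header dict from a raw response head (status line skipped)."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:
        if not line.strip():
            break  # blank line marks the end of the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def audit(raw):
    """Return findings; an empty list means all four headers match the guide."""
    h, findings = parse_headers(raw), []
    csp = h.get("content-security-policy", "")
    if not csp:
        findings.append("CSP missing")
    elif "'unsafe-inline'" in csp or "*" in re.split(r"[;\s]+", csp):
        findings.append("CSP allows inline scripts or wildcard sources")
    if h.get("x-frame-options", "").upper() not in ("SAMEORIGIN", "DENY"):
        findings.append("X-Frame-Options missing or invalid")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    max_age = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    if not max_age:
        findings.append("HSTS missing")
    elif int(max_age.group(1)) < 31536000:
        findings.append("HSTS max-age below one year")
    return findings

if __name__ == "__main__":
    for label, raw in (("200", OK_200), ("404", ERR_404)):
        print(label, audit(raw) or "ok")
```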
Browser Caching
Caching rules tell browsers to store static files locally, reducing load times for returning visitors and lowering your server bandwidth usage.
<IfModule mod_expires.c>
ExpiresActive On
ExpiresByType image/jpeg "access plus 1 year"
ExpiresByType image/png "access plus 1 year"
ExpiresByType image/webp "access plus 1 year"
ExpiresByType text/css "access plus 1 month"
ExpiresByType application/javascript "access plus 1 month"
ExpiresByType text/html "access plus 0 seconds"
</IfModule>
Images rarely change, so a one-year cache is safe. CSS and JavaScript change more often, so one month is reasonable. HTML should never be cached because it needs to reflect the latest content.
Access Control and Password Protection
You can restrict access to specific directories using Basic Authentication:
AuthType Basic
AuthName "Restricted Area"
AuthUserFile /full/path/to/.htpasswd
Require valid-user
Create the password file with the htpasswd command-line tool. Never place the .htpasswd file inside your web-accessible directory.
Block specific IPs
<RequireAll>
Require all granted
Require not ip 192.168.1.100 10.0.0.0/8
</RequireAll>
Block access to sensitive files
# Apache 2.4+ syntax (mod_authz_core)
<FilesMatch "\.(env|log|ini|bak)$">
Require all denied
</FilesMatch>
This blocks direct access to configuration files, logs, and backups that should never be publicly accessible.
Common .htaccess Mistakes
- Redirect loops: Two conflicting redirect rules that point to each other. The browser shows "too many redirects" and gives up. Test each rule individually before combining them.
- Forgetting RewriteEngine On: Rewrite rules do nothing without this directive. It needs to appear once, before any RewriteRule lines.
- Wrong file path for .htpasswd: The path must be absolute (starting from the server root, not the web root). Use pwd in SSH to find the full path.
- Caching HTML pages: If you cache HTML with a long expiration, visitors see stale content. Set HTML expiration to 0 seconds or use no-cache headers.
- Not testing changes: A syntax error in .htaccess can return a 500 Internal Server Error for your entire site. Always keep a backup of the working file before making changes.
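An added example (not from the original article) of a small linter for the mistakes listed above, run on a constructed file. The `web_root` default is an assumed path, and `Redirect` chains are followed by exact path on the same host, a simplification of Apache's prefix matching.

```python
import re
from urllib.parse import urlparse

# Constructed sample that contains each mistake from the list above.
SAMPLE = """\
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
Redirect 301 /old-page.html https://example.com/new-page
Redirect 301 /new-page https://example.com/old-page.html
AuthUserFile /var/www/html/.htpasswd
ExpiresByType text/html "access plus 1 month"
"""

def lint_htaccess(text, web_root="/var/www/html"):
    """Return sorted (line, message) findings; web_root is an assumed document root."""
    findings, engine_on, redirects = [], False, {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        name = parts[0].lower()
        if name == "rewriteengine" and len(parts) > 1:
            engine_on = parts[1].lower() == "on"
        elif name in ("rewriterule", "rewritecond") and not engine_on:
            findings.append((n, "rewrite directive before RewriteEngine On"))
        elif name == "authuserfile" and len(parts) > 1:
            path = parts[1].strip('"')
            if not path.startswith("/"):
                findings.append((n, "AuthUserFile path is not absolute"))
            elif path.startswith(web_root.rstrip("/") + "/"):
                findings.append((n, "AuthUserFile is inside the web root"))
        elif name == "expiresbytype" and len(parts) > 2 and parts[1] == "text/html":
            if not re.search(r"plus\s+0\s+seconds?", line, re.I):
                findings.append((n, "HTML cached with a non-zero expiry"))
        elif name == "redirect" and len(parts) == 4:
            redirects[parts[2]] = (n, urlparse(parts[3]).path or "/")
    # Follow each Redirect chain until it ends or revisits a path already seen.
    for start, (n, _) in redirects.items():
        seen, cur = {start}, start
        while cur in redirects:
            cur = redirects[cur][1]
            if cur in seen:
                findings.append((n, "redirect loop starting at " + start))
                break
            seen.add(cur)
    return sorted(findings)

if __name__ == "__main__":
    print(*lint_htaccess(SAMPLE), sep="\n")
```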
Generate your .htaccess configuration quickly with our Htaccess Generator. For related SEO configuration, check out our guides on SEO meta tags and schema markup.
