Where do I place .htaccess?

Place .htaccess in the directory you want to configure: `public/` for Laravel, `public_html/` or `www/` for cPanel shared hosting, or the web root served by Apache. Rules in that file apply to the directory and all subdirectories unless overridden by another .htaccess in a child directory. For WordPress, the .htaccess in the installation root controls permalink rewrites via `WP_REWRITE`.

How do I force HTTPS with .htaccess?

Use mod_rewrite: `RewriteEngine On`, `RewriteCond %{HTTPS} off`, `RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]`. The RewriteCond checks whether the current request is not over HTTPS. The RewriteRule matches any path (`^`) and redirects to the HTTPS version preserving the host and full request path. `[R=301,L]` sets a 301 permanent redirect status and stops further rule processing.

Does .htaccess work on Nginx?

No. .htaccess is exclusive to Apache and Apache-compatible servers (like LiteSpeed). Nginx does not read or support .htaccess files — it silently ignores them. For Nginx, equivalent configuration goes in the `server {}` block in `nginx.conf` or a virtual host file. Nginx `location {}` blocks handle rewrites, `add_header` handles security headers, and `expires` handles caching.

What security headers should I include?

`X-Content-Type-Options: nosniff` prevents MIME-type confusion attacks. `X-Frame-Options: SAMEORIGIN` blocks clickjacking by preventing your page from loading in iframes on other domains. `Referrer-Policy: strict-origin-when-cross-origin` limits what referrer data is sent cross-origin. `Strict-Transport-Security: max-age=31536000` enforces HTTPS for one year (add only after SSL is confirmed working). `Content-Security-Policy` is the most powerful header but requires careful per-site configuration to avoid breaking functionality.

Why did my site break after editing .htaccess?

A syntax error or a directive for an Apache module that is not enabled causes a 500 Internal Server Error for the entire directory. Keep a working backup before every edit and apply one block at a time. The generator wraps every block in an ` ` guard so a missing module is silently skipped rather than crashing the site. Check `error_log` in cPanel or via SSH to see which directive triggered the error.

Is it safe to leave .htaccess readable to visitors?

No — a publicly accessible .htaccess file exposes your server configuration and path structure. Add ` Require all denied ` (Apache 2.4) or ` Order allow,deny Deny from all ` (Apache 2.2) to block HTTP access to the file itself. The file must still be readable by the Apache process on disk — this only prevents it from being served over HTTP.

developer

Free .htaccess Generator — Apache Rules for Redirects, HTTPS & Security

An .htaccess file is an Apache server configuration file that controls URL rewrites, HTTPS enforcement, browser caching, GZIP compression, and security headers at the directory level. This generator produces ready-to-copy .htaccess blocks for the most common use cases without writing Apache syntax manually.

Free — No SignupRuns in BrowserData Never UploadedPopular tool

developer

Generate Apache .htaccess rules for redirects, HTTPS, caching, and security headers.

Force HTTPS with a clean mod_rewrite 301 redirect
www → non-www and non-www → www canonical redirect
Browser caching headers via mod_expires for static assets
GZIP compression via mod_deflate
Security response headers: X-Content-Type-Options, X-Frame-Options, Referrer-Policy, HSTS
Custom error pages and directory listing protection
Every block wrapped in <IfModule> guards — missing modules are skipped, not fatal

Features

Everything you need in one .htaccess Generator

HTTPS redirect generator

Produces a clean mod_rewrite rule that 301-redirects every HTTP request to HTTPS — the canonical way to enforce SSL across a whole site.

www / non-www canonical redirects

Pick a single canonical hostname and the generator writes the matching 301 redirect so search engines and users never see duplicate URLs.

Caching & GZIP for speed

Adds mod_expires caching headers and mod_deflate compression — two of the highest-impact, lowest-effort web performance wins.

Security headers

Outputs response headers aligned with the OWASP Secure Headers Project: X-Content-Type-Options, X-Frame-Options, and Referrer-Policy.

How It Works

How to use .htaccess Generator

Select rules to include

Toggle: force HTTPS, www redirect, browser caching, GZIP, security headers, custom error pages.

Configure options

For redirects, choose www → non-www or non-www → www. Set cache expiry per file type.

Copy and deploy

Paste the generated content into your .htaccess file in the web root (public/ or public_html/).

Format Comparison

Apache modules used by common .htaccess rules

Use case	Apache module
URL rewriting & redirects	mod_rewrite
Force HTTPS / canonical host	mod_rewrite
Browser caching of static assets	mod_expires / mod_headers
GZIP compression	mod_deflate
Security response headers	mod_headers
Custom error pages	core ErrorDocument
Directory & file access control	core Options / Require

Troubleshooting

How to fix common syntax errors

Most “invalid JSON” failures come from a small set of mistakes. Paste the failing JSON above, click Validate, and the tool points you at the exact line and column.

500 error after savingDirective for disabled module

Check Apache error_log (cPanel → Errors, or `/var/log/apache2/error.log`). Wrap all directives in <IfModule> blocks — missing modules are then skipped instead of crashing the site.

HTTPS redirect loops infinitelyMissing RewriteCond %{HTTPS} off

Add `RewriteCond %{HTTPS} off` before the redirect rule. Without it, Apache redirects the already-HTTPS request again, creating an infinite loop.

HSTS locks out HTTP-only siteStrict-Transport-Security on non-SSL server

Only add HSTS after confirming HTTPS is fully working. Start with `max-age=300` (5 minutes) before committing to `max-age=31536000` — a wrong long-term HSTS blocks all HTTP access for a year.

Hotlink protection blocks your own imagesRewriteCond HTTP_REFERER not excluding own domain

Add your own domain to the whitelist: `RewriteCond %{HTTP_REFERER} !^https?://(www\.)?yourdomain\.com`. Also add `RewriteCond %{HTTP_REFERER} !^$` to allow direct URL access.

.htaccess has no effectAllowOverride None in httpd.conf

Apache ignores .htaccess when `AllowOverride None` is set in httpd.conf or the VirtualHost block. Change to `AllowOverride All` (or the specific directives needed) and reload Apache.

Caching returns stale assets after deployBrowser serves old JS/CSS despite max-age change

Cache headers tell browsers how long to cache, but do not invalidate existing caches. Use fingerprinted filenames (`app.abc123.js`) or query strings (`?v=2`) to force browsers to request the new file.

FAQ

Frequently asked questions

An .htaccess (hypertext access) file applies Apache web server configuration at the directory level without requiring access to the main `httpd.conf` server configuration. It controls URL rewriting and redirects, HTTPS enforcement, browser caching, GZIP compression, access authentication, IP-based access control, custom error pages, and security response headers — all scoped to the directory it sits in and all its subdirectories.

Related Tools

You might also need

.env File Generator

Generate a boilerplate .env file for Laravel, Next.js, Node.js, or Docker.

Cron Expression Builder

Build cron schedules visually and get the expression + plain-English explanation.

Color Contrast Checker (WCAG)

Check foreground/background color contrast for WCAG AA and AAA compliance.

SQL Formatter

Format and beautify SQL queries with consistent indentation and keyword casing.

Regex Tester

Test regular expressions against strings with live match highlighting.

JSON Formatter & Validator

Format, validate, and minify JSON instantly in your browser.

JWT Decoder

Decode and inspect JSON Web Token header, payload, and signature.

Base64 Encoder / Decoder

Encode and decode Base64 strings instantly in your browser.

References

Need this built into your product?

We design and build custom software — SaaS platforms, MVPs, AI agents, and web apps.

Let's talk

Custom SaaS Development

End-to-end SaaS — API, auth, billing, dashboard, deployment.

MVP Development

Working product in 6–8 weeks. Fixed price, committed timeline.

AI Agent Development

Custom AI agents and workflow automation for your stack.

Web App Development

Full-stack web apps built with modern frameworks and best practices.

Have a project in mind?

We turn ideas into production-ready software — SaaS, web apps, mobile, and AI agents. Fixed price. Committed timeline. No surprises.