
25 .htaccess rules that every web developer should know

Before we begin, note that overusing .htaccess can reduce the performance of your site. The main rule: use .htaccess for a task only when there is no other option.

Make sure you back up your site's original .htaccess file before making any changes. Also remember that whether the rules below work depends on the individual settings of your web server, as specified by the hosting provider. Some directives may be prohibited and will not work.

.htaccess (from the English "hypertext access") is an additional configuration file for the Apache web server and similar servers. It lets you set a large number of additional parameters and permissions for the web server in individual directories (folders), such as controlling access to directories, reassigning file types, etc., without changing the main configuration file.

The .htaccess file can be placed in any directory. The directives of this file affect all files in the current directory and in all its subdirectories (unless these directives are overridden by the directives of .htaccess files located in those subdirectories).

For .htaccess files to be used, the main configuration file must be set up accordingly (the value of the AllowOverride directive must be set to All). As a rule, the vast majority of hosting providers allow the use of .htaccess files.

1. Prohibit downloading files from external sites

Are you tired of people who embed pictures published on your site in their own resources, thereby consuming your traffic and creating unnecessary load on your hosting? This code, placed at the end of your .htaccess file, will prevent third-party sites from loading your images.

	Options +FollowSymlinks
	# Prohibit downloading files from external sites
	# (example.com is a placeholder for your own domain)
	RewriteEngine On
	RewriteCond %{HTTP_REFERER} !^$
	RewriteCond %{HTTP_REFERER} !^http://(www\.)?example\.com [NC]
	RewriteRule \.(gif|jpg|png)$ http://example.com/stop.gif [NC]

Do not forget to substitute your own domain name and to create the image stop.gif that will be shown instead of the requested picture.

2. Block all requests from unwanted User Agents

This rule allows you to block unwanted User Agents, which can be potentially dangerous or simply overload the server with unnecessary requests.

	# Block bad bots and robots
	# Each matching User-Agent sets the bad_bot variable that Deny tests below
	SetEnvIfNoCase User-Agent "^FrontPage" bad_bot
	SetEnvIfNoCase User-Agent "^Java.*" bad_bot
	SetEnvIfNoCase User-Agent "^Microsoft.URL" bad_bot
	SetEnvIfNoCase User-Agent "^MSFrontPage" bad_bot
	SetEnvIfNoCase User-Agent "^Offline.Explorer" bad_bot
	SetEnvIfNoCase User-Agent "^[Ww]eb[Bb]andit" bad_bot
	SetEnvIfNoCase User-Agent "^Zeus" bad_bot
	Order Allow,Deny
	Allow from all
	Deny from env=bad_bot

Lists of the User Agents of browsers, robots and search engine spiders, web directories, download managers, spam bots and bad bots can be found on the List of User-Agents website.

3. Deny access to all but the specified IP addresses

If for any reason you want to deny access to everyone, or allow only individual IP addresses to access your site, add this code to your .htaccess file:

	# Deny access to all but the specified IP addresses
	# (the URL and the IP addresses are placeholders: substitute your own)
	ErrorDocument 403 http://www.example.com/
	Order deny,allow
	Deny from all
	Allow from 192.0.2.10
	Allow from 198.51.100.20

Remember to substitute your own domain name.

4. Set up an SEO-friendly 301 redirect

If you have moved a domain name (or a sub-site of your own) or want to redirect users to specific pages without being penalized by search engines, use this code:

	# Set up an SEO-friendly 301 redirect
	# (www.example.com is a placeholder for your own domain)
	Redirect 301 /1/file.html http://www.example.com/2/file.html

Remember to substitute your own domain name, and to change /1/file.html and /2/file.html to the appropriate directories and pages.

5. Create your own error pages.

Are you tired of the standard view of error pages? No problem - with the following code, you can easily create your own page and show it to the user:

	ErrorDocument 401 /error/401.php
	ErrorDocument 403 /error/403.php
	ErrorDocument 404 /error/404.php
	ErrorDocument 500 /error/500.php

Don't forget to create an error folder in the root directory of your server and place the appropriate files in it.

6. Create a black list of IP addresses

Tired of spam comments or of a specific user? Just block their IP address by adding the following code to the .htaccess file.

	# Create a black list of IP addresses
	# (203.0.113.45 is a placeholder: substitute the address to block)
	# Order allow,deny makes the deny lines override "allow from all"
	order allow,deny
	allow from all
	deny from 203.0.113.45

You can find the IP addresses of commenters either in the Apache logs or with statistics services. Many CMSs have their own built-in tools for monitoring visitors' addresses. For example, in Drupal, the IP addresses of commenters can be seen in the administrative panel under Reports.

7. Set the default e-mail address for the administrator.

Use this code to set the default e-mail address for the server administrator.

	 # Set the default e-mail address for the administrator
	 ServerSignature EMail

Do not forget to substitute your own e-mail address.

8. Protecting a specific file.

The following code lets you deny access to any file: when it is requested, a 403 error is returned. For example, I have closed access to the .htaccess file itself, increasing the overall security level of the site.

	# Protecting the .htaccess file
	<Files .htaccess>
	order allow,deny
	deny from all
	</Files>
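
The access rules in sections 2, 3, 6 and 8 use the Apache 2.2 directives Order, Allow and Deny, which Apache 2.4 accepts only through mod_access_compat. The following is an added example, not part of the original article, showing the same rules in the Apache 2.4 Require syntax; the IP addresses are documentation placeholders, and only two of the article's User-Agent patterns are repeated.

```apache
# Added example: Apache 2.4 authorization syntax (mod_authz_core, mod_authz_host).
# All IP addresses are placeholders from the documentation ranges.

# Rules 2 and 6 combined: allow everyone except flagged bots and listed IPs.
SetEnvIfNoCase User-Agent "^FrontPage" bad_bot
SetEnvIfNoCase User-Agent "^Zeus" bad_bot
<RequireAll>
	Require all granted
	Require not env bad_bot
	Require not ip 203.0.113.45
	Require not ip 198.51.100.0/24
</RequireAll>

# Rule 3 is an alternative to the block above, not an addition to it:
# deny everyone except the listed addresses. Several Require lines outside
# a container are OR-ed together, so do not keep both variants active.
# Require ip 192.0.2.10 192.0.2.20

# Rule 8: refuse every request for the .htaccess file itself.
<Files ".htaccess">
	Require all denied
</Files>
```

Do not mix the old Order/Allow/Deny directives and the new Require directives in the same file; pick the set that matches the server version.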

9. Compress elements with mod_deflate

As an alternative to compressing files with Gzip, you can use mod_deflate (presumably it works faster). Put the following code at the beginning of your .htaccess file (you can also add .jpg | .gif | .png | .tiff | .ico to the list of extensions):

	# Compressing elements with mod_deflate
	SetOutputFilter DEFLATE

10. Add an expiry date to headers

This code adds an expiry date to the response headers:

	# Add an expiry date to headers
	Header set Expires "Wed, 21 May 2010 20:00:00 GMT"

11. Set default pages

Usually the default page is index.html, but with this code you can make any other page the default.

	 # Set an alternative page by default
	 DirectoryIndex about.html 

12. Password protect folders and files.

You can enable password checking for access to any folder or file on your server using this code:

	# file password protection
	# (protected-file.php is a placeholder: substitute the file to protect)
	<Files protected-file.php>
	AuthType Basic
	AuthName "Prompt"
	AuthUserFile /pub/home/.htpasswd
	Require valid-user
	</Files>
	# password protect folders
	AuthType basic
	AuthName "This directory is protected"
	AuthUserFile /pub/home/.htpasswd
	AuthGroupFile /dev/null
	Require valid-user

To set up password access, you need to create a .htpasswd file and enter the login-password pair in the format user:password.

However, in this case the passwords will be stored in clear text, which is not very good from a security point of view. Therefore, it is better to encrypt the password. To do this, use one of the services that generate entries for .htpasswd files. For example, like this.

In our example, the file with the access passwords is in the root directory of the site and is called .htpasswd. The path is specified from the root of the server, and if it is incorrect, Apache, unable to access the file, will deny access to the folder to every user, including one who entered the correct login:password.
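
A hardened variant of the folder protection above, as an added example that is not part of the original article. It assumes Apache 2.4 with TLS terminated by Apache itself; the path /pub/home/.htpasswd is the article's, and "username" is a placeholder.

```apache
# Added example: Basic authentication, hardened.
# Create the password file locally with Apache's own htpasswd tool, so the
# password never leaves your machine ("username" is a placeholder):
#   htpasswd -B -c /pub/home/.htpasswd username
# -B stores a bcrypt hash, -c creates the file (omit -c when adding users).

# Basic auth sends the password base64-encoded with every request, so
# refuse plain-HTTP requests. If mod_ssl is not loaded this block is
# skipped and plain HTTP stays possible, so check it on your server.
<IfModule mod_ssl.c>
	SSLRequireSSL
</IfModule>

AuthType Basic
AuthName "This directory is protected"
AuthUserFile /pub/home/.htpasswd
Require valid-user

# The article keeps the password file in the site root, so make sure
# it can never be downloaded.
<Files ".htpasswd">
	Require all denied
</Files>
```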

13. Redirecting from the old domain to the new one.

Using .htaccess, you can set up redirection from the old domain name to the new one by adding the following code:

	# Redirecting from the old domain to the new one
	# (www.new-domain.example is a placeholder for your new domain)
	RewriteEngine On
	RewriteRule ^(.*)$ http://www.new-domain.example/$1 [R=301,L]

Redirection is used if you transfer your existing site to a new domain name. In this case, any user who types in the address bar will be redirected to

14. We strengthen caching

Using this rule does not directly speed up the loading of your site. It is intended to make the site load faster for a visitor who has already been there, by sending status 304 for elements that have not been updated.

  # Enhance caching
 FileETag MTime Size
 ExpiresActive on
 ExpiresDefault "access plus 1 year"

Thus, when reloading the page, the visitor's browser will not re-download images, scripts or CSS, but will output those files that are already stored in its cache. You can change the cache lifetime by adjusting its value in years (year), months (month) or, for example, seconds (seconds). In the example, 1 year is indicated.

15. Compressing site components by enabling Gzip

When using Gzip, the server compresses files before sending them to the user, which means your site will load faster.

	# Compress site components by enabling Gzip
	AddOutputFilterByType DEFLATE text/html text/plain text/xml application/xml application/xhtml+xml text/javascript text/css application/x-javascript
	BrowserMatch ^Mozilla/4 gzip-only-text/html
	BrowserMatch ^Mozilla/4\.0[678] no-gzip
	BrowserMatch \bMSIE !no-gzip !gzip-only-text/html

Please note that enabling compression increases the load on the server's processor. The AddOutputFilterByType directive must be written as one long line.

16. Remove “category” from URL

To change link to , just add the following code at the end of your .htaccess file.

	# Remove category from URL
	# (www.example.com is a placeholder for your own domain)
	RewriteRule ^category/(.+)$ http://www.example.com/$1 [R=301,L]

Be sure to substitute your own domain name.

17. Prohibit viewing the contents of a folder

To limit access to directories that may contain all sorts of information, and to keep the server secure, add this code to the .htaccess file:

	# Do not list the contents of a folder
	# ("Options All -Indexes" mixes signed and unsigned options, which
	# Apache 2.4 rejects as a syntax error; -Indexes alone turns listing off)
	Options -Indexes

18. Redirecting your RSS feed to FeedBurner

Here is how this can be done, using the Drupal RSS feed and the Google FeedBurner service as an example.

	# Redirect the Drupal RSS feed to FeedBurner
	RewriteEngine on
	RewriteCond %{HTTP_USER_AGENT} !FeedBurner [NC]
	RewriteCond %{HTTP_USER_AGENT} !FeedValidator [NC]
	RewriteRule ^rss\.xml$ http://feeds.feedburner.com/yourfeed [R=302,NC,L]

First, you must register your blog feed with FeedBurner. Then do not forget to replace yourfeed with the name of your feed in FeedBurner.

19. Forbid comments from users without Referrer

Most often, spam bots access the comments file directly, for example wp-comments-post.php, without visiting the pages of your blog entries. The code below blocks comments sent by users who came "from nowhere", allowing comments only from readers who came to your blog page from some other page (for example, Google search results).

	# Forbid comments from users without Referrer
	# (example.com is a placeholder for your blog's domain)
	RewriteEngine On
	RewriteCond %{REQUEST_URI} .comment\/reply\/*
	RewriteCond %{HTTP_REFERER} !.*example\.com.* [OR]
	RewriteCond %{HTTP_USER_AGENT} ^$
	RewriteRule (.*) http://%{REMOTE_ADDR}/ [R=301,L]

Do not forget to substitute the domain name of your blog.

20. Remove the file extension from the URL

This code lets you remove the .php file extension (you can change it to any other, for example .html) from the URLs of your pages.

	# Remove the file extension from the URL
	RewriteRule ^(([^/]+/)*[^.]+)$ /$1.php [L]

21. Protecting the site

This code lets you protect your site from script injection and from unwanted _REQUEST and/or GLOBALS modifications:

	# Enable following of symbolic links
	Options +FollowSymLinks
	# Turn on URL rewriting
	RewriteEngine On
	# Block all requests containing <script>
	RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
	# Block all scripts that try to change PHP GLOBALS variables:
	RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
	# Block all scripts that try to change the _REQUEST variable:
	RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
	# Answer all such requests with error 403 (forbidden)
	RewriteRule ^(.*)$ index.php [F,L]

22. Redirecting the visitor using the RedirectMatch directive and regular expressions

Another useful directive recommended for use is RedirectMatch. Quote: "This directive allows the use of a regular expression as the requested address (forwarding is not "from the document", but "from all documents, such as ..."). External redirect: the browser is informed about the need to load another page."

	RedirectMatch [status] regexp URL

Status values (the web server return code) are standard:

permanent (301 - permanent redirect), temp (302 - temporary redirect, come again), seeother (303 - fly there, there is a lot of tasty), gone (410 - deleted forever).

The same redirection from the old domain to the new one, without enabling RewriteEngine:

	# (www.new-domain.example is a placeholder for your new domain)
	RedirectMatch 301 ^(.*)$ http://www.new-domain.example$1

I will add that you can use not only HTTP statuses, but also other conditions:

	# (www.example.com is a placeholder for the target domain)
	RedirectMatch (.*)\.gif$ http://www.example.com$1.png
	RedirectMatch (.*\.jpg)$ http://www.example.com$1

Be sure to back up the .htaccess file before making changes, and check that the whole site still works after adding new lines.

23. Protection from direct links to images via .htaccess

Hotlinking means inserting direct links to images or files hosted on one site into another site. This technique is used quite often: for example, you do not have enough space on your server to store pictures, so you use some free service for storing image files, i.e. you upload a picture, get a URL and paste it into your site.

Bottom line: you save space on your own website and use the bandwidth of the image hosting, but that is not your concern. But what if someone decides that your site can be used as that kind of service?

How do you avoid becoming a free supplier of images and files?

Is there any protection against this? Yes, there is! To prevent other sites from using your traffic and/or simply linking directly to your files (pictures), add the following lines to your .htaccess file:

	# Ban other sites from using direct links to your pictures
	# (example.com, 192.0.2.10 and search-engine.example are placeholders:
	# substitute your own domain, your site's IP address and an allowed site)
	RewriteCond %{HTTP_REFERER} !^$
	# List of allowed domains
	RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?example\.com.*$ [NC]
	RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?example\.com:80.*$ [NC]
	# IP of the site (domain)
	RewriteCond %{HTTP_REFERER} !^http(s)?://192\.0\.2\.10.*$ [NC]
	RewriteCond %{HTTP_REFERER} !^http(s)?://192\.0\.2\.10:80.*$ [NC]
	RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?search-engine\.example [NC]
	RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?google\. [NC]
	# RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?friendly_domain [NC]
	RewriteCond %{HTTP_REFERER} !search\?q=cache [NC]
	# File formats for which protection is set
	# Returns error 403
	# RewriteRule \.(jpe?g|bmp|gif|png|css|mov|swf|dcr|exe|rar|avi|vob|zip|pdf|txt|doc|flv|mp3|mp4)$ - [NC,F,L]
	# or shows a special picture instead of the requested one
	RewriteRule .*\.(jpe?g|bmp|gif|png)$ files/images/nohotlink.jpg [NC,L]

As a result, all other sites will receive a 403 Forbidden error (i.e. access is denied) and your bandwidth "no longer works for others."

24. ImageCache and hotlink protection via .htaccess

For ImageCache the previous rule will not work, so we add the following settings:

	SetEnvIfNoCase Referer "^$" local_ref=1
	# Allowed domains
	SetEnvIfNoCase Referer "^http://(www\.)?domain\.en" local_ref=1
	SetEnvIfNoCase Referer "^http://(www\.)?domain\.com" local_ref=1
	# File extensions to protect
	# (the extension list is an assumption taken from rule 23; adjust as needed)
	<FilesMatch "\.(jpe?g|bmp|gif|png)$">
	Order Allow,Deny
	Allow from env=local_ref
	</FilesMatch>

Now we have both hotlink protection and the ImageCache module, and together they work perfectly. One caveat: with this approach it is not possible to serve a substitute picture; it only protects your images, which is the main goal.