
Complete Guide to .htaccess Files

Among the various tools and methods available for customizing your web server, the .htaccess file is a great asset.

Perhaps the simplest and most straightforward tool used by webmasters today, it can dictate the way a site runs and operates “under the hood.” With a few simple additions to your .htaccess file, you can quickly reset document types, set up URL redirects, enable a parsing engine, and use many other features that help you manage a website and keep it running smoothly.

Anyone hoping to effectively manage their website will need to know how to manage their .htaccess file. So, we’ve put together this beginner’s guide to serve as a comprehensive resource for using .htaccess.

We tried to cover everything you need to know about .htaccess and its many use cases. You’ll learn the basics as well as see specific code samples with a brief explanation for practical implementation of each one.

Sound good? Let’s get started.


What is .htaccess?

The .htaccess file is a configuration file used on web servers that run the Apache Web Server software.

When you place a .htaccess file in a web directory, Apache detects and loads it, then carries out the instructions it contains. A .htaccess file can alter the Apache configuration to enable or disable the additional functions and features that Apache offers.

These range from basic redirects and custom handling of errors such as a 404, to more advanced functions such as image hotlink prevention and password protection of content.

Using .htaccess

The name .htaccess is not a file extension but the complete filename. You would not create a file named ‘file.htaccess’; it is simply called ‘.htaccess’. When you place this file in a directory, Apache loads it and it takes effect for that directory and for all the files and subdirectories inside it.

You can create a .htaccess file with any trusted text editor, such as Microsoft WordPad, UltraEdit, VIM, or TextPad. But note: Microsoft NotePad cannot be used.

Below is an example of what your .htaccess file might contain.

AuthName "Name of Member's Area"
AuthUserFile /path/to/password/file/.htpasswd
AuthType Basic
Require valid-user
ErrorDocument 401 /error_pages/401.html
AddHandler server-parsed .html

The above example is fairly advanced. It enables password protection on the directory, shows a customized error page when a user fails to log in, and enables Server Side Includes (SSI) in ‘.html’ files. That might sound like technical mumbo-jumbo, but fret not: it’s quite simple once you understand it, so bear with us.

As we mentioned before, this article contains ready-to-use examples: you just need to copy them, paste them, and customize them to your needs. Each example also comes with a detailed explanation, so that you can understand what each line does and why you might need it.

Once the .htaccess file is created (its contents may look like the example above, or may be a single line), just upload it. Use a File Transfer Protocol (FTP) program to do this; you probably already have one that you used to upload your website content. If you don’t, you can get one from many free websites such as Download.com; WSFTP and CuteFTP are free and easy-to-use FTP clients.

When you upload your .htaccess file, it’s essential that you upload it in ‘ASCII’ mode. ‘BINARY’ and ‘ASCII’ are two different modes for transferring data, and the .htaccess file must be transferred in ‘ASCII’ mode, not ‘BINARY’ mode. Your FTP software is likely to be in ‘BINARY’ mode by default, so look for ‘Transfer Type’ or ‘Transfer Mode’ in the menu options.

Upload your .htaccess file to the directory where you want it to take effect. After uploading, visit the directory in your browser and check whether it works properly.

Note that after uploading, the .htaccess file might not be visible in your website’s directory listings. Don’t worry: it means that your FTP software or server is hiding it, which is not an issue.

Errors can occur if the file permissions on your .htaccess file are not set correctly. This problem only occurs on certain servers, but you may need to change the permission of the file to ‘executable’ or ‘755’. You can do this with your FTP software: find the ‘CHMOD’ or ‘File Permissions’ option and enter ‘0755’.

If the .htaccess file doesn’t work, contact your web hosting provider or system administrator and make sure that .htaccess is enabled for your account. Some hosting companies do not allow its use without permission. So, if the error persists, talk to your system administrator and ask for help.

Document Errors

When a web server receives a request, it tries to respond, generally by delivering a document (such as an HTML page) or by passing the request to an application and returning its output (as with a Content Management System or other web app).

If anything goes wrong at this step, an error is generated, and each type of error has its own numeric code. You’re probably familiar with the most common one, the 404 error, which is displayed when a server cannot find a document.

If you do not specify how an error should be handled, the server simply sends the error to the browser, which displays a generic message. This is not ideal.

Creating a custom error page is always beneficial, as it shows your visitors a friendly, customized message if a URL on your website is not working. You can avoid the annoying ‘404 File Not Found’ error and instead show a custom page that explains possible solutions and guides visitors back to your content, rather than leaving them lost and frustrated. Lego’s 404 page, for example, is a fun and cute one featuring a Lego man and his motto.

To set up a custom error document, create a .htaccess file containing the text below.

ErrorDocument 404 /error_page/404.html

The line above tells Apache to show the document located at /error_page/404.html (under your website’s domain name) whenever a 404 error happens.

This example assumes that you have created the error document, named it ‘404.html’, and placed it in a directory named ‘error_page’ within your domain, for example https://www.yourdomainname.com/error_page/404.html

Like any other HTML document on your website, 404.html is a normal document and can show any content you wish; however, it is recommended to include a message such as ‘File Not Found’.

To set up more error documents, for errors such as ‘403 Forbidden’, ‘500 Internal Server’, and ‘401 Unauthorized’, create a .htaccess file containing the text below.

ErrorDocument 401 /error_pages/401.html
ErrorDocument 404 /error_pages/404.html
ErrorDocument 500 /error_pages/500.html

Showing a custom error message to your users is good, but resolving the errors is more important. Instead of static HTML documents, you can use a CGI script as the error document, so that errors are recorded in a database and can be resolved.

Again, if this sounds complex, don’t worry: setting up a custom 404 is easy nowadays thanks to the various pre-made solutions that cover the most frequent errors. Some examples can be found at HotScripts.com and the CGI Resource Index.

Redirects

A URL redirect is one of the most common uses of the .htaccess file. It is used when the URL of a document has changed: a redirect sends the visitors of your website from one specific document to another.

It’s useful, for instance, if your website content has been moved and you want to redirect your visitors from the old links to the new location. This is helpful if you have changed the domain name or reorganized your website.

To set up a redirect, create a .htaccess file containing the text below.

Redirect /old_dir/ http://www.yourdomainname.com/new_dir/index.html

The line above instructs Apache to display the ‘index.html’ document in the ‘new_dir’ directory whenever a visitor requests the ‘old_dir’ directory.

In this example, ‘old_dir’ is the location that the visitor requests; it is a directory or document within your own domain, so here the ‘old_dir’ directory is located at ‘https://www.yourdomainname.com/old_dir/’. You’ll also notice that the location to which visitors are redirected is a complete URL, not a relative one as for ‘old_dir’. This means that visitors to ‘old_dir’ can be redirected to any web document: it doesn’t need to be part of your website and could be on any website.

It’s important to know the difference between a full/absolute URL and a relative URL, as confusing them is one of the most common causes of error. A full or absolute URL includes the complete domain name. A relative URL is the document’s location within the website; it doesn’t include the domain name.

An example of a full/absolute URL would be ‘http://www.yourdomainname.com/directory/file.html’. And an example of relative URL would be ‘/directory/file.html’.

301 vs. 302 Redirects

From a browser’s standpoint there are two types of redirect, 301 and 302. 301 means “Moved Permanently”, whereas 302 means “Temporarily Moved”. 301 is used in most cases, as it preserves the SEO equity that the old URL might have and passes it to the new page.

302 redirects have little to no use, as there is hardly any reason to change a URL temporarily. Changing a URL is sometimes necessary, even though it’s undesirable. But changing it temporarily, with a plan to change it back to the original later, is a bad idea and is avoidable most of the time.

Redirect vs Rewrite

You can use .htaccess directives to change a URL in two different ways: the Redirect command and the mod_rewrite engine. The Redirect command sends the browser a redirect message that tells it which other URL to look for.

mod_rewrite, by contrast, translates the requested URL into something that the CMS or the file system understands, and the request is then handled as if the translated URL had been requested. Used this way, the browser doesn’t notice that anything happened; it simply receives the content it asked for.

You can also use mod_rewrite to produce 301 redirects that work the same way as the Redirect command but with more rule options. mod_rewrite supports complex rewriting instructions and pattern matching that Redirect cannot take advantage of.

Password Protection

One of the most important uses of .htaccess is the authentication and password protection offered by Apache. You can easily protect one or more directories of a website so that a username and password are required to access them.

The web browser handles the login process for such protected directories automatically, using a pop-up login interface (you have probably seen it before). The best method of encryption is used to encrypt the password to ensure the security of the login credentials. In this part we discuss the .htaccess authentication system in detail, explain how to set up password protection, and cover related helpful information.

To start, decide which directory you need to password protect (note that all subdirectories and files in that directory will also be protected). Then create a .htaccess file containing the text below.

AuthName "Member's Area Name"
AuthUserFile /path/to/password/file/.htpasswd
AuthType Basic
Require valid-user

In the code above, the first line tells Apache that this is a protected directory named ‘Member's Area Name’; the name is displayed in the login pop-up prompt. The second line specifies the location of the password file. The third line specifies the type of authentication; in this example we use ‘Basic’, as we are using basic HTTP authentication.

Finally, the fourth line specifies that valid login credentials are required. You can also use this line to require a specific username; for example, ‘require user username’ will require ‘username’ as the username. This is useful for password protecting an administration area, as opposed to a public directory.

The password file may be located anywhere on the web server. You must replace ‘/path/to/password/file/’ with the absolute/full path of the directory that contains the password file, and the ‘.htpasswd’ file must exist, although you can call it anything. Here we used ‘.htpasswd’ as the filename because the server will recognize it and hide it from visitors.

Note that some servers require the password file to be in the same directory as the .htaccess file. Also, it’s essential to use an absolute/full path to the password file, as a relative path or any other variation won’t work.

The contents of the password file will look similar to the text below.

username:encryptedpassword
john_mathew:dGF9Pcm/MZJp7

Passwords cannot simply be made up and typed in: on a Linux/Unix server they must be encrypted by the server, but on a Windows server use plain text passwords, as the encryption method is not offered by Windows. The password file can contain any number of user records, with only one account per row and a colon separating the username and the password.
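To check what an existing password file actually contains, the following added example (not part of the original guide) parses the ‘username:encryptedpassword’ format and reports which hashing scheme each entry uses. The sample file is constructed, apart from the ‘john_mathew’ line shown above, and the ratings ‘ok’, ‘legacy’ and ‘weak’ are this example’s own labels.

```python
import re

# Traditional DES crypt(3) output: exactly 13 characters from this alphabet.
# It only uses the first 8 characters of the password.
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")

# (prefix, scheme, rating) checked in order. Ratings are this example's own.
PREFIXES = [
    ("$2y$", "bcrypt", "ok"),
    ("$2a$", "bcrypt", "ok"),
    ("$2b$", "bcrypt", "ok"),
    ("$6$", "sha512-crypt", "ok"),
    ("$5$", "sha256-crypt", "ok"),
    ("$apr1$", "apr1-md5", "legacy"),      # salted, iterated MD5
    ("{SHA}", "sha1-unsalted", "weak"),    # one unsalted SHA-1 digest
]


def classify(field):
    """Return (scheme, rating) for the password field of one entry."""
    for prefix, scheme, rating in PREFIXES:
        if field.startswith(prefix):
            return scheme, rating
    if DES_CRYPT.match(field):
        # A 13-character plain text password would also land here.
        return "des-crypt", "weak"
    return "plaintext-or-unknown", "weak"


def audit_htpasswd(text):
    """Return a list of (line number, user, scheme, rating) tuples."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, field = line.partition(":")
        if not sep or not user or not field:
            findings.append((lineno, user or "?", "malformed", "weak"))
            continue
        scheme, rating = classify(field)
        findings.append((lineno, user, scheme, rating))
    return findings


def users_to_rehash(text):
    """Users whose entry is not rated 'ok' and should get a new hash."""
    return [user for _, user, scheme, rating in audit_htpasswd(text)
            if rating != "ok" and scheme != "malformed"]


# Constructed sample file. The hash strings are placeholders, not real hashes.
SAMPLE = """\
john_mathew:dGF9Pcm/MZJp7
alice:$apr1$CONSTRUCTED$placeholderplaceholder
bob:$2y$10$CONSTRUCTEDplaceholderCONSTRUCTEDplaceholderCONSTRUCT
carol:{SHA}CONSTRUCTEDplaceholder00000=
dave:hunter2
line without a separator
"""

if __name__ == "__main__":
    for finding in audit_htpasswd(SAMPLE):
        print(finding)
    print("re-hash:", users_to_rehash(SAMPLE))
```

The 13-character entry for ‘john_mathew’ is reported as traditional DES crypt, and ‘dave’ as plain text or unknown.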

By password protecting a directory you can provide a member’s area. A member’s area is an excellent way to track your website visitors, and it’s also a great way to bring a feeling of community to your website. Requiring registration to access your content allows you to collect information about your visitors, such as their professional status, sex and country of residence.

Thanks to the wide range of pre-built solutions available on the net, such systems are very easy to set up, and most of them can easily be installed as part of your initial website content. Two solutions offered by ionix have proven to be quite popular. One of them is ‘Locked Area’, which has been available on the net for more than 8 years and is used by more than fifty thousand websites.

It’s a simple, effective and completely free system for managing a member’s area. You can use it to set up a secure member’s area to store all your content; it includes a registration area where your website visitors can sign up for access, and an administration panel from which you can email the members and manage accounts.

Ionix offers another product called ‘OpenCrypt’, a membership management solution from ionix enterprise solution. It offers facilities such as a statistical system for analysis and a versatile registration system. Both products protect your content by ensuring that no visitor can access the member’s area without registering. ‘OpenCrypt’ can also prevent visitors from sharing their login details, which is especially useful for high-demand websites.

Note that it isn’t possible to offer visitors a logout facility: the browser caches the login credentials until the visitor closes the browser, so a visitor can leave your website and return later without needing to log in again. If the visitor closes the browser and opens it again, the login details are deleted from the cache and the pop-up prompt appears again. A logout facility has been discussed for a long time and various methods have been proposed, but none of them is reliable and effective enough to be worth discussing.

Block the visitors through IP address

Apache’s facility for blocking visitors lets you allow or deny access to specific visitors. It is useful for blocking unwanted visitors, and also for allowing only the website owner to access a specific section of the website, such as the admin area.

To block visitors and set up restrictions, create an .htaccess file containing the text below:

Order allow,deny
Deny from 192.0.2.1
Deny from 198.51.100.
Allow from all

The Deny lines above instruct Apache to block visitors coming from the IP address ‘192.0.2.1’ and from addresses beginning with ‘198.51.100.’ (both are placeholder addresses; replace them with the ones you want to block). Note that the fourth set of digits is missing from the second address, which means that any IP address matching the first three sets will be blocked; for example, ‘198.51.100.12’ and ‘198.51.100.200’ will both be blocked. Note also that ‘allow,deny’ is written without a space after the comma.

To allow yourself and block all other visitors, create an .htaccess file containing the text below:

Order deny,allow
Deny from all
Allow from 192.0.2.1

The lines above instruct Apache to block all visitors except those coming from the IP address ‘192.0.2.1’, which should be replaced with your own IP. The order matters here: with ‘Order deny,allow’ the Deny lines are evaluated first and a matching Allow line overrides them, whereas with ‘Order allow,deny’ a ‘Deny from all’ line would override the Allow line and block everyone, including you.

After the ‘Order’ line you can add any number of ‘Deny from’ and ‘Allow from’ lines. Note that the ‘Deny from all’ or ‘Allow from all’ line should be chosen according to your requirements. To restrict access to a few visitors, use ‘Order deny,allow’ with ‘Deny from all’ and add an ‘Allow from’ line for each visitor you want to admit.

Blocked visitors will get a ‘403 Forbidden’ message. This error message can be customized by following the ‘Document Errors’ part above.
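The following added example (not from the original guide) models in Python how Apache’s Order directive combines ‘Allow from’ and ‘Deny from’ lines, so that a rule set can be checked against test addresses before it is uploaded. It is a simplified sketch that handles only IPv4 addresses, partial addresses, CIDR ranges and ‘all’; the rule sets and addresses are constructed.

```python
import ipaddress

ORDERS = ("allow,deny", "deny,allow", "mutual-failure")


def covers(spec, client):
    """True if one Allow/Deny argument covers the client address (IPv4)."""
    if spec.lower() == "all":
        return True
    if "/" in spec:
        return client in ipaddress.ip_network(spec, strict=False)
    octets = spec.rstrip(".").split(".")
    if len(octets) < 4:
        # A partial address such as "198.51.100." matches the whole prefix.
        padded = ".".join(octets + ["0"] * (4 - len(octets)))
        return client in ipaddress.ip_network(f"{padded}/{8 * len(octets)}")
    return client == ipaddress.ip_address(spec)  # ValueError if not a real IP


def parse_access_rules(text):
    """Return (order, allow_specs, deny_specs) from .htaccess-style lines."""
    order, allow, deny = "deny,allow", [], []   # Apache's default Order
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        name = words[0].lower()
        if name == "order":
            # Order takes exactly one argument: "allow, deny" is an error.
            if len(words) != 2 or words[1].lower() not in ORDERS:
                raise ValueError(f"bad Order line: {raw!r}")
            order = words[1].lower()
        elif name in ("allow", "deny"):
            if len(words) < 3 or words[1].lower() != "from":
                raise ValueError(f"bad {words[0]} line: {raw!r}")
            (allow if name == "allow" else deny).extend(words[2:])
    return order, allow, deny


def is_allowed(text, client_ip):
    """Apply the Order semantics to one client address."""
    order, allow, deny = parse_access_rules(text)
    client = ipaddress.ip_address(client_ip)
    allowed = any(covers(spec, client) for spec in allow)
    denied = any(covers(spec, client) for spec in deny)
    if order == "deny,allow":
        # Deny is checked first, a matching Allow wins, default is allow.
        return allowed or not denied
    # allow,deny: must match an Allow and no Deny, default is deny.
    return allowed and not denied


# Constructed rule sets using documentation address ranges.
BLOCKLIST = """Order allow,deny
Deny from 192.0.2.1
Deny from 198.51.100.
Allow from all"""

ALLOWLIST = """Order deny,allow
Deny from all
Allow from 192.0.2.1"""

# Same lines as ALLOWLIST but with the other Order: nobody gets in.
LOCKOUT = """Order allow,deny
Allow from 192.0.2.1
Deny from all"""

if __name__ == "__main__":
    for name, rules in (("blocklist", BLOCKLIST), ("allowlist", ALLOWLIST),
                        ("lockout", LOCKOUT)):
        for ip in ("192.0.2.1", "198.51.100.12", "203.0.113.9"):
            print(name, ip, is_allowed(rules, ip))
```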

Block the visitors through referrer

A referrer is a website that contains a link to your website: when someone follows a link to a page on your site, the site they came from is called the referrer. Apache’s facility for blocking visitors lets you deny access to specific visitors based on where they are coming from. If you look at your logs and notice a surprising increase in traffic with no increase in actual file requests, then most probably someone is pinching content such as your CSS files, or attempting to hack your website (which simply means trying to find content that is not public).

To use this functionality, ‘mod_rewrite’ must be enabled on your server. Because of its demands on system resources, it may well not be enabled, so check with your hosting company or system administrator.

To block a single referrer, create an .htaccess file containing the text below.

RewriteEngine on
# Options +FollowSymlinks
RewriteCond %{HTTP_REFERER} otherdomainname\.com [NC]
RewriteRule .* - [F]

The code above instructs Apache to block traffic coming from the ‘otherdomainname.com’ URL. The ‘NC’ flag after it means the match isn’t case-sensitive, so it stops traffic from ‘otherdomainname.com’, ‘OTHERDOMAINNAME.COM’, ‘OtherDomainName.com’, and so on.

To block multiple referrers, create an .htaccess file containing the text below.

RewriteEngine on
# Options +FollowSymlinks
RewriteCond %{HTTP_REFERER} otherdomainname\.com [NC,OR]
RewriteCond %{HTTP_REFERER} anotherdomainname\.com
RewriteRule .* - [F]

The lines above tell Apache to block traffic from the URLs ‘anotherdomainname.com’ and ‘otherdomainname.com’. Note that the backslash (\) placed before ‘.com’, as in ‘domainname\.com’, is important. The difference between single and multiple referrer blocking is the [NC,OR] text in the example above, which should follow every domain except the last one.

You will notice that the line “Options +FollowSymlinks” above is commented out with a hash ‘#’. If the server shows a ‘500 Internal Server’ error, uncomment this line. The error indicates that FollowSymLinks is not configured for your server in ‘httpd.conf’. For advice on this issue, contact your system administrator.

Blocked referrers will get a ‘403 Forbidden’ error message. You can customize this error message by following the ‘Document Errors’ part of this article above.

Hotlink prevention techniques

Hotlink prevention means stopping other websites from displaying your content or files. It’s commonly used to stop other websites from showing your images, but it can also stop them from using your CSS or JavaScript files. The problem with hotlinking is that it consumes your bandwidth, which costs you money, so it is often termed ‘bandwidth theft’.

.htaccess can be used to stop other websites from using or sourcing your web content, and it can even show different content in its place. For example, it’s very common to show what’s referred to as an ‘angry man’ image in place of the image originally requested.

Note that this functionality requires ‘mod_rewrite’ to be enabled on your web server. Because of its demands on system resources, it may not be enabled already, so check with your hosting provider or system administrator.

To set up hotlink prevention for ‘.jpg’, ‘.css’ and ‘.gif’ files, create a .htaccess file containing the text below.

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?yourdomainname\.com/.*$ [NC]
RewriteRule \.(gif|jpg|css)$ - [F]

The code above instructs Apache to block requests for ‘.jpg’, ‘.css’ and ‘.gif’ files that don’t come from ‘http://www.yourdomainname.com/’. Make sure you replace ‘yourdomainname.com’ with your own website address before uploading the .htaccess file.

To set up hotlink prevention for ‘.jpg’ and ‘.gif’ files that shows alternate content, such as an angry man image, create an .htaccess file containing the text below.

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?yourdomainname\.com/.*$ [NC]
# Do not redirect requests for the replacement image itself, or the redirect would loop
RewriteCond %{REQUEST_URI} !/hotlink\.jpg$
RewriteRule \.(gif|jpg)$ http://www.yourdomainname.com/hotlink.jpg [R,L]

The code above instructs Apache to block requests for ‘.jpg’ and ‘.gif’ files that don’t come from ‘http://www.yourdomainname.com/’ and to show the file ‘http://www.yourdomainname.com/hotlink.jpg’ instead. Make sure you replace ‘yourdomainname.com’ with your own website address before you upload the .htaccess file.
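Before uploading referrer or hotlink rules it helps to see which Referer values they match. The following added example (not from the original guide) evaluates RewriteCond chains like the ones in the two sections above, using Python’s regular expressions as a stand-in for Apache’s; the Referer values are constructed and HOTLINK_BOTH_SCHEMES is a hypothetical variant that also accepts https.

```python
import re


def cond_true(pattern, flags, value):
    """Evaluate one RewriteCond pattern (optionally '!'-negated)."""
    negate = pattern.startswith("!")
    regex = pattern[1:] if negate else pattern
    hit = re.search(regex, value, re.IGNORECASE if "NC" in flags else 0)
    return (hit is not None) != negate


def rule_fires(conds, value):
    """Chain conditions as mod_rewrite does: AND by default, [OR] groups."""
    i = 0
    while i < len(conds):
        pattern, flags = conds[i]
        ok = cond_true(pattern, flags, value)
        if "OR" in flags:
            if ok:
                # One member of the OR group matched: skip the rest of it.
                while i < len(conds) and "OR" in conds[i][1]:
                    i += 1
            i += 1
            continue
        if not ok:
            return False
        i += 1
    return True


def report(conds, referers):
    """Map each Referer value to True if the rule would fire (403/redirect)."""
    return {ref: rule_fires(conds, ref) for ref in referers}


# The multiple-referrer block from the guide.
REFERRER_BLOCK = [
    (r"otherdomainname\.com", {"NC", "OR"}),
    (r"anotherdomainname\.com", set()),
]

# The guide's hotlink conditions, with the dot before "com" escaped.
HOTLINK = [
    (r"!^$", set()),
    (r"!^http://(www\.)?yourdomainname\.com/.*$", {"NC"}),
]

# Hypothetical variant that accepts the site's own pages over http or https.
HOTLINK_BOTH_SCHEMES = [
    (r"!^$", set()),
    (r"!^https?://(www\.)?yourdomainname\.com/", {"NC"}),
]

# Constructed Referer header values ("" means the header was not sent).
REFERERS = [
    "",
    "http://www.otherdomainname.com/links.html",
    "http://ANOTHERDOMAINNAME.COM/",
    "http://search.example/?q=otherdomainname.com",
    "http://www.yourdomainname.com/gallery.html",
    "https://www.yourdomainname.com/gallery.html",
    "http://blog.example/post",
]

if __name__ == "__main__":
    for name, conds in (("referrer block", REFERRER_BLOCK),
                        ("hotlink", HOTLINK),
                        ("hotlink, both schemes", HOTLINK_BOTH_SCHEMES)):
        for ref, fired in report(conds, REFERERS).items():
            print(f"{name:22} {ref!r:50} {'blocked' if fired else 'served'}")
```

The run shows that the unanchored referrer patterns match anywhere in the header, and that the ‘http://’ hotlink pattern blocks the site’s own pages when they are served over https. Because the Referer header is supplied by the client and may be absent, these rules save bandwidth rather than protect non-public content.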

To block offline browsers and ‘bad bots’

“Offline browsers” are pieces of software that download a web page and then follow its links to other pages, downloading the images and content as they go. The purpose is innocent: the visitor can browse the website after going offline, without any internet connectivity. But the bandwidth usage and server demand cost money and could get expensive.

Probably the most annoying thing about managing a website is discovering that your bandwidth is being consumed by non-human visitors such as crawlers, bots and web scrapers. Programs that visit your website to scan for email addresses, find security loopholes or source your content are often referred to as bad bots.

If your email address often ends up in ‘spam’ databases, it is because spammers have ‘bots’ programmed to scan the net and collect email addresses. Such bots and programs ignore the rules defined in ‘robots.txt’ files. They are designed to fetch information from your website, generally to republish it for nefarious SEO operations. Of course, there are some legitimate bots, like the ones from the major search engines, but the rest are like pests that eat away at your resources without delivering any value to you. Hundreds of bots have been identified and you will not be able to block all of them. You can only keep their activity down by blocking as many as you can.

Below are some useful examples for blocking site rippers and some common ‘bots’. Create an .htaccess file containing the text below.

RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ^BlackWidow [OR]
RewriteCond %{HTTP_USER_AGENT} ^Bot\ mailto:craftbot@yahoo.com [OR]
RewriteCond %{HTTP_USER_AGENT} ^ChinaClaw [OR]
RewriteCond %{HTTP_USER_AGENT} ^Custo [OR]
RewriteCond %{HTTP_USER_AGENT} ^DISCo [OR]
RewriteCond %{HTTP_USER_AGENT} ^Download\ Demon [OR]
RewriteCond %{HTTP_USER_AGENT} ^eCatch [OR]
RewriteCond %{HTTP_USER_AGENT} ^EirGrabber [OR]
RewriteCond %{HTTP_USER_AGENT} ^EmailSiphon [OR]
RewriteCond %{HTTP_USER_AGENT} ^EmailWolf [OR]
RewriteCond %{HTTP_USER_AGENT} ^Express\ WebPictures [OR]
RewriteCond %{HTTP_USER_AGENT} ^ExtractorPro [OR]
RewriteCond %{HTTP_USER_AGENT} ^EyeNetIE [OR]
RewriteCond %{HTTP_USER_AGENT} ^FlashGet [OR]
RewriteCond %{HTTP_USER_AGENT} ^GetRight [OR]
RewriteCond %{HTTP_USER_AGENT} ^GetWeb! [OR]
RewriteCond %{HTTP_USER_AGENT} ^Go!Zilla [OR]
RewriteCond %{HTTP_USER_AGENT} ^Go-Ahead-Got-It [OR]
RewriteCond %{HTTP_USER_AGENT} ^GrabNet [OR]
RewriteCond %{HTTP_USER_AGENT} ^Grafula [OR]
RewriteCond %{HTTP_USER_AGENT} ^HMView [OR]
RewriteCond %{HTTP_USER_AGENT} HTTrack [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Image\ Stripper [OR]
RewriteCond %{HTTP_USER_AGENT} ^Image\ Sucker [OR]
RewriteCond %{HTTP_USER_AGENT} Indy\ Library [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^InterGET [OR]
RewriteCond %{HTTP_USER_AGENT} ^Internet\ Ninja [OR]
RewriteCond %{HTTP_USER_AGENT} ^JetCar [OR]
RewriteCond %{HTTP_USER_AGENT} ^JOC\ Web\ Spider [OR]
RewriteCond %{HTTP_USER_AGENT} ^larbin [OR]
RewriteCond %{HTTP_USER_AGENT} ^LeechFTP [OR]
RewriteCond %{HTTP_USER_AGENT} ^Mass\ Downloader [OR]
RewriteCond %{HTTP_USER_AGENT} ^MIDown\ tool [OR]
RewriteCond %{HTTP_USER_AGENT} ^Mister\ PiX [OR]
RewriteCond %{HTTP_USER_AGENT} ^Navroad [OR]
RewriteCond %{HTTP_USER_AGENT} ^NearSite [OR]
RewriteCond %{HTTP_USER_AGENT} ^NetAnts [OR]
RewriteCond %{HTTP_USER_AGENT} ^NetSpider [OR]
RewriteCond %{HTTP_USER_AGENT} ^Net\ Vampire [OR]
RewriteCond %{HTTP_USER_AGENT} ^NetZIP [OR]
RewriteCond %{HTTP_USER_AGENT} ^Octopus [OR]
RewriteCond %{HTTP_USER_AGENT} ^Offline\ Explorer [OR]
RewriteCond %{HTTP_USER_AGENT} ^Offline\ Navigator [OR]
RewriteCond %{HTTP_USER_AGENT} ^PageGrabber [OR]
RewriteCond %{HTTP_USER_AGENT} ^Papa\ Foto [OR]
RewriteCond %{HTTP_USER_AGENT} ^pavuk [OR]
RewriteCond %{HTTP_USER_AGENT} ^pcBrowser [OR]
RewriteCond %{HTTP_USER_AGENT} ^RealDownload [OR]
RewriteCond %{HTTP_USER_AGENT} ^ReGet [OR]
RewriteCond %{HTTP_USER_AGENT} ^SiteSnagger [OR]
RewriteCond %{HTTP_USER_AGENT} ^SmartDownload [OR]
RewriteCond %{HTTP_USER_AGENT} ^SuperBot [OR]
RewriteCond %{HTTP_USER_AGENT} ^SuperHTTP [OR]
RewriteCond %{HTTP_USER_AGENT} ^Surfbot [OR]
RewriteCond %{HTTP_USER_AGENT} ^tAkeOut [OR]
RewriteCond %{HTTP_USER_AGENT} ^Teleport\ Pro [OR]
RewriteCond %{HTTP_USER_AGENT} ^VoidEYE [OR]
RewriteCond %{HTTP_USER_AGENT} ^Web\ Image\ Collector [OR]
RewriteCond %{HTTP_USER_AGENT} ^Web\ Sucker [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebAuto [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebCopier [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebFetch [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebGo\ IS [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebLeacher [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebReaper [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebSauger [OR]
RewriteCond %{HTTP_USER_AGENT} ^Website\ eXtractor [OR]
RewriteCond %{HTTP_USER_AGENT} ^Website\ Quester [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebStripper [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebWhacker [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebZIP [OR]
RewriteCond %{HTTP_USER_AGENT} ^Wget [OR]
RewriteCond %{HTTP_USER_AGENT} ^Widow [OR]
RewriteCond %{HTTP_USER_AGENT} ^WWWOFFLE [OR]
RewriteCond %{HTTP_USER_AGENT} ^Xaldon\ WebSpider [OR]
RewriteCond %{HTTP_USER_AGENT} ^Zeus
RewriteRule ^.* - [F,L]

DirectoryIndex uses

The DirectoryIndex command lets you specify a default page to display whenever a directory is accessed. For example, if a visitor requests a directory on your website (with no filename in the request), you can specify the file to load. You could display an ‘index.html’ file instead of a directory listing, or load an ‘index.php’ file instead of an ‘index.html’ file.

To set up DirectoryIndex, create an .htaccess file containing the code below:

DirectoryIndex index.html

The code above instructs Apache to show the ‘index.html’ file whenever the directory containing the .htaccess file (or any of its subdirectories) is accessed.

You can set up DirectoryIndex to try multiple files by using the text below:

DirectoryIndex index.html index.cgi index.php

The code above instructs Apache to show the file ‘index.html’ as the directory index; if that file isn’t there it shows ‘index.cgi’, and if that isn’t there either it shows ‘index.php’.

If none of the specified files is there, Apache falls back to its default settings: it shows either a message that directory listings are not available, an error message, or a listing of the directory’s files and subdirectories (this can be prevented, as discussed in the ‘disable directory listings’ section below in this article).

To add MIME types

MIME types define what kind of file something is, or rather, which file types are referred to by which file extensions. For example, the file extension ‘.zip’ refers to a ZIP file and the extension ‘.html’ refers to an HTML document.

The server generally needs this information to deal with a file correctly. MIME types are so named because of their connection with email (MIME stands for “Multipurpose Internet Mail Extensions”). ‘MIME type’ refers to a specific format for specifying the type of a file, which is why they are not just called ‘file types’.

To set up a MIME type, create a .htaccess file containing the text below.

AddType text/html htm0

‘AddType’ specifies that a MIME type is being added. The second part specifies the MIME type, in this case text/html, and the last part is the file extension, which is ‘htm0’ in the example above.

The text below resolves the commonly faced issue of SWF or MP3 files not playing.

AddType application/x-shockwave-flash swf

There is a trick for forcing a file to be downloaded through the browser’s ‘Save As’ feature: set its MIME type to application/octet-stream and the browser will immediately prompt for a download. Note that this doesn’t work in some versions of Internet Explorer.

A list of MIME types and their associated extensions is given below. If you manage your website yourself and know which file types you publish, you don’t need to paste this full list into your .htaccess file. But if many other people publish and contribute content to your website, you may want to allow many different file types so that no user has a bad experience. This applies especially if your website involves a lot of file sharing, for example a web app that handles email, or a project management application where many files are attached to a single project.

AddType text/html .html .htm
AddType text/plain .txt
AddType text/richtext .rtx
AddType text/tab-separated-values .tsv
AddType text/x-setext .etx
AddType text/x-server-parsed-html .shtml .sht
AddType application/macbinhex-40 .hqx
AddType application/netalivelink .nel
AddType application/netalive .net
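# No extension listed for these types, so they are commented out (AddType needs at least one extension):
# AddType application/news-message-id
# AddType application/news-transmission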
AddType application/octet-stream .bin .exe
AddType application/oda .oda
AddType application/pdf .pdf
AddType application/postscript .ai .eps .ps
# No extension listed, so commented out (AddType needs at least one extension):
# AddType application/remote-printing
AddType application/rtf .rtf
# No extension listed, so commented out (AddType needs at least one extension):
# AddType application/slate
AddType application/zip .zip
AddType application/x-mif .mif
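# No extension listed for these types, so they are commented out (AddType needs at least one extension):
# AddType application/wita
# AddType application/wordperfect5.1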
AddType application/x-csh .csh
AddType application/x-dvi .dvi
AddType application/x-hdf .hdf
AddType application/x-latex .latex
AddType application/x-netcdf .nc .cdf
AddType application/x-sh .sh
AddType application/x-tcl .tcl
AddType application/x-tex .tex
AddType application/x-texinfo .texinfo .texi
AddType application/x-troff .t .tr .roff
AddType application/x-troff-man .man
AddType application/x-troff-me .me
AddType application/x-troff-ms .ms
AddType application/x-wais-source .src
AddType application/x-bcpio .bcpio
AddType application/x-cpio .cpio
AddType application/x-gtar .gtar
AddType application/x-shar .shar
AddType application/x-sv4cpio .sv4cpio
AddType application/x-sv4crc .sv4crc
AddType application/x-tar .tar
AddType application/x-ustar .ustar
AddType application/x-director .dcr
AddType application/x-director .dir
AddType application/x-director .dxr
AddType application/x-onlive .sds
AddType application/x-httpd-cgi .cgi
AddType image/gif .gif .GIF
AddType image/ief .ief
AddType image/jpeg .jpeg .jpg .jpe .JPG
AddType image/tiff .tiff .tif
AddType image/x-cmu-raster .ras
AddType image/x-portable-anymap .pnm
AddType image/x-portable-bitmap .pbm
AddType image/x-portable-graymap .pgm
AddType image/x-portable-pixmap .ppm
AddType image/x-rgb .rgb
AddType image/x-xbitmap .xbm
AddType image/x-xpixmap .xpm
AddType image/x-xwindowdump .xwd
AddType audio/basic .au .snd
AddType audio/x-aiff .aif .aiff .aifc
AddType audio/x-wav .wav
AddType audio/x-pn-realaudio .ram
AddType audio/x-midi .mid
AddType video/mpeg .mpeg .mpg .mpe
AddType video/quicktime .qt .mov
AddType video/x-msvideo .avi
AddType video/x-sgi-movie .movie
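# No extension listed for these types, so they are commented out (AddType needs at least one extension):
# AddType message/external-body
# AddType message/news
# AddType message/partial
# AddType message/rfc822
# AddType multipart/alternative
# AddType multipart/appledouble
# AddType multipart/digest
# AddType multipart/mixed
# AddType multipart/parallel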
AddType x-world/x-vrml .wrl

Enabling SSI using .htaccess

SSI is short for Server Side Includes. It is a lightweight scripting language whose primary use is to embed HTML documents in other HTML documents. SSI directives are HTML tags that you add to HTML documents to call in other HTML content or CGI scripts.

For example, it’s particularly useful for adding a navigation menu to your HTML documents: a single document holds the navigation menu and all the other documents display it. It not only saves disk space but also saves effort, as you only need to modify a single file to update the content. SSI makes it easy to re-use commonly used elements such as menus, sidebars, headers and footers across a website.

Here are two examples of the HTML tags you will use for calling SSI documents. Place them in the HTML document:

<!--#exec cgi="/cgi-bin/script.cgi"-->

The code above loads the CGI script ‘script.cgi’ located in the directory ‘cgi-bin’.

<!--#include virtual="/files/document.html"-->

The code above calls the HTML document ‘document.html’ located in the directory ‘files’. It’s important that you use a relative URL and not a full URL or a path.

SSI will most likely already function on your web server, but you might need to use the file extension ‘.shtml’ rather than ‘.html’. This may be frustrating if your website is already set up with ‘.html’ extensions. In such a case, enable SSI for ‘.html’ by following the instructions below.

Create a .htaccess file following the main instructions and guidance, and include the text below.

AddHandler server-parsed .html

The line above instructs Apache Web Server to permit SSI in documents with the ‘.html’ file extension.

If you need SSI enabled for more than one file extension, create a .htaccess file following the main instructions and guidance, and include the text below.

AddHandler server-parsed .html
AddHandler server-parsed .shtml
AddHandler server-parsed .htm

The lines above instruct Apache Web Server to allow SSI in documents with the file extensions ‘.html’, ‘.shtml’ and ‘.htm’.

Enable CGI outside the cgi-bin

If your web server does not allow you to run CGI scripts outside the directory ‘cgi-bin’, CGI can be enabled. Contact your hosting service provider and system administrator before you do so.

To enable CGI, create a .htaccess file following the main instructions and guidance, and include the text below.

AddHandler cgi-script .cgi
Options +ExecCGI

The lines above instruct Apache Web Server, first, to process ‘.cgi’ files as CGI scripts and, second, to enable CGI in the directory.

Disabling the directory listings

Preventing directory listings can be quite useful if, for instance, you have a directory containing important archive files such as ‘.zip’ files, or if you want to prevent your image directories from being viewed. Alternatively, it can be useful to enable directory listings if they aren’t available on your web server, for example to display a directory listing of your important ‘.zip’ files.

To prevent directory listings, create a .htaccess file following the main instructions and guidance, and include the text below.

IndexIgnore *

The line above instructs Apache Web Server to prevent directory listings of the files and directories inside the directory that contains the .htaccess file. The ‘*’ is a wildcard, meaning no files will be displayed. You can also prevent the listing of specific file types only, for example showing listings of ‘.html’ files but not of ‘.zip’ files.

To prevent the listing of ‘.zip’ files, create a .htaccess file following the main instructions and guidance, and include the code below.

IndexIgnore *.zip

The code above instructs Apache Web Server to list all files except the ones ending with the extension ‘.zip’.

To prevent the listing of more than one file type, create a .htaccess file following the main instructions and guidance, and include the code below.

IndexIgnore *.zip *.jpg *.gif

The code above instructs Apache Web Server to list all files except the ones that end with ‘.zip’, ‘.jpg’ or ‘.gif’.

Alternatively, if your server does not allow directory listings and you want them enabled, create a .htaccess file following the main instructions and guidance, and include the text given below.

Options +Indexes

The line above instructs Apache Web Server to enable directory listings in the directory that contains the .htaccess file. It can also be reversed to disable directory listings by replacing the plus (+) sign before ‘Indexes’ with a minus (-) sign, for example ‘Options -Indexes’.

You can also include a default description for directory listings, shown at the top of the page, by adding a file named ‘HEADER’ to the same directory. This file’s contents are shown before the list of directory contents. A footer can be included by creating a file named ‘README’. This file’s contents are shown after the list of directory contents.
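The check below is an added example, not code from this guide or from Apache: it reads a .htaccess body and reports the directives from the MIME, SSI, CGI and directory-listing sections above that change what a directory exposes or executes, plus AddType lines that Apache would reject. The function name, the messages and the sample file are constructed for illustration.

```python
def audit_htaccess(text):
    """Return sorted (line_number, note) pairs for directives worth reviewing."""
    findings, ignore_lines, listings_off = [], [], False
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):      # blank line or comment
            continue
        name, *args = line.split()
        name, low = name.lower(), [a.lower() for a in args]
        if name == "addtype" and len(args) < 2:
            findings.append((n, "AddType needs a media type plus at least one extension"))
        elif name == "options":
            if "-indexes" in low:
                listings_off = True
            if "+indexes" in low or "indexes" in low:
                findings.append((n, "directory listings are enabled here"))
            if "+execcgi" in low or "execcgi" in low:
                findings.append((n, "CGI execution is enabled here"))
        elif name == "addhandler" and low[:1] == ["cgi-script"]:
            findings.append((n, "executed as CGI: " + " ".join(args[1:])))
        elif name == "addhandler" and low[:1] == ["server-parsed"]:
            findings.append((n, "SSI directives processed in: " + " ".join(args[1:])))
        elif name == "indexignore":
            ignore_lines.append(n)
    if not listings_off:
        # IndexIgnore filters the generated listing; it is not an access rule.
        for n in ignore_lines:
            findings.append((n, "IndexIgnore only hides names from the listing; "
                                "the files stay reachable by direct URL"))
    return sorted(findings)

# Constructed sample assembled from snippets shown in this guide.
SAMPLE = """\
AddType text/html .html .htm
AddType application/news-message-id
AddHandler server-parsed .html
AddHandler cgi-script .cgi
Options +ExecCGI
Options +Indexes
IndexIgnore *.zip
"""

if __name__ == "__main__":
    for number, note in audit_htaccess(SAMPLE):
        print(f"line {number}: {note}")
```
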

Setting server timezone

Use the code below to set the web server’s timezone, for example to EST (Eastern Standard Time).

SetEnv TZ America/Indianapolis

Use the code below for Pacific Time (Los Angeles time), for example.

SetEnv TZ America/Los_Angeles

Examples of other locations include:

America/Indianapolis - Eastern Standard Time (Indiana, most locations)
America/Indiana/Knox - Eastern Standard Time (Indiana, Starke County)
America/Chicago - Central Time
America/Denver - Mountain Time
America/Detroit - Eastern Time - Michigan (most locations)
America/Boise - Mountain Time (South Idaho, East Oregon)
America/Phoenix - Mountain Standard Time (Arizona)
America/Anchorage - Alaska Time
America/Yakutat - Alaska Time (Alaska panhandle neck)
America/Adak - Aleutian Islands
America/Shiprock - Mountain Time (Navajo)
America/Los_Angeles - Pacific Time
America/Juneau - Alaska Time (Alaska panhandle)
Pacific/Honolulu - Hawaii
America/Nome - Alaska Time (west Alaska)

It’s better to reach your system administrator for instructions on European and other timezones.

Change the server signature

Use the code below to change the server signature that is displayed as part of Apache’s default error documents.

ServerSignature EMail
SetEnv SERVER_ADMIN nospace@pleasenospace.com

The above example changes the displayed email address; it’s useful in case the default address is not correctly set.

Use the code below to remove the server signature completely.

ServerSignature Off

To prevent the access to your PHP includes files

If you have a directory of PHP includes that you don’t want accessed directly from a browser, you can block access to that directory by using Mod_Rewrite.

To enable this, create a .htaccess file following the main instructions and guidance, and include the text below.

## Enable the option Mod Rewrite, it’s required only once per .htaccess file
RewriteEngine On
RewriteBase /
## This is for testing the includes directory access
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /includes/.*$ [NC]
## Check that the requested file has php extension
RewriteCond %{REQUEST_FILENAME} ^.+\.php$
## Forbid Access
RewriteRule .* - [F,NS,L]

In the above code the includes directory is /includes/

Prevent access to php.ini

If your php.ini or php.cgi files are at risk of being accessed by someone through their web browser, you can limit access to them by using .htaccess.

However, not all web hosting companies offer the option to edit the php.ini file. This is especially true for shared hosting service providers, where hundreds of websites run on a single PHP installation.

But fortunately, you have a workaround. The php.ini rules can be embedded in your .htaccess file.

To enable this, create a .htaccess file following the main instructions and guidance, and include the text below.

<FilesMatch "^php5?\.(ini|cgi)$">
Order Deny,Allow
Deny from All
Allow from env=REDIRECT_STATUS
</FilesMatch>

To force the scripts for displaying as source code

To have scripts displayed as source code instead of being executed, for instance to allow review, you can use the RemoveHandler functionality.

To enable this, create a .htaccess file following the main instructions and guidance, and include the text below.

RemoveHandler cgi-script .pl .cgi .php .py
AddType text/plain .pl .cgi .php .py

To ensure media files are downloaded instead of being played

You can ensure that media files are treated by the browser as downloads instead of being played.

To enable this, create a .htaccess file following the main instructions and guidance, and include the text below.

AddType application/octet-stream .zip .mp3 .mp4

The above code instructs Apache Web Server to treat .mp3, .mp4 and .zip files as downloads instead of identifying them by their audio, video or zip MIME types.

To Set up Associations for Encoded Files

Some browsers can uncompress encoded information on receiving it.

To allow a client to see a file that is encoded, create a .htaccess file following the main instructions and guidance, and include the text below.

AddEncoding x-gzip .gz .tgz
AddEncoding x-compress .Z

The above code instructs Apache Web Server to treat .gz and .tgz files as encoded with x-gzip, and .Z files as encoded with x-compress.

Preventing the requests containing invalid characters

If you want to deny requests that contain invalid characters, you can do so by using Mod_Rewrite. But be aware that this may break links on certain site setups.

To enable this, create a .htaccess file following the main instructions and guidance, and include the text below.

RewriteEngine On
RewriteBase /
RewriteCond %{THE_REQUEST} !^[A-Z]{3,9}\ [a-zA-Z0-9\.\+_/\-\?\=\&]+\ HTTP/ [NC]
RewriteRule .* - [F,NS,L]
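To see which links this rule would break before deploying it, the added example below (not part of the original guide) applies the same pattern to raw request lines and names the characters that cause a 403. The function names and the request lines are constructed for illustration; Apache matches THE_REQUEST before any percent-decoding, so the lines are tested as sent.

```python
import re

# Pattern copied from the RewriteCond above; the [NC] flag maps to re.IGNORECASE.
ALLOWED = re.compile(r"^[A-Z]{3,9}\ [a-zA-Z0-9\.\+_/\-\?\=\&]+\ HTTP/", re.IGNORECASE)
# The same character class on its own, used to name the characters that fail.
URI_CHAR = re.compile(r"[a-zA-Z0-9\.\+_/\-\?\=\&]")

def check_request_line(request_line):
    """Return (allowed, offending_characters) for one raw HTTP request line.

    The RewriteCond is negated with '!', so a request line that does not
    match the pattern reaches the RewriteRule and is answered 403 ([F]).
    """
    if ALLOWED.search(request_line):
        return True, ""
    parts = request_line.split(" ")
    uri = parts[1] if len(parts) > 1 else ""
    bad = "".join(sorted({c for c in uri if not URI_CHAR.fullmatch(c)}))
    return False, bad

# Constructed request lines: ordinary links next to ones the rule forbids.
SAMPLES = [
    "GET /index.php?id=5&page=2 HTTP/1.1",
    "GET /files/annual%20report.pdf HTTP/1.1",   # encoded space in a filename
    "GET /~alice/notes.html HTTP/1.1",           # per-user directory
    "GET /search?q=red,blue HTTP/1.1",           # comma in a query string
    "GET /page.php?name=<b> HTTP/1.1",           # markup characters in a parameter
]

def summarize(lines=SAMPLES):
    """Pair every request line with the rule's decision."""
    return [(line, *check_request_line(line)) for line in lines]

if __name__ == "__main__":
    for line, ok, bad in summarize():
        print("allow" if ok else "403  ", repr(bad), line)
```

Running it against request lines taken from your own access log shows how many existing URLs would start returning 403.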

Useful Resources

We have compiled below a list of websites and associated resources.

Apache Resources

  • Apache Documentation – The documentation of the main Apache Web Server.
  • Apache Directives – The directives list that is in standard Apache distribution.
  • Apache Tutorial: .htaccess file – The documentation and guidelines of official Apache.

Password Protection Resources

  • CGI-Index.com – Security resources.
  • CGI Resource Index – Resources for password protection.
  • HotScripts.com – User management resources.

Also, you may be interested in the products below which use .htaccess:

Locked Area – It is a highly sophisticated membership management and password protection system written in Perl.

DirectoryPass – It is a simple yet powerful .htaccess management system.

OpenCrypt – It is a fully automated, self-managing user/membership management system that is capable of multi-domain installations.