
Using .htaccess

.htaccess is a file that enables local overrides of the Apache configuration without having to edit the server configuration. The settings defined in .htaccess apply to the directory it is saved in and all its subdirectories.

Beware: many CMSs ship their own .htaccess files, and the rules defined there are required for their operation. In that case, do not overwrite the file; append your rules instead, carefully checking that they do not conflict with the existing ones.


This is a simple way to enable authentication for your website.

AuthUserFile .htpasswd  
AuthType Basic  
AuthName "Text shown in the pop-up login window"  
Require valid-user 

If you have SSH access to the server, you can generate the .htpasswd file directly:

htpasswd -bc .htpasswd user password

If you have neither SSH access nor any other available Linux system (the htpasswd command is part of the apache2-utils package), you can use an online generator:

However, this is a security risk, as you have no guarantee that the author of the website does not save the generated passwords.
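To avoid sending a password to a third-party site, the entry can be generated on your own machine. The following Python script is an added example, not part of the original guide: it implements Apache's apr1 (MD5-crypt) password format using only the standard library, and the function names are this example's own.

```python
import getpass
import hashlib
import secrets

# Alphabet used by crypt-style hashes (not the standard base64 order).
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _to64(value, length):
    """Encode `length` 6-bit groups of `value`, least significant group first."""
    out = ""
    for _ in range(length):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out

def apr1_hash(password, salt=None):
    """Return an apr1 hash; a random 8-character salt is drawn if none is given."""
    salt = (salt or "".join(secrets.choice(ITOA64) for _ in range(8)))[:8]
    pw, s = password.encode("utf-8"), salt.encode("ascii")
    alt = hashlib.md5(pw + s + pw).digest()        # inner digest
    ctx = hashlib.md5(pw + b"$apr1$" + s)          # outer context
    for remaining in range(len(pw), 0, -16):       # mix in len(pw) bytes of alt
        ctx.update(alt[:min(16, remaining)])
    i = len(pw)
    while i:                                       # one byte per bit of the length
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for r in range(1000):                          # fixed stretching rounds
        c = hashlib.md5(pw if r & 1 else final)
        if r % 3:
            c.update(s)
        if r % 7:
            c.update(pw)
        c.update(final if r & 1 else pw)
        final = c.digest()
    groups = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    enc = "".join(_to64(final[a] << 16 | final[b] << 8 | final[c], 4) for a, b, c in groups)
    return f"$apr1${salt}${enc}{_to64(final[11], 2)}"

def htpasswd_line(user, password, salt=None):
    """Build one .htpasswd entry; ':' separates the fields, so it cannot be in the name."""
    if not user or ":" in user or "\n" in user:
        raise ValueError("invalid user name for .htpasswd")
    return f"{user}:{apr1_hash(password, salt)}"

if __name__ == "__main__":
    # getpass keeps the password out of the shell history and the process list.
    print(htpasswd_line(input("User: "), getpass.getpass("Password: ")))
```

Save the printed line in the .htpasswd file. Where the htpasswd tool is available, its -B option (bcrypt) produces a stronger hash than apr1.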

Rewrite rules

The rewrite module allows you to redirect, spoof and alter URLs. It has broad usage, so we will showcase several common scenarios. If you want to use rewrite rules in your .htaccess file, you first need to enable them:

RewriteEngine On

Redirect to www subdomain

RewriteCond %{HTTP_HOST} ^exampledomain\.com [nc]  
RewriteRule (.*)$1 [R=301,QSA,L]

Redirect to a different domain, including the request URI

RewriteCond %{HTTP_HOST} somedomain\.com [NC]  
RewriteRule ^/(.*)$$1 [R=301,QSA,L]

Simple spoofing

RewriteRule requested\.php /spoofed.php  
RewriteRule ^requested-page /spoofed.php  
RewriteRule ^requested-content /index.php?page=requested  
RewriteRule ^news/ /index.php?category=news&page=1&sort=newest

Spoofing a pretty URL with variable

The following rule will transform to

RewriteRule ^hoover-(.*) index.php?category=products&type=hoovers&id=$1 [QSA,L]

The difference between spoofing and redirecting is that with spoofing, the URL in the browser does not change, but the client is served the content of the spoofed URL with a 200 HTTP return code. A redirect, on the other hand, changes the URL and returns a 301 or 302 HTTP return code.

You can find more examples in the official documentation:


Furthermore, you can set up a simple redirect without using mod_rewrite.

Redirect 301 /old-file.php /new-file.php  
Redirect 301 /old-page.html  

Custom error documents

You can also set up custom error pages:

ErrorDocument 401 /errors/authorization-needed.php  
ErrorDocument 403 /errors/access-denied.php  
ErrorDocument 404 /errors/not-found.php  
ErrorDocument 500 /errors/internal-server-error.php  
ErrorDocument 503 /errors/temporarily-unavailable.php  

Directory listing

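By default, when trying to access a directory without index.php, the server returns a 403 Forbidden response. If you would like to list the directory contents instead, you can achieve that with the following directive. A listing shows every file in the directory to any visitor, so enable it only for directories that are meant to be browsed.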

Options +Indexes