Where do I put the .htaccess file?

Drop it in your document root, which is usually called /public_html or /www depending on the host. Once it's there, the rules cascade down through every subdirectory unless a more specific .htaccess overrides them. The leading dot makes it a hidden file on Unix systems, so you'll need to enable 'show hidden files' in your file manager or FTP client to see it at all. Plenty of confusion comes from people uploading the file and assuming nothing happened because they couldn't see it in the directory listing.

Will it work with Nginx?

No, it's Apache-only. Nginx has its own configuration syntax that lives in nginx.conf and the various files included from it, organized into server blocks and location blocks rather than per-directory files. The closest Nginx equivalent to a RewriteRule is the rewrite directive, but the syntax is different and the conceptual model is different — Nginx reads its config once at startup rather than checking a file on every request. If you're moving from Apache to Nginx, you'll need to translate your rules manually rather than copy them across.

How do I redirect HTTP to HTTPS?

The standard three-line block is RewriteEngine On, then RewriteCond %{HTTPS} off, then RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]. The condition fires only when the request came in over plain HTTP, the rule rewrites the URL to its HTTPS equivalent, and the 301 status code tells browsers and search engines that the move is permanent. Running HTTP-only in 2026 isn't really an option — browsers warn users, search rankings suffer, and nothing modern works without it — so this redirect ends up on essentially every site.

How do I block specific bots?

The simplest approach matches against the User-Agent header — RewriteCond %{HTTP_USER_AGENT} ^.*BadBot.*$ [NC] paired with RewriteRule .* - [F,L] returns 403 Forbidden for anything matching the pattern. The NC flag makes the match case-insensitive, F sets the forbidden status, and L stops further rule processing. You can also block by IP with the older Deny from 192.168.1.1 syntax, or filter by Referer for traffic coming from spam sources. The trade-off is maintenance — bad bots rotate user agents and IPs, so a static blocklist degrades over time.

What about .htpasswd?

That's the companion file holding hashed credentials for HTTP Basic Authentication. The .htaccess block looks like AuthType Basic, AuthUserFile pointing at the absolute path of the .htpasswd file, and Require valid-user. Together they prompt the browser for credentials before serving anything in the protected directory. The mechanism is fine for simple staging environments and quick administrative areas, but Basic Auth sends credentials over the wire base64-encoded rather than encrypted, so it really only belongs behind HTTPS — and modern apps generally do their own session-based auth instead.

Will .htaccess slow down my site?

A little, yes. Apache re-reads the file on every request, walking up the directory tree to apply parent .htaccess files too, which adds a small amount of overhead per hit. The main Apache config (apache2.conf or httpd.conf) is read once at startup and cached, so it's faster in pure performance terms. For high-traffic sites that own their server, moving the rules into the main config and disabling AllowOverride is a real win. For shared hosting where you don't have main-config access, .htaccess is the only option you have, and the overhead is modest enough that it rarely matters in practice.

What if my .htaccess breaks the site?

The classic symptom is a 500 Internal Server Error covering the whole directory tree, sometimes the entire site. The recovery move is renaming the file to .htaccess.bak through whatever access you still have — FTP, SSH, the host's file manager — which immediately restores service while you figure out which line caused the problem. The discipline that prevents this in the first place is keeping a known-good backup before any edit and testing rules on a staging site before pushing to production. Apache's error log usually tells you exactly which line tripped it, so it's worth checking that first.

.htaccess Generator

Generate .htaccess rules online for Apache web servers. Free htaccess generator for redirects, caching, security, and URL rewriting.

Web & SEO Developer Tools

Instant results

SSL & Domain

Force HTTPS

WWW Preference

Performance

Enable Gzip CompressionEnable Browser Caching

Security

Hotlink Protection

Custom Error Pages

404 Page

500 Page

Redirects

Generated .htaccess

DirectoryIndex index.html index.php

About .htaccess Generator

Generate .htaccess configuration for Apache web servers. Configure SSL redirects, compression, caching, hotlink protection, and custom error pages.

How to Use .htaccess Generator

Choose rule type

Pick the pattern you're trying to implement. The common ones are HTTPS redirects, www-versus-non-www canonicalization, blocking access to specific files or directories, custom URL redirects for moved content, security headers like Content-Security-Policy and X-Frame-Options, and caching directives that set Expires and Cache-Control headers for static assets. Each pattern produces a different block of directives.

Configure parameters

Fill in the specifics — the source URL pattern, the target URL, whether you want a 301 (permanent, passes SEO authority) or 302 (temporary), and any file paths or IP addresses you want to block. The generator translates those parameters into the exact RewriteCond and RewriteRule syntax that Apache expects, including the right flags for each scenario.

Review generated rules

Read through the generated content before deploying. The output is regular .htaccess text, so you can sanity-check that the rules say what you intended. Adding a comment line above each rule that explains its purpose makes the file dramatically more maintainable when you or someone else comes back to it in eighteen months and tries to figure out why a particular redirect is in place.

Test before deploying

Save the existing .htaccess as .htaccess.bak first — that single rename gives you instant rollback if the new rules break something. Test on a staging copy of the site if you can, then deploy to production and watch for 500 Internal Server Error responses immediately afterward. If something does break, the rename trick restores the previous file in seconds while you debug.

When to Use .htaccess Generator

URL redirects

Domain migrations, switching to HTTPS, restructuring a site's URL scheme — all of these depend on getting redirect rules exactly right or watching your search rankings drop. Even a small typo in a RewriteRule can send every visitor to a 404. The generator produces well-formed .htaccess rules for the common patterns and saves you from constructing them from memory while three deadlines loom.

Security hardening

Apache offers a long list of directives for blocking bots, preventing hotlinking, restricting file access, and locking down CORS, but the syntax is unforgiving. The generator covers the standard hardening patterns — blacklist by user agent, deny direct access to sensitive directories, set security headers — without you having to remember every flag and condition format. Useful when standing up a new server or auditing an old one.

Performance optimization

A surprising amount of front-end performance comes from server config rather than code — gzip or brotli compression, long cache lifetimes for static assets, and proper Expires headers. The generator outputs the .htaccess block for these in one go, which usually moves Lighthouse scores noticeably and reduces bandwidth bills. Especially relevant on shared hosting where you can't edit the main Apache config.

URL beautification

Hiding .php or .html extensions and producing clean, hierarchical URLs is mostly a mod_rewrite exercise. The generator handles the common patterns — drop the extension, route /products/123 to /product.php?id=123, force a trailing slash convention — without forcing you to read the mod_rewrite docs end to end every time.

.htaccess Generator Examples

HTTPS redirect

Input

Force HTTPS

Output

RewriteEngine On\nRewriteCond %{HTTPS} off\nRewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

The canonical way to force HTTPS. Any HTTP request gets redirected to its HTTPS equivalent with a permanent 301 status, which preserves SEO authority and signals to crawlers that the move is intentional. Modern browsers and search engines both expect this — running HTTP-only is essentially never the right answer in 2026.

WWW canonicalization

Input

Force www subdomain

Output

RewriteEngine On\nRewriteCond %{HTTP_HOST} !^www\.\nRewriteRule ^(.*)$ https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Force every visitor to the www subdomain (or reverse the rule for the no-www variant). Either choice is fine; what matters is that you pick one. Allowing both versions splits SEO authority across two URLs and confuses analytics, so the canonicalization step is part of any properly configured site.

Block bad bots

Input

Block specific user agents

Output

RewriteEngine On\nRewriteCond %{HTTP_USER_AGENT} ^.*(BadBot|EvilCrawler).*$ [NC]\nRewriteRule .* - [F,L]

Match against the User-Agent header and return 403 Forbidden for known bad actors. The NC flag makes the match case-insensitive, the F flag forbids the request, and L tells Apache to stop processing further rules. Maintaining the list is an ongoing chore, but it cuts down on aggressive scrapers and obvious security probes.

Tips & Best Practices for .htaccess Generator

1.Test changes in staging before production. A broken .htaccess can take down the entire site with a 500 error in seconds, and recovering means SSH access — which you may not have during business hours.
2.Keep a backup of the previous file. Saving the current .htaccess as .htaccess.bak before editing means you can revert in one rename if something breaks. Cheap insurance against an afternoon of scrambling.
3.Mind the order of rules. Apache processes top to bottom, and specific rules generally need to come before general ones. RewriteEngine On belongs at the top of the rewrite section, before any RewriteRule statements.
4.Use 301 for permanent moves, 302 only when you really mean temporary. A 302 doesn't pass SEO authority to the new URL, which is fine for 'we're showing maintenance for a few hours' but disastrous for 'we're restructuring this URL forever'.
5.Comment liberally. A line that says # Force HTTPS for security and SEO is much easier for the next admin to understand than a bare RewriteRule. Future-you will thank present-you when you come back to this file in eighteen months.
6.Prefer server-level config when you have access. Apache reads the main config once at startup but re-reads .htaccess on every request, so high-traffic sites pay a small per-request cost. .htaccess is most useful on shared hosting where you can't touch the main config.

Frequently Asked Questions

It's a per-directory configuration file that the Apache web server reads at runtime, applying its rules to the directory it sits in and everything below it. The directives cover URL rewriting and redirects, access control, caching headers, compression, and MIME type overrides. The mechanism lets you change server behavior without touching the main Apache config, which is most of the appeal — especially on shared hosting where you don't have access to the main config anyway. Worth knowing that this is Apache-only territory; Nginx uses an entirely different configuration model.

.htaccess Generator

SSL & Domain

Performance

Security

Custom Error Pages

Redirects

About .htaccess Generator

How to Use .htaccess Generator

Choose rule type

Configure parameters

Review generated rules

Test before deploying

When to Use .htaccess Generator

URL redirects

Security hardening

Performance optimization

URL beautification

.htaccess Generator Examples

HTTPS redirect

WWW canonicalization

Block bad bots

Tips & Best Practices for .htaccess Generator

Frequently Asked Questions

Related Tools

Robots.txt Generator

Sitemap Generator

User Agent Parser

URL Parser

HTML Viewer

CSP Header Generator