Useful .htaccess rules for all websites
Here are some of my favorite .htaccess rules that I add to most of my personal sites and client projects. These techniques have been collected and refined over the years, and can help improve the usability, performance, and security of any Apache-powered website.
Note that there are cases where you would not want to add these rules. For example, if you don’t want to enable
mod_rewrite, then you wouldn’t want to add the rule that enables it. These rules are all pretty basic and straightforward, but you should understand what each technique is doing before adding to your .htaccess file.
Enable essential core functionality
This first set of rules is what inspired this tutorial. They are added to all of my sites because they enable essential functionality:
# CORE Options -Indexes Options -MultiViews Options +FollowSymlinks AddDefaultCharset UTF-8 ServerSignature Off FileETag none
Here is what these rules are doing (in order or appearance):
- Disable all directory views (recommended for better security)
- Disable multi-views (recommended for canonical URIs)
- Enable symlinks (required for permalinks/rewrites, e.g.,
- Specify the default character set for any file served
text/html(recommended for usability)
- Disables the server signature (recommended for better security)
- Disables the ETag Header (recommended for performance)
Note that, depending on your setup, an additional rule may be required to completely disable the ETag Header. See the next section for more information.
Tip: you can combine any
Options directives on a single line, for example:
Options -Indexes -MultiViews +FollowSymLinks
Unset ETag Header
This snippet disables Apache’s ETag Header:
# ETAG <IfModule mod_headers.c> Header unset ETag </IfModule>
This technique can provide a small performance boost on certain configurations. For example, disabling ETag is reported to improve performance on clustered servers. And more generally reduces the overall size of both sent and received HTTP headers.
mod_rewrite is installed on your Apache server, you can make sure it is enabled using the following snippet:
# REWRITE <IfModule mod_rewrite.c> RewriteEngine On </IfModule>
That needs to be included at least once in order for
mod_rewrite to operate.
mod_speling is installed on your Apache server, you can make sure it is enabled using the following snippet:
# SPELLING <IfModule mod_speling.c> CheckSpelling On </IfModule>
mod_speling redirects misspelled requests to any nearest matching resources. Uses a bit of memory, but can be useful if you’ve been changing URIs or have lots of similarly named URIs. To disable
mod_speling, use this instead:
mod_expires is installed on your Apache server, you can make sure it is enabled using the following snippet:
# EXPIRES <IfModule mod_expires.c> ExpiresActive on ExpiresDefault A300 </IfModule>
That also sets a default expires value of 300 seconds, so go ahead and adjust that value to suit your needs. Once enabled,
mod_expires enables caching rules such as these:
ExpiresByType image/x-icon "access plus 1 month" ExpiresByType image/svg+xml "access plus 1 month"
ExpiresByType directives, check out my post over at WP-Mix, Additional file-types for mod_expires.
Add mod_mime suport
mod_mime module is useful for a wide variety of techniques. Here is a snippet that sets proper MIME types for all files:
This technique does several things:
- Sets the default language (
- Specifies the correct language for common files (
UTF-8encoding for some common file formats (
- Adds MIME support for a wide variety of commonly used file types
The specific file types added here serve as an example of what’s possible. Basically you can add support for any required file type. And of course, if there is a type added here that you do not need, it is totally fine to remove it. In other words, customize the above code as needed.
Note: if you want to be more specific with the
DefaultLanguage, you can use
en-US, like so:
Set the default admin email address
There are various scenarios where the server outputs/displays the email address of the server administrator. For example, when there is a 500-level error, the footer of the output HTML page will include the admin’s email in order for users to contact support, etc. The default value for the admin email is taken from the server configuration, but you can customize it on most setups using the following snippet:
# ADMIN EMAIL SetEnv SERVER_ADMIN email@example.com
Note that it’s best to use a disposable email address for this purpose, as the information is presented in plain text, so spam bots eventually may discover it.
Set the default timezone
If for some reason the timezone set for your server is incorrect, you can modify it using the following snippet:
# TIMEZONE SetEnv TZ America/Los_Angeles
You can find lists of timezones online, such as this one and the one at Wikipedia.
Set the default directory index
When directory views are enabled, Apache will serve the default index file, which usually is either
index.php. If you want to use a different file, you can customize the default behavior using this snippet:
# DIRECTORY INDEX DirectoryIndex index.php index.html index.htm
Once in place, this snippet instructs Apache to use
index.php if it exists. If it does not exist, then
index.html will be used, and so on. You can specify any files in any order to display for directory views. Note that, if this rule is added to the site’s root .htaccess file, it will affect all .htaccess files in all subdirectories. So you can do that or just add directly to a specific directory to apply the rule locally.
Enable Directory Views
In the first section of this article, we see how to disable directory views, which generally is desired and good for security. But there are cases when directory views are desirable (for example, sharing music, images, and other bulk files). Here is the snippet to use to enable directory views:
# ENABLE DIRECTORY VIEWS Options +Indexes
That should only be added to the specific directory for which you want to allow open views; definitely NOT recommended to include in root .htaccess (unless you know what you are doing).
Ignore certain file types: for directories where views are enabled, you can “hide” specific file types using the following rules:
# IGNORE FILE TYPES IndexIgnore *.wmv *.mp4 *.avi *.etc
Note: if you are planning on enabling directory views on your site, check out my in-depth article on customizing directory views. It’s just packed with the juicy infos.
Disable PHP Globals
Nice little snippet to disable all PHP Global Variables:
# DISABLE GLOBALS php_flag register_globals off
Note: this doesn’t work on all configurations. In such cases you can try adding via the Apache configuration file. Ask your host for more information.
Set default rewrite base
If you are using a lot of rewrites, it may be helpful to set the default
# REWRITE BASE RewriteBase /
That is to say, if you find yourself including this line in all of your
mod_rewrite rules, you can save some space by just declaring it once before all other rewrite rules (e.g., near the top of your .htaccess file).
For more tips and tricks for improving the usability, performance, and security of your site, get my book .htaccess made easy. But don’t take my word for it, check out what readers are saying »