What Is a .htaccess File?
The .htaccess file is a powerful configuration file used by Apache web servers to control server behavior on a per-directory basis. The name stands for "hypertext access", and the file has been a cornerstone of Apache server administration since the early days of the web. Unlike the main Apache configuration files (httpd.conf or apache2.conf), which require a server restart to take effect, .htaccess changes are applied immediately on the next request. This makes .htaccess especially valuable on shared hosting environments where users do not have access to the main server configuration.
When Apache receives a request, it checks for .htaccess files in every directory from the document root down to the directory containing the requested file. The directives from all matching .htaccess files are merged, with directives in more specific directories overriding those in parent directories. This cascading behavior allows you to set site-wide defaults in the root .htaccess and override them in specific subdirectories as needed.
Common .htaccess Use Cases
HTTPS and WWW Redirects
Forcing HTTPS ensures that all traffic to your site is encrypted. The redirect rule uses Apache's mod_rewrite module to check if the current connection is not using HTTPS and, if so, redirects to the HTTPS version with a 301 permanent redirect. Similarly, you can standardize your domain by redirecting www to non-www or vice versa. These redirects are important for SEO because search engines treat www and non-www URLs as separate sites, and having both active can split your link equity and cause duplicate content issues.
Gzip Compression and Browser Caching
Enabling gzip compression via mod_deflate can reduce the size of text-based responses by 60 to 80 percent. The .htaccess rules specify which MIME types to compress, typically including HTML, CSS, JavaScript, JSON, XML, and SVG. Browser caching uses mod_expires or mod_headers to set Cache-Control and Expires headers for static assets like images, stylesheets, and JavaScript files. By telling browsers to cache these resources for days or weeks, you eliminate redundant downloads and dramatically improve page load times for returning visitors.
Security Headers and Access Control
Security headers protect your site against common web attacks. X-Content-Type-Options prevents MIME type sniffing. X-Frame-Options prevents clickjacking by controlling whether your page can be embedded in iframes. X-XSS-Protection enables the browser's built-in XSS filter in older browsers; current versions of Chrome, Edge, and Firefox have no such filter and ignore the header. Referrer-Policy controls how much URL information is shared when users navigate away from your site. Disabling directory listing prevents visitors from browsing your file structure when no index file is present. Protecting sensitive files like .htaccess itself, .env, and configuration files prevents accidental exposure of server internals.
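The HTTPS redirect and the security headers and access controls described above, combined into one .htaccess file as an added example that is not part of the original page. It assumes Apache 2.4 with mod_rewrite and mod_headers loaded; example.com and the list of file extensions are placeholders.

```apache
# Added example, not from the original page. Assumes Apache 2.4 and an
# AllowOverride setting that permits these directives (otherwise Apache
# answers every request in this directory with a 500 error).
# example.com is a placeholder for your canonical host name.

# 1. Force HTTPS. The target host is hard-coded instead of taken from
#    %{HTTP_HOST}, so the redirect never reflects a client-supplied Host
#    header. Behind a TLS-terminating proxy %{HTTPS} is always off and
#    this rule loops; test the proxy's forwarded-protocol header there.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule ^ https://example.com%{REQUEST_URI} [R=301,L]
</IfModule>

# 2. Security headers. "always" also applies them to error responses.
<IfModule mod_headers.c>
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    # Only affects legacy browsers that still ship an XSS filter.
    Header always set X-XSS-Protection "1; mode=block"
</IfModule>

# 3. No directory listing when a directory has no index file.
Options -Indexes

# 4. Deny every file whose name starts with a dot (.htaccess, .htpasswd,
#    .env). Files inside directories such as .well-known/ are unaffected,
#    because FilesMatch tests the file name, not the path.
<FilesMatch "^\.">
    Require all denied
</FilesMatch>

# 5. Deny common configuration and backup files (constructed list; adjust
#    it to what actually lives under your document root).
<FilesMatch "\.(ini|conf|cfg|bak|sql|log)$">
    Require all denied
</FilesMatch>
```

After deploying, a request for /.env should return 403 Forbidden, and the response headers of any page should include the four headers set in step 2.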
Hotlink Protection
Hotlink protection prevents other websites from embedding your images, videos, and other media files directly, which consumes your bandwidth without providing any benefit. The mod_rewrite rules check the HTTP Referer header and block requests that originate from domains other than your own. Legitimate requests from your own domain and search engine crawlers are allowed through, while requests from other domains are either blocked with a 403 Forbidden response or redirected to a placeholder image.
Frequently Asked Questions
What is a .htaccess file?
A configuration file for Apache web servers that applies settings on a per-directory basis. It controls redirects, access, caching, compression, security headers, and custom error pages without requiring access to the main server configuration.
Where do I put the .htaccess file?
Place it in your website's root directory (usually public_html or www). Rules apply to that directory and all subdirectories. The file must have 644 permissions and Unix-style line endings.
Does .htaccess affect performance?
Apache reads .htaccess files on every request, which adds overhead. On high-traffic sites, placing directives in the main config is better. For most sites on shared hosting, the impact is negligible.
Can .htaccess force HTTPS?
Yes. Using mod_rewrite, you redirect all HTTP traffic to HTTPS with a 301 permanent redirect. This should be one of the first rules in your .htaccess file.
What are security headers in .htaccess?
HTTP response headers set via mod_headers that instruct browsers to enable security features. They prevent MIME sniffing, clickjacking, XSS, and referrer leakage.