ZenovayTools

.htaccess Generator

Generate Apache .htaccess rules for common configurations: force HTTPS, non-www redirect, block IPs, enable gzip compression, set cache headers, configure CORS, add security headers, and password protect directories.

Select rules

.htaccess output

# Generated by Zenovay .htaccess Generator
# Place this in your web root directory

# Force HTTPS
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

# Enable Gzip Compression
<IfModule mod_deflate.c>
  AddOutputFilterByType DEFLATE text/html text/plain text/css text/xml
  AddOutputFilterByType DEFLATE application/javascript application/x-javascript
  AddOutputFilterByType DEFLATE application/json application/xml
  AddOutputFilterByType DEFLATE image/svg+xml application/font-woff2
  BrowserMatch ^Mozilla/4 gzip-only-text/html
  BrowserMatch ^Mozilla/4\.0[678] no-gzip
  BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
</IfModule>

# Security Headers
<IfModule mod_headers.c>
  Header always set X-Frame-Options "SAMEORIGIN"
  Header always set X-Content-Type-Options "nosniff"
  Header always set Referrer-Policy "strict-origin-when-cross-origin"
  Header always set Permissions-Policy "camera=(), microphone=(), geolocation=()"
  Header always set X-XSS-Protection "1; mode=block"
</IfModule>

How to Use .htaccess Generator

  1. 1Select the rules you need from the checklist.
  2. 2Fill in any required values (domain name, IP addresses, etc.).
  3. 3The .htaccess code is generated instantly with proper Apache syntax.
  4. 4Copy and paste into your .htaccess file in the web root directory.
Zenovay

Track your website performance

Real-time analytics, session replay, heatmaps, and AI insights. 2-minute setup, privacy-first.

Try Zenovay Analytics — Free

Related Tools

JSON Formatter & ValidatorFormat, validate, and beautify JSON data with syntax highlighting and error detection.
JWT DecoderDecode and inspect JWT tokens. View header, payload, and verify signatures.
Base64 Encode/DecodeEncode text to Base64 or decode Base64 back to text. Supports UTF-8 and binary data.
URL Encode/DecodeEncode or decode URL components. Handle special characters, query strings, and full URLs.

Frequently Asked Questions

What is .htaccess and where do I put it?
The .htaccess file is a directory-level configuration file for Apache web server. It allows you to set server configuration directives for a specific directory and its subdirectories without needing to modify the main Apache configuration. Place it in your web root (public_html/ or www/ directory) for site-wide rules, or in a subdirectory to apply rules only to that directory. Note: .htaccess requires AllowOverride to be enabled in your Apache configuration. If your host doesn't support .htaccess, rules must go in httpd.conf or a VirtualHost block.
How do I force HTTPS with .htaccess?
The standard approach using mod_rewrite: RewriteEngine On / RewriteCond %{HTTPS} off / RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]. This checks if HTTPS is not already active and redirects permanently (301). On servers behind a load balancer or CDN, you may need: RewriteCond %{HTTP:X-Forwarded-Proto} !https — to check the original protocol. Always test with R=302 (temporary) first before committing to R=301 (permanent, cached by browsers).
How do I enable gzip compression?
Using mod_deflate (most common): <IfModule mod_deflate.c> AddOutputFilterByType DEFLATE text/html text/css application/javascript application/json image/svg+xml </IfModule>. This compresses HTML, CSS, JS, JSON, and SVG responses. Gzip typically reduces text file sizes by 60-80%. Avoid compressing already-compressed formats: JPEG, PNG, WebP, WOFF2 — these are already binary compressed and gain nothing from gzip. Check if compression is working with browser DevTools Network tab — look for "Content-Encoding: gzip" in response headers.
How do browser cache headers work in .htaccess?
Cache-Control and Expires headers tell browsers how long to cache files. Two key directives: mod_expires (Expires header) and mod_headers (Cache-Control header). Common settings: images = 1 year, CSS/JS with hash in filename = 1 year, CSS/JS without hash = 1 week, HTML = no-cache or 5 minutes. For cache-busting, use versioned filenames (style.v2.css) or content hashes (style.abc123.css) rather than short cache times. The max-age value is in seconds: 31536000 = 1 year, 604800 = 1 week, 86400 = 1 day.
How do I password protect a directory with .htaccess?
Two files are required: (1) .htaccess with AuthType Basic / AuthName "Protected Area" / AuthUserFile /path/to/.htpasswd / Require valid-user. (2) .htpasswd file with usernames and hashed passwords. Create .htpasswd with: htpasswd -c /path/to/.htpasswd username. Alternatively, generate password hashes with an online MD5 htpasswd generator. Important: specify the absolute server path to .htpasswd (not the web URL), typically /home/user/domain/.htpasswd. Never store .htpasswd inside the web root — keep it above the document root.