htaccess Cheatsheet

Here is a simple cheatsheet for the .htaccess file:

Enable Directory Browsing

Options +Indexes
## block a few types of files from showing
IndexIgnore *.wmv *.mp4 *.avi

Disable Directory Browsing

Options All -Indexes

Customize Error Messages

ErrorDocument 403 /forbidden.html
ErrorDocument 404 /notfound.html
ErrorDocument 500 /servererror.html

Get SSI working with HTML/SHTML

AddType text/html .html
AddType text/html .shtml
AddHandler server-parsed .html
AddHandler server-parsed .shtml
# AddHandler server-parsed .htm

Change Default Page (order is followed!)

DirectoryIndex myhome.htm index.htm index.php

Block Users from accessing the site

<limit GET POST PUT>
order deny,allow
deny from
deny from
deny from
allow from all

Allow only LAN users

order deny,allow
deny from all
allow from

Redirect Visitors to New Page/Directory

Redirect oldpage.html
Redirect /olddir

Block site from specific referrers

RewriteEngine on
RewriteCond %{HTTP_REFERER} site-to-block\.com [NC]
RewriteCond %{HTTP_REFERER} site-to-block-2\.com [NC]
RewriteRule .* - [F]

Block Hot Linking/Bandwidth hogging

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?*$ [NC]
RewriteRule \.(gif|jpg)$ - [F]

Want to show a “Stealing is Bad” message too?

Add this below the Hot Link Blocking code:

RewriteRule \.(gif|jpg)$ [R,L]

Stop .htaccess (or any other file) from being viewed

<files file-name>
order allow,deny
deny from all

Avoid the 500 Error

# Avoid 500 error by passing charset
AddDefaultCharset utf-8

Grant CGI Access in a directory

Options +ExecCGI
AddHandler cgi-script cgi pl
# To enable all scripts in a directory use the following
# SetHandler cgi-script

Password Protecting Directories

Use the .htaccess Password Generator and follow the brief instructions!

Change Script Extensions

AddType application/x-httpd-php .gne

gne will now be treated as PHP files! Similarly, x-httpd-cgi for CGI files, etc.

Use MD5 Digests

Performance may take a hit but if thats not a problem, this is a nice option to turn on.

ContentDigest On

The CheckSpelling Directive

From Jens Meiert: CheckSpelling corrects simple spelling errors (for example, if someone forgets a letter or if any character is just wrong). Just add CheckSpelling On to your htaccess file.

The ContentDigest Directive

As the Apache core features documentation says: “This directive enables the generation of Content-MD5 headers as defined in RFC1864 respectively RFC2068. The Content-MD5 header provides an end-to-end message integrity check (MIC) of the entity-body. A proxy or client may check this header for detecting accidental modification of the entity-body in transit.

Note that this can cause performance problems on your server since the message digest is computed on every request (the values are not cached). Content-MD5 is only sent for documents served by the core, and not by any module. For example, SSI documents, output from CGI scripts, and byte range responses do not have this header.”

To turn this on, just add ContentDigest On.

Enable Gzip – Save Bandwidth

<ifmodule mod_deflate.c>
# Combine the below two lines - I've split it up for presentation
AddOutputFilterByType DEFLATE text/text text/html text/plain text/xml text/css
  application/x-javascript application/javascript

Turn off magic_quotes_gpc

# Only if you use PHP
<ifmodule mod_php4.c>
php_flag magic_quotes_gpc off

Set an Expires header and enable Cache-Control

<ifmodule mod_expires.c>
  ExpiresActive On
  ExpiresDefault "access plus 1 seconds"
  ExpiresByType text/html "access plus 7200 seconds"
  ExpiresByType image/gif "access plus 518400 seconds"
  ExpiresByType image/jpeg "access plus 518400 seconds"
  ExpiresByType image/png "access plus 518400 seconds"
  ExpiresByType text/css "access plus 518400 seconds"
  ExpiresByType text/javascript "access plus 216000 seconds"
  ExpiresByType application/x-javascript "access plus 216000 seconds"

<ifmodule mod_headers.c>
  # Cache specified files for 6 days
  <filesmatch "\.(ico|flv|jpg|jpeg|png|gif|css|swf)$">
  Header set Cache-Control "max-age=518400, public"
  # Cache HTML files for a couple hours
  <filesmatch "\.(html|htm)$">
  Header set Cache-Control "max-age=7200, private, must-revalidate"
  # Cache PDFs for a day
  <filesmatch "\.(pdf)$">
  Header set Cache-Control "max-age=86400, public"
  # Cache Javascripts for 2.5 days
  <filesmatch "\.(js)$">
  Header set Cache-Control "max-age=216000, private"

Digg This!

July 5th, 2005 at 1:45 pm

The section titled “Block Users from accessing the site” contains dangerous advice. It only limits the GET requests. A “blocked” user can just as well do a POST to some PHP script to get the output, since the request method doesn’t matter to PHP. You should use something like instead of , or just get rid of the container entirely.

September 17th, 2005 at 7:48 am

nice list, thanks for posting it.

September 19th, 2005 at 3:16 pm

Regarding Jan!‘s post about POST and GET, that would only be applicable in cases where register_globals was turned on, wouldn’t it? Nobody does that anymore… right?

September 21st, 2005 at 9:08 pm

Can anyone advise how I could password protect my root directory for a range of specified IPs only?

September 24th, 2005 at 4:17 pm

The code saying Redirect /olddir actually is a bit confusing. When /olddir really is a directory, it should say Redirect /olddir/ instead, to prevent redirecting users to

October 11th, 2005 at 10:09 pm

A good collection of HTACCESS comments, a page I will come back to often. Thanks

October 13th, 2005 at 11:11 pm

Lekker !

Strait to my bookmarks

November 18th, 2005 at 4:12 am

Excellent resource! Thanks for posting it. :)

My Site on the Web
March 30th, 2006 at 8:49 pm

Great list.
Just a couple of things about the Hot Link prevention code…

First… in the second condition, the line ends with ‘.*$’
The end of the line is redundant, because you are stipulating what domain the referring site has to begin with by using the carat (^), there is no need to tell it to look any further than the slash.
A slightly better solution would be
RewriteCond %{HTTP_REFERER} !^http://(www.)? [NC]

Secondly… the “Stealing is Bad” image won’t be displayed, because it is a .gif and the previous directive blocks .gifs from external sources.
Instead of adding the RewriteRule to the bottom of the hotlinking set, it should replace the other one or make the ‘dontsteal.gif’ a ‘dontsteal.png’ as .pngs are not being blocked.


theme by teslathemes