.htaccess Generator
Generate Apache .htaccess rules for redirects and security.
# Generated by ToolHQ .htaccess Generator
Options -Indexes
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
# Force HTTPS
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>
# Enable Gzip compression
<IfModule mod_deflate.c>
AddOutputFilterByType DEFLATE text/html text/css application/javascript
</IfModule>
# Browser caching
<IfModule mod_expires.c>
ExpiresActive On
ExpiresByType image/jpeg "access plus 1 year"
ExpiresByType text/css "access plus 1 month"
ExpiresByType application/javascript "access plus 1 month"
</IfModule>How to use .htaccess Generator
Select Your .htaccess Rule Type
Click the 'Rule Type' dropdown menu at the top of the interface and choose from Redirects, Security Headers, URL Rewriting, or Cache Control. Each option displays specific configuration options below.
Configure Your Rule Parameters
Enter your settings in the input fields. For redirects, paste your source URL in the 'From URL' field and destination in the 'To URL' field. For security, toggle options like 'Block Access', 'Force HTTPS', or 'Disable Directory Listing' using the checkbox controls.
Customize Advanced Options
Click 'Advanced Settings' to add response codes (301, 302, 307), specify redirect conditions, or set expiration headers. Use the checkboxes to enable RewriteCond rules for conditional redirects.
Generate Your .htaccess Code
Press the blue 'Generate .htaccess' button. Your Apache configuration code appears in the code editor panel on the right side of the screen.
Copy and Deploy Your Code
Click the 'Copy Code' button to copy all generated rules to your clipboard. Paste the code into your .htaccess file in your website's root directory using FTP or your hosting control panel's file manager.
Related Tools
.htaccess generator online: create Apache config rules without coding
.htaccess generator online: create Apache config rules without coding
Generate 301 redirects, HTTPS enforcement, browser caching, hotlink protection, and security headers with ToolHQ's.htaccess generator, generated entirely in your browser, no server data sent anywhere.
An.htaccess file is a directory-level configuration file for the Apache web server. It sits in your website's root directory (or any subdirectory) and gives Apache instructions on how to handle requests: redirect one URL to another, force HTTPS, block access from specific IPs, set browser caching headers, or protect a directory with a password.
The power of.htaccess is that it lets you change server behavior without touching the main server configuration, which typically requires root access and a server restart. A well-configured.htaccess file improves security, performance, and URL structure without any code changes to your application.
Key takeaways
- .htaccess is an Apache-only feature; it does not work on Nginx or IIS
- The file goes in your website root directory and has no file extension (the name IS.htaccess)
- Common use cases: force HTTPS, 301 redirects, browser caching, block hotlinking, password-protect directories
- Generated entirely in your browser, no server data is sent anywhere
- Free with no account required
What.htaccess does and where it lives
The.htaccess file (pronounced "H-T access") is a per-directory configuration file for Apache HTTP Server. It has been part of Apache since version 1.1. When Apache serves a request, it checks every directory in the path for an.htaccess file and applies any directives it finds.
Key facts:
- The filename is literally
.htaccess, a dot followed by "htaccess" with no extension. On most operating systems, files starting with a dot are hidden by default. - It lives in your website root (typically
public_html,www, orhtdocs), though you can place one in any subdirectory for rules that only apply there. - Each rule applies to the directory it is in and all subdirectories, unless overridden.
- .htaccess files are powerful but slow Apache down slightly because Apache reads them on every request. For high-traffic sites, consider asking your host to allow the equivalent rules in the main server config instead.
Important: .htaccess only works on Apache. If your site runs on Nginx, LiteSpeed (without Apache compatibility mode), or IIS, .htaccess files have no effect. Ask your host which server software you are using if you are unsure.
Common.htaccess rules and what they do
| Rule type | What it does | Example directive |
|---|---|---|
| Force HTTPS | Redirect all HTTP requests to HTTPS | RewriteEngine On + redirect rule |
| 301 redirect | Permanently redirect one URL to another | Redirect 301 /old-page /new-page |
| Block IP addresses | Deny access from specific IPs | Deny from 192.168.1.1 |
| Password protection | Require login for a directory | AuthType Basic + AuthUserFile |
| Browser caching | Set cache expiry for file types | ExpiresByType image/jpeg "access plus 1 year" |
| Block hotlinking | Prevent other sites from embedding your images | RewriteCond %{HTTP_REFERER} |
| Custom error pages | Show branded pages for 404, 500, etc. | ErrorDocument 404 /not-found.html |
| GZIP compression | Compress responses to reduce bandwidth | AddOutputFilterByType DEFLATE text/html |
The Apache HTTP Server documentation covers every available directive in detail. For the complete list of what.htaccess can and cannot do, the official docs are the authoritative source.
How to use ToolHQ's.htaccess generator
Open the tool. Go to https://www.toolhq.app/tools/htaccess-generator.
Select the rules you need. Check the boxes or fill in the forms for each rule type, HTTPS redirect, 301 redirects, password protection, caching, security headers.
Fill in the details. For redirect rules, enter the source and destination URLs. For caching, select the file types and expiry periods. For IP blocking, enter the IP addresses to deny.
Generate. The browser assembles the rules into a complete.htaccess file with properly formatted directives.
Copy and upload. Copy the output, paste it into a text editor (or save directly), then upload it as
.htaccessto the appropriate directory on your server using FTP/SFTP.
The generator runs entirely in your browser, no server configuration data is sent anywhere.
The five rules that matter most for most websites
Most websites need only a handful of.htaccess rules. These five handle the highest-impact scenarios.
1. Force HTTPS: Every site should redirect HTTP to HTTPS. This protects users and signals security to search engines. The redirect uses mod_rewrite to catch any HTTP request and redirect it to the HTTPS equivalent.
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
2. Remove the www (or force the www): Pick one canonical domain, either www.example.com or example.com, and redirect the other to it. Mixing both harms SEO by splitting link equity between two URLs.
3. Set browser caching headers: Tell browsers to cache images, CSS, and JavaScript files locally. A year-long cache for images and six months for CSS/JS reduces load times for returning visitors significantly.
ExpiresActive On
ExpiresByType image/jpeg "access plus 1 year"
ExpiresByType text/css "access plus 6 months"
ExpiresByType application/javascript "access plus 6 months"
4. Prevent directory listing: If a directory has no index file, Apache shows a file listing by default. That exposes your file structure to anyone who knows the URL. One line prevents it:
Options -Indexes
5. Block hotlinking: If other websites embed your images directly, they consume your bandwidth without visiting your site. A RewriteCond on the HTTP referer blocks external requests for your image files.
Santiago, a small business owner who managed his own WordPress site, noticed his hosting bill was unusually high. His web host's control panel showed image bandwidth spiking, someone was hotlinking his product photos from a forum. He used ToolHQ's.htaccess generator to add a hotlink protection rule in two minutes, uploaded the file via FTP, and his bandwidth dropped by 60% the following month. He also added the HTTPS redirect and directory listing prevention rules while he had the file open.
Generate your.htaccess file now, free at ToolHQ
Security headers you can add via.htaccess
Beyond the basic rules, .htaccess can add HTTP response headers that harden your site against common web attacks.
X-Frame-Options: Prevents your page from being embedded in an iframe on another site (clickjacking protection).
Header always set X-Frame-Options "SAMEORIGIN"
X-Content-Type-Options: Stops browsers from MIME-sniffing a response away from the declared content type.
Header always set X-Content-Type-Options "nosniff"
Referrer-Policy: Controls how much referrer information browsers send when users follow links from your site.
Header always set Referrer-Policy "strict-origin-when-cross-origin"
These headers have no effect on your site's visible behavior but significantly reduce your attack surface.
For related server setup, the robots.txt generator creates the crawl rules file that works alongside.htaccess, and the SSL checker verifies your HTTPS certificate is valid before adding the force-HTTPS redirect. The redirect checker confirms your 301 redirects are working correctly after you upload the file.
Mia, a freelance web developer, was doing a technical SEO audit for a new client. The client's WordPress site had no HTTPS redirect, no caching headers, and was leaking directory listings on the uploads folder. She opened ToolHQ's.htaccess generator, configured the HTTPS redirect, set caching for images and CSS, disabled directory indexing, and added three security headers in one session. She downloaded the generated file, uploaded it to the server, then ran the redirect checker to confirm the 301 chain was clean. The audit went from failing to passing in under 20 minutes.
Frequently asked questions
Does.htaccess work with Nginx?
No. .htaccess is an Apache-only feature. Nginx does not read.htaccess files. If your server runs Nginx, equivalent rules need to go in your Nginx server block configuration, which requires server-level access. Some hosts run LiteSpeed with Apache compatibility that does read.htaccess files, check with your host.
Where exactly do I upload the.htaccess file?
For sitewide rules, upload to your website root, the directory that contains your index.php or index.html file. On most shared hosts, this is public_html or www. For subdirectory-specific rules, place the file in that subdirectory.
Can I have multiple.htaccess files?
Yes. Apache reads the.htaccess file in each directory along the request path. You can have a sitewide one in the root and specific ones in subdirectories. Directives in subdirectory files override root-level ones for requests to that subdirectory.
Will.htaccess slow my site down?
Slightly, because Apache reads it on every request. For most shared hosting environments, the impact is negligible. For high-traffic sites on dedicated servers, the equivalent rules in the main httpd.conf file are slightly faster.
Do I need to restart Apache after changing.htaccess?
No. Apache reads.htaccess files dynamically on each request. Changes take effect immediately without any server restart.
The short version
The.htaccess file is the simplest way to configure Apache server behavior at the directory level, HTTPS redirects, 301 URL redirects, browser caching, hotlink blocking, directory protection, and security headers. It applies immediately without touching the main server configuration.
ToolHQ's.htaccess generator builds the file from point-and-click options, generates it entirely in your browser, and outputs code with clear comments explaining each directive.
After generating your file, verify the rules are working with the redirect checker and SSL checker. For permission-level server file protection, the chmod calculator handles file permission values.
Generate your.htaccess file free, no upload, no account