Apache .htaccess Generator
Build a production-ready Apache .htaccess. Force HTTPS, 301 redirects, security headers, HSTS, gzip, Brotli, cache, basic auth, dotfile and IP blocks.
Build a .htaccess
Apache shared host or vhost
Canonical host
Force HTTPS and pick www or apex
Leave both www. and the apex domain serving as-is.
Custom redirects
301, 302, 307, or 308 to any path
Each rule becomes a mod_rewrite RewriteRule line in the output.
Security headers
Sensible defaults via mod_headers
Start with a few minutes during testing. Use 365 days or more for production.
Optional. Browsers will report violations but not block them. Use our CSP Header Generator to build a full policy.
Compression and caching
gzip, Brotli, and browser cache lifetimes
Access controls
Directory listing, dotfiles, basic auth, hotlinks
Block by IP or user agent
Deny abusive crawlers and bad actors
Uses Apache 2.4 Require not ip syntax. Lines that are not valid IPs or CIDR ranges are flagged in the review panel.
Custom error pages
ErrorDocument for the common HTTP errors
Path is relative to the document root. Apache serves the file when a matching error occurs.
Misc
Tweaks
Output
Generated .htaccess
Save as .htaccess in your document root, then run apachectl configtest and reload.
# .htaccess
# Generated by Zero Signup Tools Apache .htaccess Generator
# Place this file in the document root.
# Run `apachectl configtest` and reload Apache after changes.
# ---------------------------------------------------------------------------
# Options
# ---------------------------------------------------------------------------
Options +FollowSymLinks
Options -Indexes
ServerSignature Off
AddDefaultCharset UTF-8
# ---------------------------------------------------------------------------
# URL rewrites and redirects (mod_rewrite)
# ---------------------------------------------------------------------------
<IfModule mod_rewrite.c>
RewriteEngine On
# Always allow ACME challenges (Let's Encrypt, ZeroSSL) to pass.
RewriteRule ^\.well-known/acme-challenge/ - [L]
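# Force HTTPS on every request.
# The X-Forwarded-Proto test is for a TLS-terminating proxy or load balancer.
# Clients can send that header themselves, so drop the second RewriteCond
# when Apache is reachable directly.
RewriteCond %{HTTPS} !=on
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]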
</IfModule>
# ---------------------------------------------------------------------------
# Security headers (mod_headers)
# ---------------------------------------------------------------------------
<IfModule mod_headers.c>
# Block MIME sniffing. Browsers must respect the Content-Type sent.
Header always set X-Content-Type-Options "nosniff"
# Prevent the site from being framed except by the same origin.
Header always set X-Frame-Options "SAMEORIGIN"
# Tighten the Referer policy.
Header always set Referrer-Policy "strict-origin-when-cross-origin"
# Disable powerful browser features by default.
Header always set Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=(), usb=(), accelerometer=(), gyroscope=()"
# Cross-origin isolation.
Header always set Cross-Origin-Opener-Policy "same-origin"
Header always set Cross-Origin-Resource-Policy "same-site"
# Strict-Transport-Security pins the site to HTTPS for 365 days.
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
# Remove the X-Powered-By header that PHP and other application runtimes add.
Header unset X-Powered-By
</IfModule>
# ---------------------------------------------------------------------------
# Compression
# ---------------------------------------------------------------------------
<IfModule mod_deflate.c>
# gzip the text MIME types.
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE text/xml
AddOutputFilterByType DEFLATE text/css
AddOutputFilterByType DEFLATE text/javascript
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE application/rss+xml
AddOutputFilterByType DEFLATE application/javascript
AddOutputFilterByType DEFLATE application/x-javascript
AddOutputFilterByType DEFLATE application/json
AddOutputFilterByType DEFLATE application/ld+json
AddOutputFilterByType DEFLATE image/svg+xml
AddOutputFilterByType DEFLATE font/ttf
AddOutputFilterByType DEFLATE font/otf
</IfModule>
<IfModule mod_brotli.c>
# Brotli for browsers that prefer it (most modern browsers).
AddOutputFilterByType BROTLI_COMPRESS text/html
AddOutputFilterByType BROTLI_COMPRESS text/plain
AddOutputFilterByType BROTLI_COMPRESS text/css
AddOutputFilterByType BROTLI_COMPRESS text/javascript
AddOutputFilterByType BROTLI_COMPRESS application/javascript
AddOutputFilterByType BROTLI_COMPRESS application/json
AddOutputFilterByType BROTLI_COMPRESS application/xml
AddOutputFilterByType BROTLI_COMPRESS image/svg+xml
</IfModule>
# ---------------------------------------------------------------------------
# Browser caching (mod_expires)
# ---------------------------------------------------------------------------
<IfModule mod_expires.c>
ExpiresActive On
# HTML: short cache so deploys take effect quickly.
ExpiresByType text/html "access plus 60 minutes"
# CSS and JS: medium cache. Pair with hashed filenames for safe long cache.
ExpiresByType text/css "access plus 30 days"
ExpiresByType application/javascript "access plus 30 days"
ExpiresByType text/javascript "access plus 30 days"
# Images: long cache. Replace via filename hash on update.
ExpiresByType image/png "access plus 12 months"
ExpiresByType image/jpg "access plus 12 months"
ExpiresByType image/jpeg "access plus 12 months"
ExpiresByType image/gif "access plus 12 months"
ExpiresByType image/webp "access plus 12 months"
ExpiresByType image/avif "access plus 12 months"
ExpiresByType image/svg+xml "access plus 12 months"
ExpiresByType image/x-icon "access plus 12 months"
# Fonts: long cache.
ExpiresByType font/woff "access plus 12 months"
ExpiresByType font/woff2 "access plus 12 months"
ExpiresByType font/ttf "access plus 12 months"
ExpiresByType font/otf "access plus 12 months"
ExpiresByType application/font-woff "access plus 12 months"
ExpiresByType application/font-woff2 "access plus 12 months"
# Manifests and feeds.
ExpiresByType application/json "access plus 0 seconds"
ExpiresByType application/ld+json "access plus 0 seconds"
ExpiresByType application/manifest+json "access plus 1 week"
ExpiresByType application/rss+xml "access plus 1 hour"
ExpiresByType application/atom+xml "access plus 1 hour"
</IfModule>
<IfModule mod_headers.c>
# Tell intermediaries the cache is fresh. Append immutable for hashed assets.
<FilesMatch "\.(?:css|js|svg|woff2?|ttf|otf|eot|png|jpe?g|gif|webp|avif|ico)$">
Header set Cache-Control "public, max-age=2592000"
</FilesMatch>
</IfModule>
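# ---------------------------------------------------------------------------
# Block dotfiles (.git, .env, .htpasswd, .DS_Store)
# ---------------------------------------------------------------------------
# FilesMatch tests only the file name, so this covers .env, .htpasswd, .DS_Store.
<FilesMatch "^\.(?!well-known)">
Require all denied
</FilesMatch>
# Files inside dot directories (for example .git/config) have ordinary names,
# so match the URL path as well. /.well-known stays reachable.
<IfModule mod_alias.c>
RedirectMatch 403 "/\.(?!well-known(?:/|$))"
</IfModule>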
# ---------------------------------------------------------------------------
# Block leaked backup, swap, and editor files
# ---------------------------------------------------------------------------
<FilesMatch "\.(bak|backup|swp|swo|old|orig|save|tmp|temp|log|sql|sqlite|db)$">
Require all denied
</FilesMatch>
# ---------------------------------------------------------------------------
# Custom error pages
# ---------------------------------------------------------------------------
ErrorDocument 404 /errors/404.html
ErrorDocument 500 /errors/500.html
Review
Looks good
Standard hardening, modern caching, force HTTPS, and dotfile denial are all in place. Ready to commit.
Reload Apache
Quick commands
sudo apachectl configtest
sudo systemctl reload apache2   # Debian, Ubuntu
sudo systemctl reload httpd     # RHEL, CentOS, Fedora
curl -I https://example.com/
Why these defaults
A short tour of the choices baked in
Force HTTPS the safe way
The HTTPS redirect keeps /.well-known/acme-challenge open so Let's Encrypt renewals never break. The X-Forwarded-Proto check also covers load balancers that terminate TLS upstream.
Each module guarded by IfModule
mod_rewrite, mod_headers, mod_deflate, mod_brotli, and mod_expires are wrapped in IfModule so the file degrades gracefully on shared hosts that disable a module.
Dotfile denial without breaking ACME
FilesMatch denies /.git, /.env, /.htpasswd, and /.DS_Store but leaves /.well-known alone so SSL certificate renewals over HTTP-01 still complete.
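FilesMatch is tested against the last component of the file name, not the whole request path, so a file with an ordinary name inside a dot directory is outside its reach. The added example below (not the generator's code) models the two FilesMatch patterns from the generated file on constructed request paths and compares them with a path-level pattern; DOT_SEGMENT and the function names are assumptions of this example.

```python
import posixpath
import re

# The two FilesMatch patterns from the generated file.
DOTFILE = re.compile(r"^\.(?!well-known)")
BACKUP = re.compile(r"\.(bak|backup|swp|swo|old|orig|save|tmp|temp|log|sql|sqlite|db)$")
# Assumed path-level pattern (not part of the FilesMatch blocks): any path
# segment that starts with a dot, except the .well-known directory itself.
DOT_SEGMENT = re.compile(r"/\.(?!well-known(?:/|$))")


def filesmatch_denies(url_path):
    """Model <FilesMatch>: only the last path component is tested."""
    name = posixpath.basename(url_path)
    return bool(DOTFILE.search(name) or BACKUP.search(name))


def path_rule_denies(url_path):
    """Model a rule that is matched against the whole URL path."""
    return bool(DOT_SEGMENT.search(url_path))


def coverage(paths):
    """Return {path: (denied_by_filesmatch, denied_by_path_rule)}."""
    return {p: (filesmatch_denies(p), path_rule_denies(p)) for p in paths}


# Constructed sample request paths.
SAMPLE_PATHS = [
    "/.env",
    "/.htpasswd",
    "/.git/config",
    "/.git/HEAD",
    "/.svn/entries",
    "/backup/site.sql",
    "/.well-known/acme-challenge/token123",
    "/.well-known/.hidden",
    "/index.html",
]

if __name__ == "__main__":
    for path, (by_file, by_path) in coverage(SAMPLE_PATHS).items():
        print(f"{path:40} FilesMatch={by_file!s:5} path-rule={by_path}")
```

A request is refused when either column is True, so the rows where both are False show what each deployment still serves.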
HSTS conservative until you confirm HTTPS works
HSTS is opt-in and requires Force HTTPS. The preload flag is also opt-in because, once a domain is preloaded, removal can take weeks. Test with a short max-age first.
Cache headers per MIME type
HTML caches briefly so deploys propagate fast. CSS, JS, fonts, and images cache for weeks or months. Pair with content-hashed filenames for safe long cache.
Apache 2.4 access control syntax
IP and FilesMatch blocks use Require directives, not the legacy Order / Allow / Deny. This works on every modern Apache and matches what most distros ship today.
How to use
- Pick a canonical host: force HTTPS for every request and decide between forcing the apex domain, forcing www, or leaving both. Keep Preserve /.well-known/acme-challenge on so SSL renewals continue to work.
- Add custom redirects with Add redirect. Choose 301 for permanent SEO moves, 302 or 307 for temporary, or 308 to preserve the request method, and pick Exact, Prefix, or Regex matching.
- Toggle security headers and HSTS. Set the HSTS max-age, then opt in to includeSubDomains and preload only when you have verified HTTPS works on every subdomain.
- Turn on gzip (mod_deflate) and Brotli (mod_brotli) for compression. Adjust mod_expires cache lifetimes per MIME type: short for HTML, long for fonts and images.
- Configure access controls: disable directory listing, deny dotfiles and backup files, set hotlink protection with allowed referrer hosts, and enable HTTP Basic auth with an absolute AuthUserFile path.
- List blocked IP addresses and CIDR ranges, one per line, and optionally block User-Agent patterns. Enable ErrorDocument entries for the status codes you serve custom pages for.
- Read the review panel. Fix any errors and warnings, then click Copy to grab the .htaccess. Save it to your document root, run apachectl configtest, and reload Apache.
About this tool
Apache .htaccess Generator builds a complete, production-ready .htaccess file from a small set of choices: force HTTPS, www or apex canonical hostname, custom 301, 302, 307, or 308 redirects, security headers (X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy, Cross-Origin-Opener-Policy, Cross-Origin-Resource-Policy), HSTS with configurable max-age plus includeSubDomains and preload flags, gzip via mod_deflate, Brotli via mod_brotli, per-MIME-type browser cache lifetimes via mod_expires, hotlink protection by Referer, HTTP Basic authentication paired with an .htpasswd file, IP and CIDR range deny lists using Apache 2.4 Require not ip syntax, abusive User-Agent blocking via mod_rewrite, custom ErrorDocument pages for 400, 401, 403, 404, and 500, directory-listing prevention, denial of dotfiles (.git, .env, .htpasswd, .DS_Store) and leaked backup files (.bak, .swp, .old, .sql), and a hidden ServerSignature.
Each module section is wrapped in IfModule so the file degrades gracefully on shared hosts that disable mod_rewrite, mod_headers, mod_deflate, mod_brotli, or mod_expires. The HTTPS redirect explicitly preserves /.well-known/acme-challenge so Let's Encrypt and ZeroSSL renewals never break, and checks X-Forwarded-Proto so the file still works behind an upstream load balancer.
The review panel flags common mistakes before you ship: HSTS enabled without Force HTTPS, AuthUserFile that is not an absolute path, hotlink protection with an empty allow-list, redirect loops where source equals destination, source paths missing a leading slash, IP entries that are not valid IPv4, IPv6, or CIDR notation, preload flags with a max-age below the public hstspreload.org requirements, and overly aggressive cache lifetimes for HTML.
Generation runs entirely in your browser as deterministic string templating, with zero dependencies and zero network calls. The hostname, redirect rules, blocked IPs, and any other configuration you enter never leave your device.
Use the output for WordPress, Laravel, Drupal, Joomla, Magento, plain HTML sites, or any document root served by Apache 2.4 on shared hosting (cPanel, Plesk, DirectAdmin) or a VPS. After saving, run apachectl configtest to validate, then systemctl reload apache2 (or httpd) to apply without dropping live connections.
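Three of the review-panel checks listed above (HSTS without an HTTPS redirect, preload with a short max-age, and AuthUserFile and IP validation), written as an added Python example that lints a saved .htaccess; it is not the tool's own code, which runs in the browser. The function name review_htaccess, the regexes and the sample input are assumptions of this example, and 31536000 seconds is the minimum max-age that hstspreload.org accepts.

```python
import ipaddress
import re

PRELOAD_MIN_MAX_AGE = 31536000  # one year, the hstspreload.org minimum


def review_htaccess(text):
    """Return a list of findings for the body of a .htaccess file."""
    findings = []
    lines = [s for s in map(str.strip, text.splitlines()) if s and not s.startswith("#")]
    body = "\n".join(lines)

    hsts = re.search(r'Strict-Transport-Security\s+"([^"]*)"', body)
    if hsts:
        value = hsts.group(1)
        if not re.search(r"^RewriteCond\s+%\{HTTPS\}\s+(!=?on|=?off)", body, re.M | re.I):
            findings.append("HSTS is set but no HTTPS redirect condition was found")
        age = re.search(r"max-age=(\d+)", value)
        if "preload" in value and (not age or int(age.group(1)) < PRELOAD_MIN_MAX_AGE):
            findings.append("preload is set with max-age below 31536000")

    for ln in lines:
        auth = re.match(r'AuthUserFile\s+"?([^"\s]+)', ln)
        if auth and not auth.group(1).startswith("/"):
            findings.append(f"AuthUserFile is not an absolute path: {auth.group(1)}")
        deny = re.match(r"Require\s+not\s+ip\s+(.+)", ln)
        for entry in deny.group(1).split() if deny else []:
            try:
                ipaddress.ip_network(entry, strict=False)
            except ValueError:
                findings.append(f"not a valid IP or CIDR range: {entry}")
    return findings


# Constructed, deliberately flawed input.
SAMPLE = """\
Header always set Strict-Transport-Security "max-age=300; includeSubDomains; preload"
AuthType Basic
AuthUserFile .htpasswd
<RequireAll>
Require valid-user
Require not ip 203.0.113.7 198.51.100.0/24
Require not ip 192.168.1.300 2001:db8::/32
</RequireAll>
"""

if __name__ == "__main__":
    for finding in review_htaccess(SAMPLE):
        print("-", finding)
```

Apache's Require ip also accepts partial addresses such as 10.1, which this stricter check reports as invalid.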
Free to use. Works in your browser. No signup, no login.