Build Apache .htaccess rules without memorizing mod_rewrite
The .htaccess file is a per-directory configuration file that Apache reads on
every request, letting you change server behaviour without touching the main
config. This builder generates the most common production rules — forcing HTTPS,
canonicalizing the www prefix, custom error pages, trailing-slash handling,
directory-listing control, and a baseline set of security headers — and outputs
a single copy-ready block.
What this builder covers
| Rule | What it does |
|---|---|
| Force HTTPS | 301-redirect all HTTP traffic to https:// |
| www → non-www | Canonical redirect to example.com (or the reverse) |
| Trailing slash | Add or remove a trailing slash consistently |
| Directory listing | Block or allow Options -Indexes |
| Custom error pages | Map 403, 404, 500 to your own templates |
| Security headers | X-Frame-Options, X-Content-Type-Options, Referrer-Policy |
How it works
Most redirect and rewrite logic uses the mod_rewrite engine. A typical HTTPS
redirect inspects the %{HTTPS} server variable and issues a 301 redirect to the
https:// version of the requested URL:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
The RewriteCond is a guard — the following RewriteRule only fires when the
condition matches. The R=301 flag makes it a permanent redirect (good for SEO),
and L stops processing further rules. Canonical www/non-www redirects use a
%{HTTP_HOST} condition to match the unwanted host and rewrite to your chosen
canonical domain. Error pages use the simpler ErrorDocument directive, and
security headers use mod_headers with Header set directives wrapped in an
IfModule guard so the file is safe even if the module is absent.
Reading the flags
Apache RewriteRule flags are comma-separated in square brackets at the end:
| Flag | Meaning |
|---|---|
R=301 | Permanent redirect (browser and search engine should update) |
R=302 | Temporary redirect |
L | Last rule — stop processing further RewriteRules |
NC | No case — match case-insensitively |
QSA | Query string append — preserve existing query string |
NE | No escape — do not percent-encode special characters in the substitution |
The L flag is critical: without it, Apache continues through the rule list even after a redirect matches. Always include it on redirect rules to prevent unexpected double-processing.
Correct rule ordering
Rules are processed top to bottom. Use this order to avoid conflicts:
- HTTPS redirect — convert HTTP to HTTPS first.
- www/non-www redirect — canonicalise the host on the HTTPS version.
- Trailing-slash rules — handle URL form after the canonical host is set.
- Application front-controller (e.g.
index.php) — route all unmatched requests to your framework. - ErrorDocument directives — these apply globally regardless of position.
- Header set directives — processed on every response; position in the file does not affect them.
Tips
- Put redirect and canonicalization rules near the top, before any app rewrites, so visitors land on the canonical URL before deeper routing runs.
- A
500 Internal Server Erroron the whole directory almost always means an.htaccesssyntax error — comment out blocks one by one to bisect the problem. - Wrap optional modules in
<IfModule mod_headers.c>so a missing module degrades gracefully instead of throwing a 500. .htaccessis read on every request and is slower than equivalent directives in the main config; on a server you control, prefer the vhost where possible.- Always back up the existing
.htaccessbefore replacing it; a syntax error takes the entire directory offline immediately.