.htaccess Generator

Apache .htaccess rules for redirects and security

Generate Apache .htaccess rules for HTTPS redirects, www/non-www canonicalisation, GZIP compression, browser caching, security headers and custom error pages. Toggle the rules you need and copy production-ready config. It runs free in your browser on Gera Tools, with nothing uploaded.

Last updated Source: Gera Tools

Where does the .htaccess file go?

Place it in the root directory of your website (the same folder as index.html or index.php). Rules apply to that directory and everything below it. The filename starts with a dot and has no extension.

Apache config without the guesswork

The .htaccess Generator builds the Apache directives most sites need — forcing HTTPS, choosing www or non-www, enabling compression and caching, and adding security headers. Hand-written .htaccess rules are unforgiving: one typo returns a 500 error for every visitor. Toggle the rules you want and copy a clean, IfModule-guarded config.

What you can generate

Rule categoryWhat it does
Force HTTPS301-redirects all HTTP traffic to the HTTPS version
www → non-www (or reverse)Canonicalises the host to your chosen form
GZIP compressionEnables mod_deflate for HTML, CSS, JS, fonts
Browser cachingSets Expires or Cache-Control via mod_expires
Security headersAdds X-Content-Type-Options, X-Frame-Options, Referrer-Policy
Custom error pagesMaps 404, 500 etc. to your own error templates

How it works

.htaccess is a per-directory configuration file Apache reads on each request. Redirects use the mod_rewrite engine, which matches conditions and rewrites or redirects the URL:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [L,R=301]

RewriteCond checks a condition (here, that the request is not already HTTPS) and RewriteRule performs a permanent (R=301) redirect. Compression (mod_deflate), caching (mod_expires) and header rules (mod_headers) are wrapped in <IfModule> blocks so they are silently skipped when a module is absent — protecting you from accidental 500s.

Worked example: HTTPS + canonical non-www

Consider a site reachable at http://www.example.com, http://example.com, and https://www.example.com. You want every visitor to land on https://example.com. The safest approach is a single combined redirect that handles both the protocol upgrade and the host switch together, avoiding two chained hops:

RewriteEngine On
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} ^www\. [NC]
RewriteRule ^ https://example.com%{REQUEST_URI} [L,R=301]

The two RewriteCond lines are combined with [OR] so the rule fires whenever either condition is true — if the request is plain HTTP, or if the host starts with www.. One redirect, canonical URL, done.

Common pitfalls

  • Two separate redirects instead of one — chaining an HTTP→HTTPS redirect before a www→non-www redirect causes two round-trips, adds latency, and can confuse some clients.
  • Wrong AllowOverride setting — if your Apache vhost has AllowOverride None, the .htaccess file is silently ignored. Set AllowOverride All in the vhost or restrict it to AllowOverride FileInfo Options.
  • Missing mod_rewrite — on a fresh VPS, enable it with a2enmod rewrite and restart Apache. Shared hosts usually have it on by default.
  • Forgetting to test on staging — a syntax error takes the entire directory offline with a 500, so always test on a non-production environment first and keep a backup copy.

Tips

  • Pick one canonical host (either www or non-www) and redirect the other to avoid duplicate-content SEO issues.
  • Always back up your existing .htaccess before replacing it; a single bad line takes the whole directory down.
  • These rules are Apache-only. On Nginx, translate them into server block directives instead.
  • Performance note: .htaccess is parsed on every request. For high-traffic sites, move stable rules into the vhost config (httpd.conf or a site conf) and disable .htaccess lookups with AllowOverride None in directories that do not need it.