Some developers don't know about the power of .htaccess. Apache has a great feature for changing how requests are handled through .htaccess files.
.htaccess is a per-directory configuration file used on a web server to alter the configuration of the Apache web server.
Using .htaccess we can easily override server configuration settings.
The .htaccess file is used to control user access on a per-directory basis, and we can do a number of other things with it as well.
In this article, we will see 15 useful .htaccess tips and tricks that can be used to protect a server from malicious attacks or to secure a project.
1. Disable Directory Browsing
Options -Indexes
This snippet disables directory listing, so we must use it in each directory we want to secure.
2. Block cross-site scripting (XSS)
# Blocks some XSS attacks: rejects query strings that carry a <script> tag (literal or URL-encoded)
# or that try to set GLOBALS / _REQUEST. This is a coarse pattern filter on the raw query string,
# not a substitute for output encoding in the application itself.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule .* index.php [F,L]
</IfModule>
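To see what the three conditions above actually match, here is an added Python check (not part of the original article) that applies the same patterns to the raw query string the way mod_rewrite does, using Python's re module in place of Apache's PCRE; the host example.test and the sample URLs are constructed.

```python
import re
from urllib.parse import urlsplit

# The three RewriteCond patterns from tip 2, copied verbatim. Python's re stands in for
# Apache's PCRE engine; for these patterns the two agree. Only the first condition carries
# [NC], so only it is compiled case-insensitively, exactly as the .htaccess does.
XSS_CONDITIONS = [
    (re.compile(r"(\<|%3C).*script.*(\>|%3E)", re.IGNORECASE), "script tag in query string"),
    (re.compile(r"GLOBALS(=|\[|\%[0-9A-Z]{0,2})"), "GLOBALS variable injection"),
    (re.compile(r"_REQUEST(=|\[|\%[0-9A-Z]{0,2})"), "_REQUEST variable injection"),
]


def xss_rule_verdict(url):
    """Return the reason the tip-2 rules would answer 403 for this URL, or None if it passes.

    mod_rewrite matches %{QUERY_STRING} as it arrived on the wire, without URL-decoding it,
    which is why the patterns spell out %3C/%3E next to the literal brackets. The conditions
    are chained with [OR], so the first one that matches decides the outcome.
    """
    query = urlsplit(url).query
    for pattern, reason in XSS_CONDITIONS:
        if pattern.search(query):
            return reason
    return None


# Constructed sample requests against a hypothetical host, not taken from any real log.
SAMPLE_URLS = [
    "http://example.test/index.php?q=%3Cscript%3E1%3C/script%3E",  # URL-encoded script tag
    "http://example.test/index.php?q=<SCRIPT>1</SCRIPT>",          # literal, upper-case: [NC] catches it
    "http://example.test/index.php?debug=1&GLOBALS[admin]=1",      # GLOBALS[...] attempt
    "http://example.test/index.php?_REQUEST%5Buser%5D=x",          # _REQUEST with encoded '['
    "http://example.test/index.php?search=javascript+tutorial",    # benign: no brackets, passes
    "http://example.test/index.php?globals=1",                     # lower-case: no [NC] on that condition,
]                                                                  # and PHP's $GLOBALS is case-sensitive anyway


def audit(urls=SAMPLE_URLS):
    """Map each URL to the verdict the .htaccess rules would give (reason string or None)."""
    return {url: xss_rule_verdict(url) for url in urls}


if __name__ == "__main__":
    for url, verdict in audit().items():
        print(f"{'403' if verdict else '200':>3}  {url}  {verdict or ''}")
```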
3. Access Only By IP
# allow access only by IP
order deny,allow
allow from [insert your own IP address]
deny from all
The snippet above allows access only to clients whose IP address is listed here; everyone else is denied.
4. Protect Particular File
<files config.php>
order allow,deny
deny from all
</files>
This block prevents the config file from being accessed over the web. It helps to secure a WordPress configuration file or a PHP project's config file; replace config.php with your own config file name.
5. Disable PHP Execution In Your “uploads” Folder
<Files *.php>
deny from all
</Files>
Placed in the uploads folder's own .htaccess, the snippet above blocks requests for PHP files there, so an uploaded script cannot be executed through the web server.
6. Prevent access to Particular file type
<Files *.php>
deny from all
</Files>
This code is used to prevent access to PHP files.
7. Prevent access to multiple file types
<FilesMatch "\.(htaccess|htpasswd|ini|phps|fla|psd|log|sh)$">
Order Allow,Deny
Deny from all
</FilesMatch>
With the snippet above, we can block access to several file types in a project at once.
8. Redirecting to a Secure HTTPS Connection
RewriteEngine On
RewriteCond %{HTTPS} !on
# R=301 makes the redirect permanent and explicit; L stops further rule processing
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
9. Redirect users to a customized 404 error page.
# custom error pages
ErrorDocument 404 /error/404.php
ErrorDocument 500 /error/500.php
The snippet above shows the user a custom error page for 404 and 500 errors instead of Apache's default one.
10. Add a trailing slash to the end of your url.
# trailing slash enforcement
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_URI} !#
RewriteCond %{REQUEST_URI} !(.*)/$
RewriteRule ^(.*)$ http://domain.com/$1/ [L,R=301]
This snippet adds a slash at the end of URLs that do not point at an existing file.
11. Disallow GET Method
<Limit GET>
deny from all
</Limit>
Using the Limit directive we can easily disallow any method such as GET or POST. Note that Limit only affects the methods named in it; every other method stays allowed.
12. 301 Permanent Redirect
Redirect 301 /file1.html http://yourdomain.com/file2.html
This code will permanently redirect file1.html to file2.html.
13. Enable gzip compression
<IfModule mod_deflate.c>
# Compress HTML, CSS, JavaScript, Text, XML and fonts
AddOutputFilterByType DEFLATE application/javascript
AddOutputFilterByType DEFLATE application/rss+xml
AddOutputFilterByType DEFLATE application/vnd.ms-fontobject
AddOutputFilterByType DEFLATE application/x-font
AddOutputFilterByType DEFLATE application/x-font-opentype
AddOutputFilterByType DEFLATE application/x-font-otf
AddOutputFilterByType DEFLATE application/x-font-truetype
AddOutputFilterByType DEFLATE application/x-font-ttf
AddOutputFilterByType DEFLATE application/x-javascript
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE font/opentype
AddOutputFilterByType DEFLATE font/otf
AddOutputFilterByType DEFLATE font/ttf
AddOutputFilterByType DEFLATE image/svg+xml
AddOutputFilterByType DEFLATE image/x-icon
AddOutputFilterByType DEFLATE text/css
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE text/javascript
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/xml
# Remove browser bugs (only needed for really old browsers)
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
Header append Vary User-Agent
</IfModule>
14. Cache Files
# 1 Month for most static assets
<FilesMatch "\.(css|jpg|jpeg|png|gif|js|ico)$">
Header set Cache-Control "max-age=2592000, public"
</filesMatch>
15. Redirect to HTTPS with WWW
RewriteEngine On
# redirect when the request is plain HTTP or the host has no www. prefix
RewriteCond %{HTTPS} !on [OR]
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteCond %{HTTP_HOST} ^(?:www\.)?(.+)$ [NC]
RewriteRule ^ https://www.%1%{REQUEST_URI} [R=301,L]