.htaccess Generator

Generate production-ready Apache .htaccess files for WordPress, Laravel, SPAs, and static sites — with HTTPS redirects, URL rewrites, GZIP, caching, and security headers.

Generated .htaccess

# .htaccess generated by DevToolEasy
# https://devtooleasy.com/generator/htaccess

AddDefaultCharset UTF-8

# Disable directory listing
Options -Indexes

<IfModule mod_rewrite.c>
    RewriteEngine On

    # Force HTTPS
    RewriteCond %{HTTPS} !=on
    RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]

    # Force non-www
    RewriteCond %{HTTP_HOST} ^www\.example\.com [NC]
    RewriteRule ^(.*)$ https://example.com/$1 [R=301,L]

</IfModule>

# Enable Gzip / Deflate compression
<IfModule mod_deflate.c>
    AddOutputFilterByType DEFLATE text/html text/plain text/css text/javascript
    AddOutputFilterByType DEFLATE application/javascript application/json
    AddOutputFilterByType DEFLATE application/xml application/rss+xml
    AddOutputFilterByType DEFLATE image/svg+xml font/ttf font/otf font/woff font/woff2
</IfModule>

# Browser caching
<IfModule mod_expires.c>
    ExpiresActive On
    ExpiresByType text/html "access plus 1 hour"
    ExpiresByType text/css "access plus 1 month"
    ExpiresByType application/javascript "access plus 1 month"
    ExpiresByType image/jpeg "access plus 1 year"
    ExpiresByType image/png "access plus 1 year"
    ExpiresByType image/gif "access plus 1 year"
    ExpiresByType image/svg+xml "access plus 1 year"
    ExpiresByType image/webp "access plus 1 year"
    ExpiresByType image/x-icon "access plus 1 year"
    ExpiresByType font/woff2 "access plus 1 year"
    ExpiresByType font/woff "access plus 1 year"
    ExpiresByType font/ttf "access plus 1 year"
</IfModule>

# Security headers
<IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set X-Content-Type-Options "nosniff"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
</IfModule>

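# Block access to sensitive files
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>

# FilesMatch tests only the file's basename (.env, .gitignore, composer.json, ...)
<FilesMatch "(\.env|\.git|composer\.json|package\.json)">
    Require all denied
</FilesMatch>

# Files inside the .git directory have basenames such as "config" or "HEAD",
# so the directory is also blocked by URL path
<IfModule mod_alias.c>
    RedirectMatch 404 "/\.git(/|$)"
</IfModule>

Upload as .htaccess to your site root. Requires Apache with AllowOverride All in your vhost config.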
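
FilesMatch is evaluated against a file's basename, not the request path, so a pattern list like the one above does not by itself cover files inside a .git directory. The following is an added example, not output of the generator: it replays constructed request paths against the two FilesMatch patterns and against a path-based RedirectMatch rule (an assumed hardening), reporting sensitive paths that stay reachable and public paths caught by the unanchored pattern.

```python
import posixpath
import re

# The generator's FilesMatch patterns, copied from the config above.
FILESMATCH = [r"^\.ht", r"(\.env|\.git|composer\.json|package\.json)"]
# Assumed hardening: a rule matched against the whole URL path.
REDIRECTMATCH = [r"/\.git(/|$)"]

# Constructed probes: request path -> True if it must never be served.
PROBES = {
    "/.env": True,
    "/.htpasswd": True,
    "/composer.json": True,
    "/.git/config": True,
    "/.git/HEAD": True,
    "/index.html": False,
    "/docs/setup.environment.html": False,
}


def blocked(path, filesmatch, redirectmatch=()):
    """Return the rule that denies `path`, or None if it would be served."""
    name = posixpath.basename(path)
    for pat in filesmatch:        # <FilesMatch> sees only the basename
        if re.search(pat, name):
            return "FilesMatch " + pat
    for pat in redirectmatch:     # RedirectMatch sees the full URL path
        if re.search(pat, path):
            return "RedirectMatch " + pat
    return None


def audit(probes, filesmatch, redirectmatch=()):
    """Return (sensitive paths still served, public paths wrongly denied)."""
    exposed, overblocked = [], []
    for path, sensitive in probes.items():
        rule = blocked(path, filesmatch, redirectmatch)
        if sensitive and rule is None:
            exposed.append(path)
        elif not sensitive and rule is not None:
            overblocked.append(path)
    return exposed, overblocked


if __name__ == "__main__":
    print("FilesMatch only:   ", audit(PROBES, FILESMATCH))
    print("with RedirectMatch:", audit(PROBES, FILESMATCH, REDIRECTMATCH))
```

The second list shows the cost of leaving `\.env` unanchored: any filename containing ".env" is denied, which is safe but can surprise when a public file stops loading.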

About the .htaccess Generator

The .htaccess Generator is a free online tool that helps web developers and site owners create production-ready Apache .htaccess files without memorizing the syntax for mod_rewrite, mod_headers, mod_expires, and mod_deflate. Whether you're launching a new WordPress site, deploying a Laravel app, or hosting a static React build on shared hosting, this tool gives you a clean, correct configuration in seconds.

.htaccess is a per-directory configuration file read by the Apache HTTP Server. It lets you override server-wide defaults without touching the main httpd.conf — a common pattern on shared hosting and cPanel-managed environments. Everything runs in your browser; no server calls, no tracking of your domain names or file paths.

How to Use the .htaccess Generator

  1. Pick a Preset — Start with WordPress, Laravel, SPA, Static Site, or Security Hardening. The preset instantly enables the most common directives for that stack.
  2. Set Your Domain & HTTPS Rules — Enter your primary domain, toggle "Force HTTPS" to 301-redirect HTTP traffic, and choose whether to force www or non-www for SEO consistency.
  3. Configure URL Rewriting — Enable the front-controller rewrite for WordPress, Laravel, or SPA routing. Optionally enforce trailing-slash consistency.
  4. Add Custom Redirects — Use "Add" in the Custom Redirects card to send old URLs to new ones with 301 (permanent) or 302 (temporary) status codes. Perfect for site migrations.
  5. Enable Performance Optimizations — Turn on GZIP compression and set browser cache lifetimes per file type (HTML, CSS, JS, images, fonts). Longer caches improve repeat-visit speed.
  6. Harden Security — Toggle HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, and CSP headers. Block access to .env, .git, and other sensitive files.
  7. Copy or Download — Click "Copy" to copy to clipboard, or "Download" to save as .htaccess. Upload to your web root (e.g., public_html/).
  8. Verify Apache Settings — Ensure AllowOverride All is set in your Apache virtual host, and that the relevant modules (mod_rewrite, mod_headers, mod_expires, mod_deflate) are enabled.

Common Use Cases

Site Migrations

Redirect old URLs to new ones with 301s to preserve SEO ranking and avoid broken links.

HTTPS Rollout

Force every visitor onto HTTPS after installing a Let's Encrypt certificate, and enable HSTS for browser-level enforcement.

Performance Tuning

Turn on GZIP and set aggressive browser cache lifetimes to pass Lighthouse audits and improve Core Web Vitals.

WordPress Hardening

Block access to wp-config.php, xmlrpc.php, and hidden dotfiles to prevent common attacks.

SPA Hosting

Serve index.html for any non-existent path so React Router / Vue Router can take over client-side routing.

Shared Hosting Setup

Override server defaults on cPanel, DreamHost, SiteGround, or Bluehost without needing SSH or root access.

Frequently Asked Questions

What is an .htaccess file?

.htaccess (hypertext access) is a per-directory configuration file used by the Apache HTTP Server. When Apache encounters an .htaccess file in a directory, it applies those rules to the directory and its subdirectories — enabling URL rewrites, redirects, password protection, caching policies, and more without editing the main server config.

Where do I upload the .htaccess file?

Upload it to your site's document root — typically public_html/, www/, or htdocs/ on shared hosting, or the public/ directory for Laravel. Make sure the filename starts with a dot and has no extension. On many FTP clients you may need to enable "show hidden files" to see it.

Why isn't my .htaccess working?

The most common causes: (1) AllowOverride is set to None in your Apache vhost — it must be All (or at minimum FileInfo for rewrites); (2) the required module isn't loaded (e.g., mod_rewrite); (3) the file is named incorrectly (must be exactly .htaccess, no extension); or (4) you're running Nginx, which doesn't read .htaccess at all.

Does Nginx support .htaccess?

No. .htaccess is Apache-specific. Nginx uses a centralized nginx.conf configuration model for performance — it doesn't check every directory on each request. If you're on Nginx, use our Nginx Config Generator instead.

What's the difference between 301 and 302 redirects?

A 301 is a permanent redirect — search engines transfer SEO value to the new URL and update their index. Use it for migrations and canonical URL changes. A 302 is a temporary redirect — search engines keep the original URL indexed. Use it for A/B tests, maintenance pages, or short-term promotions. When in doubt, prefer 301.

Will HSTS lock me out of my site?

HSTS (Strict-Transport-Security) tells browsers to always use HTTPS for your domain for the specified duration (1 year in this generator). If you later disable HTTPS or let your certificate expire, users' browsers will refuse to load the site over HTTP until the HSTS entry expires. Only enable HSTS once you're confident HTTPS is stable, and avoid the preload directive until you're absolutely sure — preload is irreversible for months.

Does .htaccess slow down my site?

Marginally. Apache checks for .htaccess in every directory along the request path on every request. On high-traffic sites with root access, moving rules into the main vhost config (with AllowOverride None) is faster. On shared hosting you usually have no choice — and the performance hit is negligible for most sites.

Can I have multiple .htaccess files?

Yes. Each directory can have its own .htaccess. Rules from parent-directory files cascade down, with child files overriding conflicting rules. This is useful for scoping rules — e.g., password-protecting only /admin/.

Is this tool free and private?

Yes. All configuration is generated entirely in your browser with JavaScript. Your domain names, redirect lists, and file paths never leave your device. No sign-up, no tracking, no limits.