.htaccess generator: Apache rewrite + caching + security rules.
Apache .htaccess is still the dominant per-directory configuration mechanism for Apache-served sites. WordPress, most cPanel hosts, and a large fraction of small-business hosting still uses Apache. This generator outputs syntactically correct rules for the most common 2026 use cases: HTTPS enforcement, 301 redirects, caching headers, security headers, and compression.
About this tool.
Apache .htaccess remains the dominant per-directory configuration mechanism for Apache-served sites in 2026. WordPress, cPanel hosting, and most shared hosting providers run Apache. Even when running behind nginx as a reverse proxy, many configurations leave Apache as the application server requiring .htaccess for redirects and rewrites.
The most-requested .htaccess rules are HTTPS enforcement (Force redirect HTTP to HTTPS), 301 redirect maps (preserving SEO equity through URL changes), browser caching (year-long cache on static assets, no-cache on HTML), security headers (HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy), and compression (gzip and brotli).
HTTPS enforcement is non-negotiable in 2026. Google ranks HTTPS pages above HTTP equivalents, Chrome flags HTTP pages as Not Secure, and most browser features (geolocation, service workers, camera access) require HTTPS. The rewrite rule above redirects every HTTP request to HTTPS with a 301 permanent redirect.
301 redirects preserve SEO equity. When you change a URL, a 301 tells Google to transfer the ranking signals from the old URL to the new one. Google preserves approximately 90 to 99 percent of link equity through 301 chains under 3 hops. Avoid redirect chains longer than 3 hops — they slow page loads and risk equity loss.
Browser caching directives reduce server load and improve user experience. Static assets (CSS, JS, fonts, images) that rarely change should cache for 1 year. HTML should never cache aggressively because it changes frequently. The generator above outputs this distinction correctly.
Security headers matter for both security and ranking. Google's Page Experience signals reward sites that implement modern security headers. HSTS prevents downgrade attacks, X-Frame-Options prevents clickjacking, X-Content-Type-Options prevents MIME sniffing, Referrer-Policy controls what URL information leaks to other sites. ThatDeveloperGuy applies these headers to every site we build.
FAQ.
Does .htaccess work on nginx?
No. .htaccess is Apache-specific. nginx uses its own configuration syntax in /etc/nginx/. ThatDeveloperGuy uses nginx for all client sites and applies equivalent rules via nginx config.
Where do I put the .htaccess file?
In the root directory of your web server (typically /public_html/, /www/, or /htdocs/). Apache reads it on every request. Place per-directory rules in subdirectory .htaccess files.
Why do my redirects not work?
Most common cause: mod_rewrite not enabled. Check that AllowOverride All is set in your Apache vhost config. On shared hosting, contact your provider to enable mod_rewrite.
Is .htaccess slow?
Slightly. Apache reads .htaccess on every request. For high-traffic sites, move the rules into the main Apache config (httpd.conf) and disable .htaccess via AllowOverride None. For small sites the performance impact is negligible.
Should I use 301 or 302 redirects?
Use 301 for permanent URL changes (preserves SEO equity). Use 302 only for genuinely temporary redirects (A/B tests, maintenance pages). 301 is the right answer 95 percent of the time.
What if a security header breaks my site?
Remove that specific header and re-add headers one at a time. The most common breaker is HSTS preload — once preloaded into the browser HSTS list, you cannot un-preload for 6+ months. Test in development first.
Built by Joseph W. Anady at ThatDeveloperGuy. Need professional help? Get a free 48-hour audit.