15 Useful htaccess Tips & Tricks

15 Useful htaccess Tips & Tricks

Some dev don’t know about the power of htaccess. Apache server has great feature to manipulate information using htaccess.

.htaccess is a configuration file used on web server to alter the configuration of Apache web server.

Using .htaccess we can easily override server configuration settings.

.htaccess file is used to control user access on per directory basis. We can do number of things using .htaccess file.

In this article, we will see 15 useful htaccess tips and tricks which can be used to protect server from malicious attack or secure project.

1. Disable Directory Browsing

Options -Indexes

This snippet disable directory listing so, we must use in each directory to secure it.

2. Block cross-site scripting (XSS)

# Blocks some XSS attacks

<IfModule mod_rewrite.c>
RewriteCond %{QUERY_STRING} (\|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule .* index.php [F,L]
</IfModule>

OR

<IfModule mod_rewrite.c>
	RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
	RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
	RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
	RewriteRule .* index.php [F,L]
</IfModule>

3. Access Only By IP

#allow access only by IP
order deny,allow
allow from [insert your own IP address]
deny from all

Above snippet allow access to only those user whose IP added here.

4. Protect Particular File

<files config.php>
order allow,deny
deny from all
</files>

This code will disallow config file from being access. This code helps to secure WordPress config file or PHP project config file. Replace config.php with your own config file name.

5. Disable PHP Execution In Your “uploads” Folder

<Files *.php> 
deny from all
</Files>

Above snippet can be used to disable PHP execute in upload folder.

6. Prevent access to Particular file type

<Files *.php>
deny from all
</Files>

This code is used to prevent access to PHP files.

READ ALSO :   How to Set Up a Custom 404 Error Page Using htaccess

7. Prevent access to multiple file types

<FilesMatch "\.(htaccess|htpasswd|ini|phps|fla|psd|log|sh)$"> 
Order Allow,Deny
Deny from all
</FilesMatch>

With the use of above snippet, we can prevent access to multiple file type in a project.

8. Redirecting to a Secure HTTPS Connection

RewriteEngine On 
RewriteCond %{HTTPS} !on
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

9. Redirect users to a customized 404 error page.

# custom error pages

ErrorDocument 404 /error/404.php  
ErrorDocument 500 /error/500.php

Above snippet is used to redirect user to a custom error page.

10. Add a trailing slash to the end of your url.

 #trailing slash enforcement
 RewriteBase /
 RewriteCond %{REQUEST_FILENAME} !-f
 RewriteCond %{REQUEST_URI} !#
 RewriteCond %{REQUEST_URI} !(.*)/$
 RewriteRule ^(.*)$ http://domain.com/$1/ [L,R=301] 

This snippet is used to add slash at end of URLS.

11. Disallow GET Method

<Limit GET>     
deny from all
</Limit>

Using limit directive we can easily disallow any method like Get or POST.

12. 301 Permanent Redirect

Redirect 301 /file1.html  http://yourdomain.com/file2.html 

This code will permanently redirect file1.html to file2.html.

13. Enable gzip compression

<IfModule mod_deflate.c>  
# Compress HTML, CSS, JavaScript, Text, XML and fonts AddOutputFilterByType DEFLATE application/javascript AddOutputFilterByType DEFLATE application/rss+xml AddOutputFilterByType DEFLATE application/vnd.ms-fontobject AddOutputFilterByType DEFLATE application/x-font AddOutputFilterByType DEFLATE application/x-font-opentype AddOutputFilterByType DEFLATE application/x-font-otf AddOutputFilterByType DEFLATE application/x-font-truetype AddOutputFilterByType DEFLATE application/x-font-ttf AddOutputFilterByType DEFLATE application/x-javascript AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE font/opentype
AddOutputFilterByType DEFLATE font/otf
AddOutputFilterByType DEFLATE font/ttf
AddOutputFilterByType DEFLATE image/svg+xml
AddOutputFilterByType DEFLATE image/x-icon
AddOutputFilterByType DEFLATE text/css
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE text/javascript
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/xml

# Remove browser bugs (only needed for really old browsers)
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html Header append Vary User-Agent </IfModule>


14.  Cache Files

# 1 Month for most static assets 
<filesMatch ".(css|jpg|jpeg|png|gif|js|ico)$">
Header set Cache-Control "max-age=2592000, public"
</filesMatch>

15. Redirect to HTTPS with WWW

 RewriteEngine On
RewriteCond %{HTTP_HOST} !^www.
RewriteRule ^(.*)$ https://www.%{HTTP_HOST}/$1 [R=301,L]
READ ALSO :   5 Tips to Secure AJAX PHP Call

Leave a Reply

Your email address will not be published. Required fields are marked *