Where do I put the .htaccess file?

Place it in the directory you want the rules to apply to — usually your site root (public_html or the document root). Rules cascade into subdirectories unless overridden by a closer .htaccess file.

Why aren't my rewrite rules working?

The mod_rewrite module must be enabled and AllowOverride must permit .htaccess in the Apache config. On many shared hosts both are on by default; on a VPS you may need 'a2enmod rewrite' and AllowOverride All in your vhost.

What order should HTTPS and www redirects go in?

Combine them so a single redirect sends visitors to the canonical https://example.com URL. Chaining two separate redirects causes an extra hop, which slightly hurts performance and SEO.

Will these rules break my existing site?

Always back up your current .htaccess first. Syntax errors in .htaccess cause a 500 Internal Server Error for the whole directory, so test on staging before deploying to production.

Do security headers in .htaccess replace a real security review?

No. Headers like X-Frame-Options and X-Content-Type-Options are a useful baseline, but they do not replace HTTPS, input validation, dependency patching, or a full security audit.

.htaccess Rules Builder

Build Apache .htaccess rules without memorizing mod_rewrite

The .htaccess file is a per-directory configuration file that Apache reads on every request, letting you change server behaviour without touching the main config. This builder generates the most common production rules — forcing HTTPS, canonicalizing the www prefix, custom error pages, trailing-slash handling, directory-listing control, and a baseline set of security headers — and outputs a single copy-ready block.

How it works

Most redirect and rewrite logic uses the mod_rewrite engine. A typical HTTPS redirect inspects the %{HTTPS} server variable and issues a 301 redirect to the https:// version of the requested URL:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

The RewriteCond is a guard — the following RewriteRule only fires when the condition matches. The R=301 flag makes it a permanent redirect (good for SEO), and L stops processing further rules. Canonical www/non-www redirects use a %{HTTP_HOST} condition to match the unwanted host and rewrite to your chosen canonical domain. Error pages use the simpler ErrorDocument directive, and security headers use mod_headers with Header set directives wrapped in an IfModule guard so the file is safe even if the module is absent.

Tips and notes

Put redirect and canonicalization rules near the top, before any app rewrites (for example a front-controller rule), so visitors land on the canonical URL before deeper routing runs.
A 500 Internal Server Error on the whole directory almost always means an .htaccess syntax error — comment out blocks to bisect the problem.
Wrap optional modules in <IfModule mod_headers.c> so a missing module degrades gracefully instead of throwing a 500.
.htaccess is read on every request and is slower than equivalent directives in the main config; on a server you control, prefer the vhost where possible.

.htaccess Rules Builder

Email me this result

Build Apache .htaccess rules without memorizing mod_rewrite

How it works

Tips and notes