Example .htaccess Code Snippets

Here are some specific examples taken from the Htaccess Guide.

Redirect Everyone Except IP address to alternate page

When developing sites

This lets google crawl the page, lets me access without a password, and lets my client access the page WITH a password. It also allows for XHTML and CSS validation! (w3.org)

Fix double-login prompt

Redirect non-https requests to https server and ensure that .htpasswd authorization can only be entered across HTTPS

Set Timezone of the Server (GMT)

Administrator Email for ErrorDocument

ServerSignature for ErrorDocument

Charset and Language headers

Article: Setting Charset in htaccess, and article by Richard Ishida

Disallow Script Execution

Deny Request Methods

Force “File Save As” Prompt

Show CGI Source Code

Serve all .pdf files on your site using .htaccess and mod_rewrite with the php script.

Rewrite to www

Rewrite to www dynamically

301 Redirect Old File

301 Redirect Entire Directory

Protecting your php.cgi

Set Cookie based on Request

This code sends the Set-Cookie header to create a cookie on the client with the value of a matching item in 2nd parantheses.

Set Cookie with env variable

Custom ErrorDocuments

Implementing a Caching Scheme with .htaccess

Password Protect single file

Password Protect multiple files

Send Custom Headers

Blocking based on User-Agent Header

Blocking with RewriteCond

.htaccess for mod_php

.htaccess for php as cgi

Shell wrapper for custom php.ini

Add values from HTTP Headers

Stop hotlinking

Turn logging off for IP

Turn logging on for IP

Example .htaccess Files

Here are some samples and examples taken from different .htaccess files I’ve used over the years. Specific solutions are farther down on this page and throughout the site.

Here are some default MOD_REWRITE code examples.

Examples of protecting your files and securing with password protection.

Advanced Mod_Rewrites

Here are some specific htaccess examples taken mostly from my WordPress Password Protection plugin, which does alot more than password protection as you will see from the following mod_rewrite examples. These are a few of the mod_rewrite uses that BlogSecurity declared pushed the boundaries of Mod_Rewrite! Some of these snippets are quite exotic and unlike anything you may have seen before, also only for those who understand them as they can kill a website pretty quick.

Directory Protection

Enable the DirectoryIndex Protection, preventing directory index listings and defaulting. [Disable]

Password Protect wp-login.php

Requires a valid user/pass to access the login page[401]

Password Protect wp-admin

Requires a valid user/pass to access any non-static (css, js, images) file in this directory.[401]

Protect inc

Denies any Direct request for files ending in .php with a 403 Forbidden.. May break plugins/themes [401]

Protect other

Denies any Direct request for files ending in .php with a 403 Forbidden.. May break plugins/themes [403]

Common Exploits

Block common exploit requests with 403 Forbidden. These can help alot, may break some plugins. [403]

Stop Hotlinking

Denies any request for static files (images, css, etc) if referrer is not local site or empty. [403]

Safe Request Methods

Denies any request not using GET,PROPFIND,POST,OPTIONS,PUT,HEAD[403]

Forbid Proxies

Denies any POST Request using a Proxy Server. Can still access site, but not comment. See Perishable Press [403]

Real wp-comments-post.php

Denies any POST attempt made to a non-existing wp-comments-post.php[403]


Denies any badly formed HTTP PROTOCOL in the request, 0.9, 1.0, and 1.1 only[403]


Denies any request for a url containing characters other than “a-zA-Z0-9.+/-?=&” – REALLY helps but may break your site depending on your links. [403]

BAD Content Length

Denies any POST request that doesnt have a Content-Length Header[403]

BAD Content Type

Denies any POST request with a content type other than application/x-www-form-urlencoded|multipart/form-data[403]


Denies requests that dont contain a HTTP HOST Header.[403]

Bogus Graphics Exploit

Denies obvious exploit using bogus graphics[403]

No UserAgent, Not POST

Denies POST requests by blank user-agents. May prevent a small number of visitors from POSTING. [403]

No Referer, No Comment

Denies any comment attempt with a blank HTTP_REFERER field, highly indicative of spam. May prevent some visitors from POSTING. [403]

Trackback Spam

Denies obvious trackback spam. See Holy Shmoly! [403]

Map all URIs except those corresponding to existing files to a handler

Map any request to a handler

In the case where all URIs should be sent to the same place (including potentially requests for static content) the method to use depends on the type of the handler. For php scripts, use: For other handlers such as php scripts, use:

And for CGI scripts:

Map URIs corresponding to existing files to a handler instead

If the existing files you wish to have handled by your script have a common set of file extensions distinct from that of the hander, you can bypass mod_rewrite and use instead mod_actions. Let’s say you want all .html and .tpl files to be dealt with by your script:

Deny access if var=val contains the string foo.

Removing the Query String

Adding to the Query String

Keep the existing query string using the Query String Append flag, but add var=val to the end.

Rewriting For Certain Query Strings

Rewrite URLs like http://askapache.com/url1?var=val to http://askapache.com/url2?var=val but don’t rewrite if val isn’t present.

Modifying the Query String

Change any single instance of val in the query string to other_val when accessing /path. Note that %1 and %2 are back-references to the matched part of the regular expression in the previous RewriteCond.


Fonte: http://tlw-htaccess.blogspot.com.br/2014/11/example-htaccess-code-snippets.html

Rate this post
Facebook Comments