The .htaccess file can be a valuable ally in controlling access to your site's resources, letting you skip bloated security management applications and have a few lines of configuration do the work instead.
If you need background on what an .htaccess file is, we won't repeat it here: the Wikipedia entry explains it well.
Redirect users to custom error pages
Instead of serving the default Apache, LiteSpeed or Nginx error pages to their users, webmasters can redirect these requests to a custom document. This can be a text file, an HTML page, a Perl script, or whatever you want, as long as the server is capable of reading it and sending it to the user.
ErrorDocument 403 /error_pages/403.html
ErrorDocument 404 /error_pages/404.html
ErrorDocument 500 /error_pages/500.html
Make sure WWW and non-WWW domains point to the same thing
The “www” is no longer obligatory in URLs, but there are cases when the WWW and non-WWW versions of a site lead to different places. This can be caused by a badly configured server, DNS settings, or problematic shared hosting accounts. To avoid this situation, keep this snippet handy.
RewriteEngine On
RewriteCond %{HTTP_HOST} ^softpedia\.com
RewriteRule (.*) http://www.softpedia.com/$1 [R=301,L]
The reverse operation is:
RewriteEngine On
RewriteCond %{HTTP_HOST} ^www\.softpedia\.com
RewriteRule (.*) http://softpedia.com/$1 [R=301,L]
Send users to a subdomain instead
Sometimes when a user is accessing a section of your site, you'll want them sent to a custom subdomain. This can also be done using .htaccess.
RewriteEngine On
RewriteCond %{HTTP_HOST} !^$
RewriteCond %{HTTP_HOST} !^subdomain\.domain\.tld$ [NC]
RewriteRule ^(.*)$ http://subdomain.domain.tld/$1 [L,R=301]
HTTP to HTTPS redirections
This one is not as simple as it looks. Redirecting users to the HTTPS version of your site doesn't automatically make it “safe.” You'll need to look into a proper SSL/TLS implementation for that.
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
Force media files to download in the user's browser
Some browsers (OK, almost all these days) have a tendency to force files to open inside them instead of allowing users to download them. To make sure the file is saved locally every time, and not streamed to the user, this trick can help:
AddType application/octet-stream .avi
AddType application/octet-stream .mp3
File hotlinking protection is also achievable
Yes, it's that simple to protect your files from being hotlinked on the Web. Usually, you'd think this requires complex PHP or JavaScript-based solutions, money to pay developers to implement it, and a lot of time adding each file to various firewalls and dashboards, but no, it's just a few lines of configuration.
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?softpedia\.com/ [NC]
RewriteCond %{REQUEST_URI} !hotlink_dummy_image\.png$
RewriteRule .*\.(gif|jpg|png)$ http://www.softpedia.com/hotlink_dummy_image.png [NC,L]
Compress text, HTML, JavaScript, CSS, and XML code
The snippet below is for Apache servers and will automatically compress HTML, JavaScript, CSS, and XML files when sending them to your users.
<IfModule mod_deflate.c>
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE text/xml
AddOutputFilterByType DEFLATE text/css
AddOutputFilterByType DEFLATE text/x-component
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE application/rss+xml
AddOutputFilterByType DEFLATE application/javascript
AddOutputFilterByType DEFLATE application/x-javascript
</IfModule>
Disable directory browsing in any website
Regardless of whether you're using the .htaccess file with WordPress, Drupal, Joomla, or with Java, Python, or Ruby code, a single line in your .htaccess file, Options -Indexes, will prevent any user from browsing your Web directories and seeing what files you have stored inside them.
Disable PHP execution inside a folder or for a specific file
Using the Files container in .htaccess, webmasters can target PHP (or HTML, JavaScript, image, etc.) files and apply directives to them. Since most of the time the goal is to prevent access, this small snippet can be quite useful. Note that deny from all blocks every request for the matched files, rather than merely disabling the PHP handler.
#ALL PHP FILES IN THIS FOLDER
<Files *.php>
deny from all
</Files>
#ONE SPECIFIC PHP FILE
<Files file_name.php>
deny from all
</Files>
Put the ban hammer on one or more IP addresses
If there are only a couple of users who tend to abuse your service, you don't have to implement a firewall just for them. This can be done in .htaccess like so:
order allow,deny
#BAN SINGLE IP
deny from xxx.xxx.xxx.xxx
#BAN ENTIRE CLASS OF IPS
deny from xxx.xxx.xxx.xxx/24
allow from all
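Most of the slips that creep into snippets like the ones above (an unclosed Files or IfModule container, a RewriteRule before RewriteEngine On, a pattern anchored on a leading slash, a RewriteCond that can never be true) fail silently rather than with an error. The following checker is an added example, not part of the original article or of Apache; it flags exactly those problems in an .htaccess text and is run here against a constructed sample that reproduces them.

```python
import re


def lint_htaccess(text):
    """Return (line_no, message) pairs for .htaccess slips that fail silently:
    stray/unclosed container tags, rewrite directives before 'RewriteEngine On',
    RewriteRule patterns anchored '^/' (the leading slash is stripped in
    .htaccess) and the always-false RewriteCond pattern '!^' (want '!^$')."""
    findings, stack, engine_on = [], [], False
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        close = re.match(r"<\s*/\s*(\w+)", line)      # tolerate '< /IfModule>'
        if close:
            if stack and stack[-1][0].lower() == close.group(1).lower():
                stack.pop()
            else:
                findings.append((no, "stray closing </%s>" % close.group(1)))
            continue
        opened = re.match(r"<\s*(\w+)", line)          # tolerate '< Files *.php>'
        if opened:
            stack.append((opened.group(1), no))
            continue
        words = line.split()
        directive = words[0].lower()
        if directive == "rewriteengine":
            engine_on = len(words) > 1 and words[1].lower() == "on"
        elif directive in ("rewritecond", "rewriterule"):
            if not engine_on:
                findings.append((no, "%s before 'RewriteEngine On'" % words[0]))
            if directive == "rewriterule" and len(words) > 1 and words[1].startswith("^/"):
                findings.append((no, "pattern '^/' never matches in .htaccess"))
            if directive == "rewritecond" and len(words) > 2 and words[2] == "!^":
                findings.append((no, "'!^' is always false; use '!^$' for 'not empty'"))
    for name, no in stack:                              # containers never closed
        findings.append((no, "<%s> never closed" % name))
    return findings


# Constructed sample reproducing the slips discussed above (not a real site).
SAMPLE = """\
RewriteCond %{HTTP_HOST} !^subdomain\\.domain\\.tld$ [NC]
RewriteRule ^/(.*)$ http://subdomain.domain.tld/$1 [L,R=301]
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^
< /IfModule>
< Files *.php>
</Limit>
"""
if __name__ == "__main__":
    for no, msg in lint_htaccess(SAMPLE):
        print("line %d: %s" % (no, msg))
```

The checker only catches the slip types named in its docstring; it does not validate directive arguments or confirm that the relevant modules are loaded on the server.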