Take advantage of your server's .htaccess file

Jun 12, 2015 15:13 GMT  ·  By

The .htaccess file can prove to be a valuable ally in controlling access to your site's resources, allowing you to skip bloated access-management applications and let a few lines of configuration do the work instead.

If you need background on what an .htaccess file is, we won't cover it here; Wikipedia has a solid entry that explains it well.

Redirect users to custom error pages

Instead of serving the default Apache, LiteSpeed or Nginx error pages to their users, webmasters can point each error status at a custom document. This can be a text file, an HTML page, a Perl script, or whatever you want, as long as the server is capable of reading it and sending it to the user.

ErrorDocument 401 /error_pages/401.html
ErrorDocument 403 /error_pages/403.html
ErrorDocument 404 /error_pages/404.html
ErrorDocument 500 /error_pages/500.html

Give ErrorDocument a local path starting with "/" as above, not a full URL: a full URL makes Apache send a redirect, so the client sees a 302 instead of the real 401/403/404/500 status.

Make sure WWW and non-WWW domains point to the same thing

The “www” is no longer obligatory in URLs, but there are cases when the WWW and non-WWW versions of a site lead to different places. This can be caused by a badly configured server, DNS settings, or problematic shared hosting accounts. To avoid this situation, keep this snippet handy.

## REDIRECT NON-WWW to WWW
RewriteEngine On
RewriteCond %{HTTP_HOST} ^softpedia\.com$ [NC]
RewriteRule (.*) http://www.softpedia.com/$1 [R=301,L]

For this, you first need mod_rewrite enabled on your server and also need to make sure the “RewriteEngine On” line is present somewhere in your .htaccess file. We placed it in our snippet just in case you don't have it already.

The reverse operation is:

## REDIRECT WWW to NON-WWW
RewriteEngine On
RewriteCond %{HTTP_HOST} ^www\.softpedia\.com$ [NC]
RewriteRule (.*) http://softpedia.com/$1 [R=301,L]

Send users to a subdomain instead

Sometimes, when a user accesses a section of your site, you'll want them sent to a dedicated subdomain. This can also be done using .htaccess. Note that in a per-directory .htaccess file the rewrite pattern is matched against the path without its leading slash, so the pattern must not start with "^/".

RewriteEngine On
RewriteCond %{HTTP_HOST} !^$
RewriteCond %{HTTP_HOST} !^subdomain\.domain\.tld$ [NC]
RewriteRule ^(.*)$ http://subdomain.domain.tld/$1 [L,R=301]

HTTP to HTTPS redirections

This one is not as simple as it looks. Redirecting users to the HTTPS version of your site doesn't automatically make it “safe”; you'll also need a properly implemented SSL/TLS certificate for that.

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

Force media files to download in the user's browser

Some browsers (OK, almost all these days) have a tendency to open files inline instead of letting users download them. To make sure the file is saved locally every time, and not streamed to the user, this trick can help:

AddType application/octet-stream .pdf
AddType application/octet-stream .avi
AddType application/octet-stream .mp3

You can pass any file extension you like. The server will then label the file as a generic binary stream, and the browser will offer it for download regardless.

File hotlinking protection is also achievable

Yes, it's that simple to protect your files from being hotlinked on the Web. Usually, you'd think this requires complex PHP or JavaScript-based solutions, money to pay developers to implement it, and a lot of time to add each file to various firewalls and dashboards, but no, it's just a few lines of configuration. The first condition lets requests with an empty Referer through (direct visits and privacy-conscious browsers); the last one keeps the replacement image itself from matching the rule again, which would otherwise loop.

RewriteEngine On
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?softpedia\.com/ [NC]
RewriteCond %{REQUEST_URI} !hotlink_dummy_immage\.png$
RewriteRule .*\.(gif|jpg|png)$ http://www.softpedia.com/hotlink_dummy_immage.png [NC,L]
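To see exactly when the hotlink rule fires, the following is an added Python simulation of how mod_rewrite evaluates it (example code written for this article, not Apache's implementation and not code from the original page). mod_rewrite tests the RewriteRule pattern first and only then walks the RewriteCond lines, all of which must hold; the request paths and referers below are constructed, and the `empty_referer_pattern` parameter is an assumption added so the effect of writing `!^` instead of `!^$` can be shown.

```python
import re

# RewriteRule pattern and RewriteCond patterns from the snippet above.
# Python's re treats these simple patterns the same way Apache's PCRE does.
IMAGE_PATTERN = r".*\.(gif|jpg|png)$"                   # RewriteRule pattern, [NC]
OWN_SITE_REFERER = r"^http://(www\.)?softpedia\.com/"    # referers that are allowed, [NC]
DUMMY_IMAGE = r"hotlink_dummy_immage\.png$"              # the replacement image itself


def rewrite_cond(test_string, pattern, negate=False, nocase=False):
    """One RewriteCond: search semantics like mod_rewrite; '!' negates the result."""
    flags = re.IGNORECASE if nocase else 0
    matched = re.search(pattern, test_string, flags) is not None
    return matched != negate


def hotlink_decision(request_path, referer, empty_referer_pattern=r"^$"):
    """Return 'redirect' if the hotlink rule fires for this request, else 'serve'.

    request_path is the per-directory path as .htaccess sees it (no leading slash).
    empty_referer_pattern defaults to the correct '^$'; pass '^' to see why a
    condition written as '!^' never lets the rule fire (assumed parameter for the demo).
    """
    if not re.search(IMAGE_PATTERN, request_path, re.IGNORECASE):
        return "serve"                                # pattern miss: conditions never run
    conditions = (
        rewrite_cond(referer, empty_referer_pattern, negate=True),         # !^$ allow blank referers
        rewrite_cond(referer, OWN_SITE_REFERER, negate=True, nocase=True),  # !own-site referers
        rewrite_cond(request_path, DUMMY_IMAGE, negate=True),               # never redirect the dummy
    )
    return "redirect" if all(conditions) else "serve"


if __name__ == "__main__":
    # Constructed requests, not captured traffic.
    cases = [
        ("images/logo.png", "http://forum.example.net/thread/42"),
        ("images/logo.png", ""),
        ("images/logo.png", "http://www.softpedia.com/reviews/"),
        ("images/logo.png", "https://softpedia.com/reviews/"),
        ("hotlink_dummy_immage.png", "http://forum.example.net/thread/42"),
        ("docs/manual.pdf", "http://forum.example.net/thread/42"),
    ]
    for path, ref in cases:
        print(f"{path:26} referer={ref or '<none>':38} -> {hotlink_decision(path, ref)}")
    print("buggy '!^' condition:",
          hotlink_decision("images/logo.png", "http://forum.example.net/", empty_referer_pattern=r"^"),
          "(the rule can never fire)")
```

The fourth case is worth noting: the allowed-referer pattern only matches `http://`, so once the site itself is served over HTTPS (see the HTTP to HTTPS section), pages on your own site would trip the rule; change the pattern to `^https?://(www\.)?softpedia\.com/` at that point.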

Compress text, HTML, JavaScript, CSS, and XML code

The snippet below is for Apache servers with mod_deflate and will automatically compress plain text, HTML, JavaScript, CSS, and XML responses when sending them to your users. The IfModule wrapper keeps Apache from failing to start if the module is missing.

<IfModule mod_deflate.c>
    AddOutputFilterByType DEFLATE text/plain
    AddOutputFilterByType DEFLATE text/html
    AddOutputFilterByType DEFLATE text/xml
    AddOutputFilterByType DEFLATE text/css
    AddOutputFilterByType DEFLATE text/x-component
    AddOutputFilterByType DEFLATE application/xml
    AddOutputFilterByType DEFLATE application/xhtml+xml
    AddOutputFilterByType DEFLATE application/rss+xml
    AddOutputFilterByType DEFLATE application/javascript
    AddOutputFilterByType DEFLATE application/x-javascript
</IfModule>

Disable directory browsing in any website

Regardless of whether you're using the .htaccess file with WordPress, Drupal, Joomla, or with Java, Python, or Ruby code, the following line in your .htaccess file will prevent any user from browsing your Web directories and seeing what files you have stored inside them.

Options -Indexes

Disable PHP execution inside a folder or for a specific file

Using the .htaccess file's filtering capabilities, webmasters can target specific files (PHP, but equally HTML, JavaScript, images, etc.) by name or wildcard pattern and apply directives to them. Since most of the time what webmasters want from .htaccess is to deny access, this small snippet can be quite useful.

#ALL PHP FILES
<Files *.php>
deny from all
</Files>

#ONE SPECIFIC PHP FILE
<Files file_name.php>
deny from all
</Files>

Put the ban hammer on one or more IP addresses

If there are only a couple of users who tend to abuse your service, you don't have to implement a firewall just for them. This can be done in .htaccess like so:

<Limit GET POST>
order allow,deny
#BAN SINGLE IP
deny from xxx.xxx.xxx.xxx
#BAN A WHOLE /24 RANGE
deny from xxx.xxx.xxx.xxx/24
allow from all
</Limit>

Two things to keep in mind here. A <Limit> block only covers the methods it lists (HEAD is treated like GET); to apply the ban to every request method, drop the <Limit> wrapper and place the directives directly in the file. And the Order/Allow/Deny syntax is from Apache 2.2; on Apache 2.4 it still works only while mod_access_compat is loaded, the native form being "Require all granted" plus "Require not ip xxx.xxx.xxx.xxx".

But don't get used to relying on .htaccess files that heavily. All these snippets can be used in your httpd.conf as well, and .htaccess files should be used only where per-directory rules are needed and access to httpd.conf is not allowed or possible.
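Because Apache refuses to serve a directory whose .htaccess fails to parse (the visitor gets a 500), it pays to check a file before deploying it. Here is an added Python linter, written for this article and not part of the original page or of Apache, that catches the slips the snippets above are prone to: whitespace inside container tags, unbalanced containers, a RewriteRule without "RewriteEngine On", a pattern anchored on "^/" in per-directory context, an absolute redirect target without an R flag, and 2.2-style access control. The sample .htaccess text and the finding codes are constructed for the demo.

```python
import re

# Constructed sample: an .htaccess with the kinds of slips the article's
# snippets are prone to (assumed input, not a file taken from any real site).
SAMPLE_HTACCESS = """\
< IfModule mod_deflate.c >
    AddOutputFilterByType DEFLATE text/html
< /IfModule>
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
RewriteRule ^/(.*)$ http://subdomain.domain.tld/$1 [L,R=301]
<Limit GET POST>
deny from all
</Limit>
"""

# Human-readable text for each finding code (codes are this example's own).
MESSAGES = {
    "tag-whitespace": "whitespace inside '<...>' container delimiters; Apache will not parse it",
    "unbalanced-tag": "container closed out of order or never closed",
    "rewrite-engine-off": "RewriteRule present but no 'RewriteEngine On' anywhere in the file",
    "leading-slash-pattern": "pattern starts with '^/' but .htaccess patterns see the path without its leading slash",
    "missing-R-flag": "absolute URL target without an explicit R flag; add [R=301,L] for a permanent redirect",
    "legacy-access-control": "Order/Allow/Deny is Apache 2.2 syntax; 2.4 needs mod_access_compat or 'Require'",
}

TAG_RE = re.compile(r"<\s*(/?)\s*([A-Za-z]+)")
REDIRECT_FLAG_RE = re.compile(r"\b(R|redirect)(=\d{3})?\b", re.IGNORECASE)


def lint_htaccess(text):
    """Return a sorted list of (line_number, code) findings for the .htaccess text."""
    findings = []
    stack = []                    # names of currently open containers
    rewrite_engine_on = False
    first_rule_line = None
    lines = text.splitlines()
    for lineno, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("<"):
            # Space right after '<' or right before '>' breaks Apache's tag parser.
            if re.match(r"<\s", line) or re.search(r"\s>$", line):
                findings.append((lineno, "tag-whitespace"))
            m = TAG_RE.match(line)
            if m:
                name = m.group(2).lower()
                if m.group(1):                          # closing tag
                    if stack and stack[-1] == name:
                        stack.pop()
                    else:
                        findings.append((lineno, "unbalanced-tag"))
                else:
                    stack.append(name)
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive == "rewriteengine" and len(parts) > 1:
            rewrite_engine_on = rewrite_engine_on or parts[1].lower() == "on"
        elif directive == "rewriterule" and len(parts) >= 3:
            first_rule_line = first_rule_line or lineno
            pattern, target = parts[1], parts[2]
            flags = parts[3] if len(parts) > 3 else ""
            if pattern.startswith("^/"):
                findings.append((lineno, "leading-slash-pattern"))
            if re.match(r"https?://", target, re.IGNORECASE) and not REDIRECT_FLAG_RE.search(flags):
                findings.append((lineno, "missing-R-flag"))
        elif directive in ("order", "allow", "deny"):
            findings.append((lineno, "legacy-access-control"))
    if first_rule_line and not rewrite_engine_on:
        findings.append((first_rule_line, "rewrite-engine-off"))
    if stack:
        findings.append((len(lines), "unbalanced-tag"))
    return sorted(findings)


if __name__ == "__main__":
    for lineno, code in lint_htaccess(SAMPLE_HTACCESS):
        print(f"line {lineno}: {code}: {MESSAGES[code]}")
```

Run it against a real file with `lint_htaccess(open(".htaccess").read())`. It is a syntax-level sanity check, not a replacement for testing the rules on a staging server; in particular it flags every Order/Allow/Deny line, which is only a problem on Apache 2.4 without mod_access_compat.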