.htaccess Rules Generator

.htaccess Generator

Domain

Default redirect type

Force HTTPS

WWW mode

Custom redirects

No custom redirects added.

Disable directory listing

Block dot files (.env, .git)

Protect .htaccess

Block xmlrpc.php

HTTP Security Headers

X-Frame-Options

SAMEORIGIN — blocks iframe embedding

X-Content-Type-Options

nosniff — prevents MIME sniffing

Referrer-Policy

strict-origin-when-cross-origin

X-XSS-Protection

Legacy XSS filter header

HSTS

Forces HTTPS for 1 year via header

RewriteEngine On

# Force HTTPS
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

# Disable directory listing
Options -Indexes

# Block access to hidden dot files
RewriteCond %{REQUEST_URI} (^|/)\. [NC]
RewriteRule ^ - [F,L]

# Protect .htaccess itself
<Files .htaccess>
  Order allow,deny
  Deny from all
</Files>