Smart .htaccess Generator

Generate secure, SEO-friendly, and performance-optimized Apache .htaccess rules without writing code.

Redirect Rules | Security Headers | GZIP Compression | Browser Caching | Apache Ready

How to use

1. Start with a pack (optional)

Click the WordPress, SEO, Security or Performance pack for a recommended starting set, then fine-tune. Or build from scratch by toggling individual modules.

2. Enable & configure modules

Switch on the rules you need — HTTPS, www redirect, 301/302 redirects, security headers, GZIP, caching, bot and IP blocking — and fill in any paths or values. The preview updates live.

3. Review the validation

The validator flags duplicate redirect sources, self-referencing loops, repeated error codes and Apache-compatibility notes so you ship a clean config.

4. Copy or download

Copy the result or download the ready-named .htaccess file. Upload it to your site's root directory via FTP, cPanel or your host's file manager.

What you can build

Force HTTPS & canonical URLs

Send every visitor to one secure, canonical hostname with combined HTTPS + www 301 redirects — essential for SEO and avoiding duplicate-content penalties.

Harden your site

Add X-Frame-Options, X-Content-Type-Options, Referrer-Policy and Content-Security-Policy headers, disable directory listing and block dotfiles in one toggle.

Speed up delivery

Enable GZIP compression and browser-cache Expires headers to shrink payloads and reduce repeat requests — a direct Core Web Vitals win.

Manage redirects

Map old URLs to new ones with 301 (permanent) or 302 (temporary) redirects when restructuring a site, retiring pages, or running campaigns.

Block bots & IPs

Deny aggressive scrapers by user-agent and lock out abusive IP addresses with Apache 2.4 Require directives.

Optimise WordPress

Drop in the standard permalink rewrite block plus HTTPS, caching, GZIP, security headers and wp-config protection with one click.

Understanding .htaccess

What is .htaccess?

A per-directory Apache config file. Rules apply to the folder it lives in and all subfolders, take effect instantly with no server restart, and can be overridden deeper in the tree — powerful, but evaluated on every request.

Apache redirect guide

Use Redirect 301 for permanent moves (passes link equity), Redirect 302 for temporary ones, and mod_rewrite RewriteRule for pattern-based or conditional redirects like HTTPS and www canonicalisation.

Security best practices

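Always send security headers, disable directory listing (Options -Indexes), block access to dotfiles and config files, and force HTTPS. Wrap header rules in <IfModule mod_headers.c> so a missing module skips them instead of breaking the site with a 500 error; because they are then skipped silently, confirm that the headers actually appear in your responses.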
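The practices above as one .htaccess fragment. This is an added example, not this generator's actual output; it assumes Apache 2.4 with AllowOverride permitting Options, FileInfo and AuthConfig, and the header values are conservative assumptions to adapt.

```apache
# Added example, not the generator's output. Header values are assumed
# defaults; the Content-Security-Policy in particular must be tuned per site.

# No auto-generated directory listings (requires AllowOverride Options).
Options -Indexes

# Dotfiles: <FilesMatch> only sees the final file name, so this covers
# /.env and /.htpasswd but NOT files inside a dot-directory (/.git/config).
<FilesMatch "^\.">
    Require all denied
</FilesMatch>

# Dot-directories: refuse any path with a segment that starts with ".",
# except /.well-known/ (used for ACME certificate validation).
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/\.well-known/
    RewriteRule (^|/)\. - [F]
</IfModule>

# Config file named on this page (WordPress installs only).
<Files "wp-config.php">
    Require all denied
</Files>

<IfModule mod_headers.c>
    # "always" also attaches the header to error responses (403, 404, 500),
    # which plain "Header set" does not.
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    # Start strict and loosen only for origins the site really loads from.
    Header always set Content-Security-Policy "default-src 'self'; frame-ancestors 'self'"
</IfModule>
```

After uploading, request a normal page, a 404 and a dot-path such as /.git/config, and check the status codes and response headers.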

Performance optimisation

GZIP (mod_deflate) compresses text assets; Expires headers (mod_expires) let browsers cache static files. Together they cut bandwidth and round-trips, improving LCP and overall page speed.

SEO benefit: a single canonical, HTTPS, correctly-redirecting site consolidates ranking signals onto one URL and eliminates duplicate-content dilution, and the faster load times from GZIP + caching are themselves a ranking factor.

Frequently asked questions

Quick answers about this free online tool.

.htaccess (hypertext access) is a directory-level configuration file used by the Apache web server. Placed in a folder, it applies its rules to that folder and everything below it — without touching the main server config or needing a restart. It is commonly used for URL redirects, forcing HTTPS, custom error pages, password protection, security headers, GZIP compression and browser caching. This tool generates a complete, ready-to-upload .htaccess from visual options.

No. .htaccess is an Apache feature and is ignored by Nginx, which uses a different configuration model (server blocks in nginx.conf, reloaded by the admin). If you are on Nginx, the equivalent rules live in your server block — redirects use return 301, headers use add_header, gzip uses the gzip directive, and caching uses expires / location blocks. .htaccess also works on Apache-compatible servers like LiteSpeed. Check with your host which server you run before uploading.

Enable the 'Force HTTPS' module here. It generates a mod_rewrite block that checks %{HTTPS} off and issues a 301 redirect to the https:// version of the same URL: RewriteCond %{HTTPS} off followed by RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]. Use a 301 (permanent) so search engines transfer ranking to the secure URL. Make sure you have a valid SSL certificate installed first, or visitors will see a security warning.

Pick a single canonical hostname and redirect the other to it so search engines do not see duplicate content. Enable the 'WWW Redirect' module and choose a direction: non-www → www adds the prefix; www → non-www strips it. Both generate a 301 redirect via mod_rewrite. Combine it with the HTTPS module and visitors are sent to your one canonical https://, www-or-not URL in a single hop.
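The HTTPS and www answers above combined into one single-hop rule, shown next to the %{HTTP_HOST} form quoted earlier. This is an added example, not this generator's output; www.example.com is a placeholder for your canonical hostname.

```apache
# Added example, not the generator's output.
# www.example.com is a placeholder: replace it with your canonical host.
<IfModule mod_rewrite.c>
    RewriteEngine On

    # Form quoted on this page. The redirect target is built from the
    # client-supplied Host header, so whatever host name the request
    # carries is echoed back in the Location header:
    #
    #   RewriteCond %{HTTPS} off
    #   RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

    # Single-hop variant with a fixed target: any request that is not
    # already HTTPS *and* on the canonical host gets exactly one 301.
    RewriteCond %{HTTPS} off [OR]
    RewriteCond %{HTTP_HOST} !^www\.example\.com$ [NC]
    RewriteRule ^ https://www.example.com%{REQUEST_URI} [L,R=301]

    # Behind a TLS-terminating proxy or CDN, Apache itself sees plain
    # HTTP, so %{HTTPS} is always "off" and the rule above loops. If the
    # proxy sets X-Forwarded-Proto, test that header in place of the
    # first condition:
    #
    #   RewriteCond %{HTTP:X-Forwarded-Proto} !https [OR]
</IfModule>
```

Test with a temporary R=302 first, since browsers cache 301 responses and a mistaken permanent redirect is hard to undo on the client side.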

Enable the 'GZIP Compression' module. It outputs a mod_deflate block using AddOutputFilterByType DEFLATE for text, HTML, CSS, JavaScript, JSON, XML and SVG — the asset types that compress well. GZIP can cut transfer size by 60–80%, speeding up page loads and improving Core Web Vitals. The block is wrapped in <IfModule mod_deflate.c> so it is skipped safely if the module is not installed. Modern hosts enable mod_deflate by default.

Enable the 'Bot Blocking' module and list the user-agents you want to deny (this tool pre-fills common aggressive crawlers like MJ12bot, AhrefsBot and SemrushBot). It generates a mod_setenvif block that flags matching user-agents and denies them with a Require directive. Bot blocking by user-agent is a deterrent, not a guarantee — well-behaved bots respect it, but malicious bots can spoof their user-agent, so pair it with rate-limiting or a WAF for stronger protection.
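A block of the kind this answer describes, combined with the IP blocking mentioned earlier. This is an added example, not this generator's output; the variable name bad_bot is an assumption and the IP addresses are documentation-range placeholders.

```apache
# Added example, not the generator's output.
# "bad_bot" is an arbitrary variable name; the IPs are placeholders
# from the reserved documentation ranges.

<IfModule mod_setenvif.c>
    # Case-insensitive substring match on the User-Agent request header.
    SetEnvIfNoCase User-Agent "MJ12bot"    bad_bot
    SetEnvIfNoCase User-Agent "AhrefsBot"  bad_bot
    SetEnvIfNoCase User-Agent "SemrushBot" bad_bot
</IfModule>

# Negated Require lines can only veto access, so they must sit inside
# <RequireAll> next to a positive rule that grants it.
<RequireAll>
    Require all granted
    Require not env bad_bot
    Require not ip 203.0.113.7
    Require not ip 198.51.100.0/24
</RequireAll>
```

Blocked requests receive a 403 and still appear in the access log, so the log shows whether the listed user-agents keep arriving under a different name.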