An .htaccess (hypertext access) file is a directory-level configuration file supported by several web servers, used for configuration of website-access settings such as URL redirection, access control, and MIME type handling. The leading dot makes it a hidden file in Unix-like environments.
A site may contain more than one <kbd>.htaccess</kbd> file. The files are placed inside the web treeâÂÂinside directories and their subdirectoriesâÂÂwhich is why they are also called distributed configuration files.
Each <kbd>.htaccess</kbd> file acts as a local override of the server's main configuration file (such as <kbd>httpd.conf</kbd>) for the directory it occupies and all subdirectories beneath it.
The original purposeâÂÂreflected in the nameâÂÂwas per-directory access control, for example requiring a password to reach web content. In practice <kbd>.htaccess</kbd> files are now used to configure many other settings: content types, character encoding, CGI handlers, and URL rewriting rules.
History
The <kbd>.htaccess</kbd> file format originated with the NCSA HTTPd server, where it was introduced to let shared-hosting users control access to their own directories without modifying the server-wide configuration. When the Apache HTTP Server project was founded in 1995 as a continuation of NCSA HTTPd, it retained the format and filename for compatibility. Other web servers, including Oracle iPlanet Web Server and the Zeus Web Server, later added <kbd>.htaccess</kbd> support even though their native configuration formats differ substantially.
Format and language
<kbd>.htaccess</kbd> files use a subset of the Apache HTTP Server directive syntax, which is the same format as the server's main <kbd>httpd.conf</kbd> configuration file. Directives are plain-text instructions, one per line, that Apache interprets on each request.
Some directivesâÂÂparticularly those provided by mod_rewriteâÂÂaccept regular expressions using PCRE syntax. PCRE is used only within those specific directives (such as <code>RewriteRule</code> and <code>RewriteCond</code>); it is not a property of the <kbd>.htaccess</kbd> format itself.
For historical reasons the format is recognized by servers such as Oracle iPlanet Web Server and Zeus Web Server, even though those servers use different native configuration formats.
Common usage
Authorization and authentication: A <kbd>.htaccess</kbd> file commonly restricts access to a directory. It is often paired with a <kbd>.htpasswd</kbd> file that stores usernames and password hashes.
URL rewriting: Servers use <kbd>.htaccess</kbd> with mod_rewrite to rewrite long or complex URLs to shorter, more readable forms.
Access control: The <code>Allow</code> and <code>Deny</code> directives (or <code>Require</code> in Apache 2.4) restrict access by IP address, domain, or other criteria, and can block unwanted bots or referrers.
Server-side includes: The <code>Options +Includes</code> directive enables server-side include processing for a directory.
Directory listing: The <code>Options</code> directive controls whether the server generates an automatic index when no default document is present.
Custom error responses: The <code>ErrorDocument</code> directive maps HTTP error codesâÂÂsuch as 404 Not Found or 301 Moved PermanentlyâÂÂto custom pages.
MIME types: The <code>AddType</code> directive instructs Apache how to serve files with non-standard or missing extensions.
Cache control: <kbd>.htaccess</kbd> files can set <code>Cache-Control</code> and <code>Expires</code> headers via <code>mod_headers</code> or <code>mod_expires</code>, reducing bandwidth use and server load.
HTTPS and HSTS: Enforcing HTTPS on Apache typically requires <code>RewriteRule</code> directives and <code>Header</code> directives in <kbd>.htaccess</kbd>. Syntax errors in these rules can cause failed redirects or broken HSTS deployment.
Advantages
Immediate effect: Because <kbd>.htaccess</kbd> files are read on every request, changes take effect immediatelyâÂÂunlike the main server configuration, which requires a server restart.
Non-privileged users: On shared web hosting servers, <kbd>.htaccess</kbd> allows individual users to adjust their own directory configuration without access to the server's main configuration files.
Disadvantages
Using the main server configuration file <kbd>httpd.conf</kbd> is generally preferred for performance and security reasons:
Performance: Each HTTP request causes Apache to check for <kbd>.htaccess</kbd> files in the requested directory and every parent directory where overrides are permitted. On high-traffic servers this adds measurable filesystem overhead. Directives can be migrated from <kbd>.htaccess</kbd> to <kbd>httpd.conf</kbd> to eliminate this cost.
Security: Allowing users to modify server configuration can introduce security issues if the permitted directives are not carefully restricted.
Syntax sensitivity: Apache will return a server error (typically 500) for the entire directory if the <kbd>.htaccess</kbd> file contains a syntax error, making all resources in that directory inaccessible.
See also
References
External links