You can use a .htaccess file to configure certain web server settings for your website. This includes HTTPS redirects, HSTS headers, cache rules, and protection against hotlinking.
Place the .htaccess file in the directory for which the rules should apply. The rules also apply to subdirectories unless they are overridden there.
Force HTTPS with .htaccess
If your website is accessible via HTTPS, you can automatically redirect HTTP requests to HTTPS.
Example:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
These rules permanently redirect all HTTP requests to the corresponding HTTPS URL.
Enable HSTS
HTTP Strict Transport Security, or HSTS, is a security mechanism for HTTPS connections. The browser remembers that a domain should only be accessed via HTTPS for a specific period of time.
This can help protect against downgrade attacks where a connection is forced from HTTPS back to HTTP.
A simple HSTS header looks like this:
<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=31536000"
</IfModule>
max-age=31536000 means that the browser stores the rule for one year.
Enable HSTS for subdomains
If HSTS should also apply to all subdomains, you can add includeSubDomains:
<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</IfModule>
Only use this option if all subdomains are reliably accessible via HTTPS. Otherwise, visitors may no longer be able to access certain subdomains.
Use HSTS preload
With preload, you can prepare your domain for inclusion in the HSTS preload list:
<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
</IfModule>
Only use preload if you are sure that the domain and all subdomains will remain permanently accessible via HTTPS. Inclusion in the preload list can have long-term effects and cannot be reversed immediately.
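Before submitting a domain, it helps to check the header you actually configured against the preload requirements. The following Python script is an added example, not part of this page or of any hosting product: the names hsts_from_htaccess, parse_hsts and preload_issues are my own, and the thresholds it applies are the ones published at hstspreload.org (max-age of at least one year, includeSubDomains, preload).

```python
import re

ONE_YEAR = 31536000  # seconds; the minimum max-age hstspreload.org accepts

# Matches the "Header always set Strict-Transport-Security ..." line used above.
HEADER_RE = re.compile(
    r'^\s*Header\s+(?:always\s+)?set\s+Strict-Transport-Security\s+"([^"]*)"',
    re.IGNORECASE | re.MULTILINE)

def hsts_from_htaccess(text):
    """Return the first Strict-Transport-Security value set in the snippet, or None."""
    m = HEADER_RE.search(text)
    return m.group(1) if m else None

def parse_hsts(value):
    """Split a header value into directives; max-age becomes an int, flags become True."""
    directives = {}
    for part in filter(None, (p.strip() for p in value.split(";"))):
        name, _, val = part.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        if name == "max-age":
            val = val.strip().strip('"')
            if not val.isdigit():
                raise ValueError("max-age must be a non-negative integer")
            directives[name] = int(val)
        else:
            directives[name] = True
    if "max-age" not in directives:
        raise ValueError("max-age is required")
    return directives

def preload_issues(value):
    """List every reason the header would not meet the preload requirements."""
    d = parse_hsts(value)
    issues = []
    if d["max-age"] < ONE_YEAR:
        issues.append("max-age must be at least 31536000 (one year)")
    if not d.get("includesubdomains"):
        issues.append("includeSubDomains is missing")
    if not d.get("preload"):
        issues.append("preload directive is missing")
    return issues

# Constructed sample: the one-year header from this page, without subdomains or preload.
SAMPLE_HTACCESS = '''<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=31536000"
</IfModule>'''
print(preload_issues(hsts_from_htaccess(SAMPLE_HTACCESS)))
```

The script only checks the header text; the preload list additionally requires that the header is served on the base domain over HTTPS and that HTTP requests are redirected, which you verify with the tools linked below.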
You can find more information and testing tools here:
https://hstspreload.org
https://securityheaders.com
Combine HTTPS redirect and HSTS
A typical .htaccess configuration can look like this:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=31536000"
</IfModule>
After saving the configuration, test it in the browser. Also check whether all images, scripts, stylesheets, and external resources are loaded via HTTPS.
Set cache lifetime with .htaccess
With mod_expires, you can define how long browsers should cache certain files. This can improve loading times because returning visitors do not have to download files such as images, CSS, or JavaScript again on every request.
Add the rules to a .htaccess file. Place the file in the directory for which the cache rules should apply, for example in public_html.
A simple example:
ExpiresActive On
ExpiresDefault "access plus 30 seconds"
This gives all files a cache lifetime of 30 seconds. If a visitor reloads the page after more than 30 seconds, the browser requests the files from the server again.
You can also define the cache lifetime by file type:
ExpiresActive On
ExpiresDefault "access plus 1 hour"
ExpiresByType image/gif "access plus 1 hour"
ExpiresByType image/jpeg "access plus 1 hour"
ExpiresByType image/png "access plus 1 hour"
ExpiresByType text/html "access plus 4 minutes"
ExpiresByType text/plain "access plus 4 minutes"
ExpiresByType text/css "access plus 1 hour"
ExpiresByType application/javascript "access plus 1 hour"
If you only want to affect a specific file type, you can define a rule just for that type:
ExpiresActive On
ExpiresByType image/gif "access plus 1 minutes"
Adjust the values to your website. Short cache times are useful for HTML content that changes frequently. For static files such as images, CSS, or JavaScript, you can usually use longer cache times.
If you use long cache times for CSS or JavaScript, change file names or use version parameters when you update these files. Otherwise, visitors may continue to see an old version from the browser cache.
Protect files from hotlinking
Hotlinking means that another website embeds files directly from your webspace. This often affects images, videos, or larger downloads.
You can use the following rules to prevent certain file types from being embedded by external domains:
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com(/.*)?$ [NC]
RewriteRule \.(gif|jpg|jpeg|png|webp|zip|mpg)$ - [F,NC]
Replace example\.com with your own domain. You need to escape the dot in the domain with a backslash.
Example:
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com(/.*)?$ [NC]
For example.com, the notation remains example\.com.
Protect a folder from being viewed in the browser
In the menu, go to Services → Server Configuration.
Here you can individually enable or disable the directory listing for each folder.
Click on the folder and then on the button Server configuration. Then you can click on Directory Index.
Here you can enable or disable the index. The directory index is disabled by default.
Allow additional domains
If files should also be embedded by other domains that belong to you, add additional conditions:
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com(/.*)?$ [NC]
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.net(/.*)?$ [NC]
RewriteRule \.(gif|jpg|jpeg|png|webp|zip|mpg)$ - [F,NC]
Notes
Use this method mainly to protect images, videos, archives, or other static files.
You should usually not protect HTML or PHP files this way. Otherwise, normal links from other websites to your content may be blocked.
Also note that the HTTP referer is not always reliable. Some browsers, firewalls, or privacy extensions can remove or modify it.
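To see what the hotlinking rules above (the single-domain and the additional-domains variants) actually block, the following Python script replays the same three conditions over constructed requests. It is an added example, not part of this page or of Apache: the names referer_pattern, is_blocked, check_all and escaping_matters are my own, and the referer values are made up for the test.

```python
import re

# The protected extensions from the RewriteRule above; [NC] is re.IGNORECASE here.
PROTECTED_EXT = re.compile(r"\.(gif|jpg|jpeg|png|webp|zip|mpg)$", re.IGNORECASE)

def referer_pattern(domain_regex):
    """Build the same expression as the RewriteCond: optional www., the domain, then / or end."""
    return re.compile(r"^https?://(www\.)?" + domain_regex + r"(/.*)?$", re.IGNORECASE)

def is_blocked(request_path, referer, allowed_domain_regexes):
    """Return True when the rule set above would answer 403 for this request.

    Every RewriteCond must hold for the RewriteRule to fire: the referer is
    non-empty, it matches none of the allowed domains, and the path ends in a
    protected extension.
    """
    if referer == "":  # RewriteCond %{HTTP_REFERER} !^$ fails: direct visits pass
        return False
    for domain_regex in allowed_domain_regexes:
        if referer_pattern(domain_regex).match(referer):
            return False  # own site (or a listed extra domain) is allowed
    return PROTECTED_EXT.search(request_path) is not None

# Constructed requests; each tuple is (path, Referer header, expected outcome).
CASES = [
    ("/img/photo.png", "", False),                                   # no referer sent
    ("/img/photo.png", "https://www.example.com/gallery", False),    # own site
    ("/img/photo.png", "https://other.example/page", True),          # external site
    ("/page.html", "https://other.example/page", False),             # not a protected type
    ("/img/photo.png", "https://example.com.other.example/", True),  # only contains the name
]

def check_all(allowed=("example\\.com",)):
    """Run every case; return the (path, referer) pairs whose outcome differs."""
    return [(p, r) for p, r, want in CASES if is_blocked(p, r, list(allowed)) != want]

def escaping_matters():
    """Why the dot must be escaped: with "example.com" the dot matches any character,
    so a referer from the constructed host "examplexcom" passes the unescaped version."""
    ref = "https://examplexcom/"
    return (is_blocked("/img/photo.png", ref, ["example\\.com"]),
            is_blocked("/img/photo.png", ref, ["example.com"]))

if __name__ == "__main__":
    print(check_all(), escaping_matters())
```

The first case shows the limit the notes above describe: a request without a Referer header is never blocked, so the rules reduce casual embedding rather than prevent every download.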