Skip to main content

Apache .htaccess Generator — HTTPS, Gzip, Cache, CORS

Generate Apache .htaccess — HTTPS redirect, www toggle, gzip, cache headers, hotlink protection.

  • Runs locally
  • Category Generator
  • Best for Starting from a blank page without committing to the first result.
www canonicalization
Blocked User-Agents
Directory listing
<IfModule mod_rewrite.c>
  RewriteEngine On

  # Force HTTPS
  RewriteCond %{HTTPS} off
  RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

  # Strip www
  RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
  RewriteRule ^(.*)$ https://%1%{REQUEST_URI} [L,R=301]
</IfModule>

<IfModule mod_deflate.c>
  # Gzip compression
  AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript
  AddOutputFilterByType DEFLATE application/javascript application/json application/xml
  AddOutputFilterByType DEFLATE application/xhtml+xml application/rss+xml
  AddOutputFilterByType DEFLATE image/svg+xml font/woff font/woff2 application/font-woff
</IfModule>

<IfModule mod_expires.c>
  # Browser cache (mod_expires)
  ExpiresActive On
  ExpiresDefault "access plus 1 month"
  ExpiresByType text/html "access plus 0 seconds"
  ExpiresByType text/css "access plus 1 year"
  ExpiresByType application/javascript "access plus 1 year"
  ExpiresByType image/jpeg "access plus 1 year"
  ExpiresByType image/png "access plus 1 year"
  ExpiresByType image/webp "access plus 1 year"
  ExpiresByType image/svg+xml "access plus 1 year"
  ExpiresByType image/x-icon "access plus 1 year"
  ExpiresByType font/woff "access plus 1 year"
  ExpiresByType font/woff2 "access plus 1 year"
  ExpiresByType application/json "access plus 0 seconds"
</IfModule>

# Custom error pages
ErrorDocument 404 /404.html
ErrorDocument 500 /500.html

# Directory listing off
Options -Indexes

What this tool does

Free Apache .htaccess builder. Tick the blocks you want — force HTTPS, pick a canonical host (force-www or strip-www), enable gzip via mod_deflate, set browser cache lifetimes per mimeType via mod_expires, block hotlinking by Referer, swap in custom 404 / 500 / 503 error pages, blacklist abusive User-Agents, toggle directory listing, and open CORS for an origin. Output is rebuilt live as you click and ships with comment headers explaining every rule. Copy to clipboard or download the file directly. 100% client-side: nothing is uploaded and there are no external API calls.

Tool details

Input
Files + Text + Numbers
The page exposes text boxes, numeric controls, file pickers, or structured inputs depending on the tool.
Output
Live result + Copy + Download
The result area focuses on usable output, with copy, download, or preview actions when supported.
Privacy
Browser-side processing
The main tool logic does not call an external API, so inputs normally stay in the current tab.
Save / share
No account required
Open the page and use it; whether results survive refresh depends on the tool.
Performance budget
Initial JS <= 18 KB
No WASM budget is declared, keeping the tool quick to open on mobile.
Best fit
Generator · Developer
Category and role tags drive related tools, internal links, and quick fit checks.

How to use

  1. 1. Input

    Paste or drop your content into the tool panel.

  2. 2. Process

    Click the button. All processing is local in your browser.

  3. 3. Copy / Download

    Copy the result or download to disk in one click.

How .htaccess Generator fits into your work

Use it to get a strong first draft, starter asset, or structured output that you can edit before publishing.

Generation jobs

  • Starting from a blank page without committing to the first result.
  • Creating repeatable drafts, names, templates, or placeholder assets.
  • Exploring options before choosing the one that fits the job.

Generation checks

  • Review generated output before it reaches a customer, page, or document.
  • Change defaults when you need a specific brand voice, format, or audience.
  • Keep only the parts that match the real task.

Good next steps

These links move the current task into a more complete workflow.

  1. 1 robots.txt Generator Generate robots.txt with templates for common crawlers (Google, Bing, AI scrapers). Open
  2. 2 Meta Tag Generator Generate SEO meta tags — title, description, Open Graph, Twitter Card, Schema.org. Open
  3. 3 JSON Formatter & Validator Format, validate, and minify JSON instantly — right in your browser. Open

Real-world use cases

  • Force HTTPS on a shared-hosting WordPress site after installing an SSL cert

    Your host just issued a free Let's Encrypt cert but the site still loads over http and shows mixed-content warnings. You have no access to httpd.conf. Tick "Force HTTPS" plus "Force www", paste the two rewrite blocks above WordPress's own rules, and every http request 301-redirects to https://www in one hop. Verify with curl -I and watch for a single 301, not a redirect loop.

  • Cut repeat-visit load time by setting per-type browser cache lifetimes

    A landing page reloads its 1.2 MB hero image and CSS on every visit because nothing sets an Expires header. Enable the mod_expires block, give images 1 year, CSS/JS 1 month, and HTML 1 hour. Returning visitors now pull static assets from disk cache, so a 40-request page drops to 3 network requests and feels instant on the second view.

  • Stop another site from hotlinking your images and burning your bandwidth

    Analytics show 60% of your image bandwidth comes from a forum that embeds your product photos directly. Turn on hotlink protection, allow your own domain plus Google Images, and serve a 1px placeholder to everyone else. The forum's embeds break, your origin transfer drops sharply, and legitimate visitors notice nothing.

  • Open CORS for one front-end origin calling a same-server JSON endpoint

    Your React app on app.example.com fetches /api/config.json served by Apache on example.com and the browser blocks it with a CORS error. Add a scoped Access-Control-Allow-Origin for https://app.example.com (not the wildcard *) plus Allow-Methods GET, OPTIONS. The fetch now succeeds, and you avoid the blanket * that would expose the endpoint to every site on the web.

Common pitfalls

  • Using 302 instead of 301 for the HTTPS redirect — 302 is "temporary" so search engines keep indexing the http URL. This generator emits R=301 by default.

  • Combining force-www and strip-www at once, which creates an infinite redirect loop (www → non-www → www). Pick exactly one canonical host.

  • Caching HTML for a year like you do for images — visitors get stale pages after a deploy. Keep HTML at access plus 1 hour or shorter and version your static filenames.

Privacy

Everything runs in your browser. The hosts, paths, origins, and User-Agent strings you type are used only to assemble the rule text locally and are never uploaded — there are no API calls and no analytics on your input. The generated config never appears in the page URL, so pasting a domain or a CORS origin here won't leak it into your history or any share link. Copy or download the result; nothing is stored after you close the tab.

FAQ

Tool combos

Folks in your role tend to reach for these alongside this tool.

Made by Toolora · 100% client-side · Updated 2026-07-02