Generate a recommended Apache .htaccess for your domain — force HTTPS, canonicalize www, enable gzip and browser caching, and add baseline security headers. Download and drop it on your server.
⚡ Interactive demo — sample data
Generated a recommended Apache .htaccess with HTTPS, host canonicalization, compression, caching and security headers. Back up your existing file before replacing it.
Force HTTPS: 301 redirect from http to https (Looks good)
Canonical host: www → non-www 301 (flip the rule if you prefer www) (Looks good)
Compression + caching: gzip/DEFLATE plus mod_expires browser cache headers (Looks good)
Security headers: X-Content-Type-Options, X-Frame-Options, Referrer-Policy (Looks good)
Apache only — this file has no effect on Nginx servers (Warning)
How it works
Enter your domain
Type your domain (example.com). We use it to build the canonical host rules so the generated file redirects www to non-www for your exact domain — no placeholder editing needed for the host part.
Review the generated .htaccess
You get a complete, commented Apache .htaccess that forces HTTPS, canonicalizes the host, enables gzip compression and browser caching, and adds baseline security headers. Each block is labeled so you understand what it does.
Download and add it to your server
Download the file (or copy the contents), back up any existing .htaccess first, then upload it to your site's root directory. Reload your site to confirm HTTPS and the www/non-www redirect work as expected.
What we check
Force HTTPS — Adds a RewriteCond/RewriteRule that 301-redirects all http requests to https, so visitors and search engines always land on the secure version and you don't leak duplicate http URLs.
www canonicalization — Redirects www to your bare domain with a 301 (you can flip the rule if you prefer www). Picking one canonical host stops search engines from splitting signals across two versions of every URL.
Gzip / DEFLATE compression — Enables mod_deflate to compress HTML, CSS, JavaScript, JSON and SVG before sending them, cutting transfer size and improving load time for text-based assets.
Browser caching (mod_expires) — Sets Expires headers via mod_expires so returning visitors cache images for a year and CSS/JS for a month, reducing repeat downloads and speeding up subsequent page views.
Security headers (mod_headers) — Adds X-Content-Type-Options: nosniff, X-Frame-Options: SAMEORIGIN and a sensible Referrer-Policy — baseline protections against MIME-sniffing, clickjacking and referrer leakage.
Apache module guards — Wraps the compression, caching and header blocks in <IfModule> checks so the file won't 500 your site if a module isn't loaded — it simply skips that block instead.
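A file covering the six items above could look like the following. This is an added example written for example.com, not the generator's actual output; the Referrer-Policy value and the listed image types are assumptions, since the page does not state them.

```apache
# Added example (constructed for example.com), not the generator's output.

# --- Force HTTPS and canonical host (www -> non-www) ---
# Left outside <IfModule>: the page lists guards only for compression,
# caching and headers. Unguarded, a missing mod_rewrite fails loudly
# instead of silently dropping the HTTPS redirect.
RewriteEngine On

# Plain-http requests go straight to https on the bare domain (one hop)
RewriteCond %{HTTPS} off
RewriteRule ^ https://example.com%{REQUEST_URI} [L,R=301]

# www.example.com -> example.com
RewriteCond %{HTTP_HOST} ^www\.example\.com$ [NC]
RewriteRule ^ https://example.com%{REQUEST_URI} [L,R=301]

# --- Compression ---
# On Apache 2.4 AddOutputFilterByType is provided by mod_filter,
# so the guard checks for both modules.
<IfModule mod_deflate.c>
    <IfModule mod_filter.c>
        AddOutputFilterByType DEFLATE text/html text/css application/javascript application/json image/svg+xml
    </IfModule>
</IfModule>

# --- Browser caching: images one year, CSS/JS one month ---
<IfModule mod_expires.c>
    ExpiresActive On
    # Image types below are assumed; list the ones your site serves
    ExpiresByType image/jpeg "access plus 1 year"
    ExpiresByType image/png "access plus 1 year"
    ExpiresByType image/svg+xml "access plus 1 year"
    ExpiresByType text/css "access plus 1 month"
    ExpiresByType application/javascript "access plus 1 month"
</IfModule>

# --- Security headers ---
<IfModule mod_headers.c>
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options "SAMEORIGIN"
    # Policy value is an assumption; the page only says "sensible"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
</IfModule>
```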
Common issues we catch
This is Apache-only — not Nginx — .htaccess is read by Apache (and LiteSpeed). Nginx ignores it entirely; on Nginx these rules belong in the server block config instead. Confirm your host runs Apache before uploading, or the file will do nothing.
Overwriting an existing .htaccess — Many sites already have rules — WordPress permalinks, redirects, password protection. Dropping this file on top can wipe them and break the site. Always back up the current .htaccess and merge rather than replace if it has content.
Redirect loops from conflicting rules — If a CDN or load balancer already terminates HTTPS, the HTTPS check can misfire and loop. When that happens, the condition needs to read a forwarded header (like X-Forwarded-Proto) instead of %{HTTPS} — adjust for your stack.
Choosing the wrong canonical direction — The default redirects www to non-www. If your site is established on www (and your backlinks, Search Console property and ads point there), redirecting away from it loses that consistency. Flip the rule to match what you already use.
AllowOverride disabled on the server — If the Apache config has AllowOverride None for your directory, the server ignores .htaccess completely and your rules silently do nothing. You'd need host-level access to enable it or to move the rules into the main config.
Caching headers too aggressive for changing files — A one-year cache on assets is great until you update a CSS or JS file and returning visitors keep the stale cached copy. The standard fix is to version filenames (style.v2.css) so a change forces a fresh download.
Missing or duplicate trailing rules — Order matters in .htaccess — the HTTPS and www rules should run before app-specific rewrites (like WordPress's). Pasting this block below an existing front-controller rule can cause the redirects to never fire.
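The redirect-loop and rule-order issues above, shown as an added example (constructed for example.com, not the generator's output). It assumes the proxy sets X-Forwarded-Proto on every request and overwrites any client-supplied copy; the header name varies by provider.

```apache
# Added example (constructed), not the generator's output.

RewriteEngine On

# Loops behind a TLS-terminating CDN or load balancer: Apache only ever
# sees plain http, so %{HTTPS} is always "off" and every request,
# including the one that follows the redirect, is redirected again.
# RewriteCond %{HTTPS} off
# RewriteRule ^ https://example.com%{REQUEST_URI} [L,R=301]

# Proxy-aware form: redirect only when the proxy reports that the
# visitor's original request was not https.
RewriteCond %{HTTP:X-Forwarded-Proto} !=https
RewriteRule ^ https://example.com%{REQUEST_URI} [L,R=301]

# Canonical host rule, still ahead of any application rewrites
RewriteCond %{HTTP_HOST} ^www\.example\.com$ [NC]
RewriteRule ^ https://example.com%{REQUEST_URI} [L,R=301]

# Application rules come after the redirects. On WordPress the managed
# block stays intact between its own markers:
# BEGIN WordPress
#   (permalink rules written by WordPress, left untouched)
# END WordPress
```

If the origin is also reachable directly, a client can supply X-Forwarded-Proto itself and be served over plain http, so this form belongs only on origins that accept traffic solely from the proxy.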
Where this matters
Apache HTTP Server — The native target. All directives here — RewriteEngine, mod_deflate, mod_expires, mod_headers — are standard Apache and work on any Apache install that has those modules enabled.
LiteSpeed — LiteSpeed servers read .htaccess with Apache-compatible syntax, so the same file generally works without changes — common on many shared hosts marketed as 'Apache-compatible'.
cPanel & shared hosting — Most cPanel and shared hosts run Apache or LiteSpeed and let you upload .htaccess to public_html. This is the typical environment where dropping in this file just works.
WordPress — WordPress already manages an .htaccess block for permalinks. Add these rules around (not inside) the # BEGIN WordPress / # END WordPress markers so WordPress doesn't overwrite them on save.
Nginx (not supported) — Nginx does not read .htaccess. If your host runs Nginx, these directives must be translated into the server/location config — this file won't take effect there.
Frequently asked questions
What is an .htaccess file?
It's a per-directory configuration file that Apache reads to apply rules like redirects, compression, caching and headers without touching the main server config. Placed in your site root, it affects your whole site. Only Apache and Apache-compatible servers like LiteSpeed use it.
Does this work on Nginx?
No. Nginx ignores .htaccess entirely — its equivalent rules live in the server block configuration, which usually requires host-level access. This generator produces Apache syntax, so confirm your hosting runs Apache or LiteSpeed before using it.
Where do I put the file?
Upload it to your website's root directory (often public_html or www) so it applies to the whole site. Make sure it's named exactly .htaccess with the leading dot and no extension, or Apache won't recognize it.
Should I redirect to www or non-www?
Either is fine for SEO — what matters is picking one and being consistent. The default here redirects www to non-www. If your backlinks, Search Console property and existing setup use www, flip the rule so you redirect toward www instead.
Will this break my existing redirects?
It can, if you replace an .htaccess that already has rules. Always download a backup of your current file first, and merge these blocks in rather than overwriting — especially on WordPress, where the permalink block must stay intact.
Why am I getting a redirect loop after adding it?
The most common cause is a CDN or proxy that terminates HTTPS upstream, so Apache sees the request as http and keeps redirecting. In that setup the HTTPS condition needs to check a forwarded header like X-Forwarded-Proto instead of %{HTTPS}. Adjust the condition for your stack.
Do compression and caching really help speed?
Yes. Gzip/DEFLATE shrinks text assets (HTML, CSS, JS) significantly over the wire, and browser caching means returning visitors re-download far less. Both are low-effort wins that improve real-world load time and Core Web Vitals.
Is it safe to add the security headers?
The included headers — nosniff, SAMEORIGIN frame options and a Referrer-Policy — are conservative and safe for most sites. SAMEORIGIN could block legitimate embedding of your pages in third-party iframes, so if you intentionally allow that, loosen X-Frame-Options accordingly.
This is one of several free SEO tools from Custom Web Audits.