How to add Mime-Types using .htaccess

In case your web hosting account is not configured to server certain mime types with the proper content type. You can change this using .htaccess file.

For example if you need to configure your server to display ASX files:

AddType video/x-ms-asf asf asx

For windows media audio WMA

AddType audio/x-ms-wma .wma

A comprehensive list of mime-types can be found here

There is one more useful feature of the AddType directive. Most of you most probably know that Internet Explorer opens MS Word, Excell, PDF and some other files inside a browser window. To force the browser to download the file you can use AddType to change the document type:

AddType  application/octet-stream  .doc .xls .pdf

Enable CGI, SSI with .htaccess

As .htaccess is a powerful tool. It gives you option to change the way the webserver serves your files. On most web hosting servers you can use SSI (Server Side Includes) in shtml, or shtm files.

However, you need to use SSI in your .html and htm files. There is an easy solution for this.
Just add the following line in your .htaccess file:

AddHandler server-parsed .html .htm

This line will tell the server to parse your .htm file as SSI and execute any SSI directives you have there.

You can also use .htaccess to enable CGI scripts execution as well as change the default extension for such files as well.

For Perl/CGI scripts you will need:

AddHandler cgi-script .cgi .pl

To make PHP files to be parsed as PHP when PHP is running as module

AddType application/x-httpd-php .html .htm

To make PHP files to be parsed as PHP when PHP is running as CGI (suexec, etc)

AddHandler application/x-httpd-php .html .htm

301 Permanent redirects for parked domain names

If you have several domain names parked/pointed at your site it is a good idea to create permanent 301 redirect for them so for the search engines not to treat them as duplicate content.

Here is a sample .htaccess that will do that:

RewriteEngine on

RewriteCond %{HTTP_HOST} ^$ [OR]

RewriteCond %{HTTP_HOST} ^$

RewriteRule ^(.*)$$1 [R=301]

And even more generic solution would be:

RewriteEngine on

RewriteCond %{HTTP_HOST} !^$

RewriteRule ^(.*)$$1 [R=301]

Force SSL/https using .htaccess and mod_rewrite

Sometimes you may need to make sure that the user is browsing your site over securte connection. An easy to way to always redirect the user to secure connection (https://) can be accomplished with a .htaccess file containing the following lines:

RewriteEngine On 
RewriteCond %{SERVER_PORT} 80 
RewriteRule ^(.*)$$1 [R,L]

Please, note that the .htaccess should be located in the web site main folder.

In case you wish to force HTTPS for a particular folder you can use:

RewriteEngine On 
RewriteCond %{SERVER_PORT} 80 
RewriteCond %{REQUEST_URI} somefolder 
RewriteRule ^(.*)$$1 [R,L]

The .htaccess file should be placed in the folder where you need to force HTTPS.

Introduction to mod_rewrite and some basic examples

ModRewrite is a powerful feature of the Apache web server. It provides an easy way to modify/manipulate URLs. As complicated as it sounds a regular webmaster can benefit from this feature in many way. I will list here the ones I consider most useful for the regular webmaster.

Create easy to remember URLs or also known as COOL URIs, other call them Search Engine Friendly URLs. For example you have some complicated site driven by some server-side scripting language: PHP, Perl, etc. In general its URLs will look like

It is not easy to remember such URL.

Using ModRewrite you can make the URL look like:

Here is the code:
RewriteEngine On
RewriteRule ^([a-z]*)/([a-z]*)/([1-9]+)(-[1-9]+)? $$2&a=$3&page=$4&lang=$1 [L]

What the code does? It tries to match the requested URL against a regular expression string.
In case it finds a match it performs an internal rewrite. The user will never see the long URL in his browser.

Redirect URLs using .htaccess

Sometimes you need to redirect some URL and/or page on your site to another one.
The feature is very useful if you have recently redesigned your site but you wish to keep the old addresses working for various reasons (you have links to these pages from other sites, some users may have the old pages bookmarked, etc).

The Apache web server provides several way for setting up redirects.

The most simple one is using the “Redirect” directive:

Redirect /folder

With such a line in your .htaccess if a visitor tries to load, he will be redirected to

Recently it has been talked a lot about Permanent redirects. The good news is that you can add a status code to the Redirect directive. For example for Permanent 301 redirect you can use:

Redirect permanent /folder

Another useful directive is the RedirectMatch. With it you can use regular expressions in the redirect condition. For example

RedirectMatch "\.html$"

This will redirect all requests to files that end with .html to the index.php file.

There is another more powerful way to create redirects or even create transperant redirects which requires ModRewrite. We will talk about this in the next article.

Disable Hot-Linking of images and other files

A hot-linking is when some other site uses images hosted on yours. For example has some pretty nice images. Then decides that instead of hosting these images on their server, they can just link from their pages to the images hosted on site
Hot-linking usually is bandwidth and of course content stealing. The site will not pay for the traffic used as the image is being loaded from site

So it is a good practice to prevent images hot-linking:

You can prevent the hot-linking of your images by creating a .htaccess file with the following content:

RewriteEngine on

RewriteCond %{HTTP_REFERER} !^$

RewriteCond %{HTTP_REFERER} !^http://(www.)?*$ [NC]

RewriteRule \.(gif|jpe?g|png)$ - [F]

The above code will result in a broken image to be displayed when it is hot-linked.

The example above works for .gif,.jpg and .png files, but you can add any file extension.

If you place the .htaccess file in the main folder of your site it will disable hotlinking for all your site.

To block other type of files, just add their extension to the list above. For example to block movie files:

RewriteRule \.(mov|avi|wmv|mpe?g)$ - [F]

The Hot-Linking prevention is based on an Apache module called ModRewrite. So your web host should support it in order for you to be able to use these on your site.

We will be discussing ModRewrite in a separate topic.

Using .htaccess to block referrer spam

Lately referrer spam became a great annoyance for the webmasters. If you are not sure what referrer spam is you may wish to check this article:

To block these spam referrers you need the following lines in your .htaccess file:

# set the spam_ref variable
SetEnvIfNoCase Referer "^http://(www.)?" spam_ref=1

SetEnvIfNoCase Referer "^http://(www.)?" spam_ref=1

SetEnvIfNoCase Referer "^casino-poker" spam_ref=1

# block all referres that have spam_ref set
<FilesMatch "(.*)">
Order Allow,Deny
Allow from all
Deny from env=spam_ref

The first lines “setenvifnocase” assign a span_ref environment variable. Then we deny all access to such referrers in the FilesMatch clause.

You can also use wildcards with the above .htaccess directives to match a variety of hosts. For example, you can use

SetEnvIfNoCase Referer "*some_word*" spam_ref=1

to match all referrers that contain the word ‘some_word’.

For example you can ban visits from referral sites that contain in their domains words like: phentermine, viagra, cialis, shemale, porn, nude, celebrity, etc.

Using .htaccess for password protecting your folders

If you need to have certain areas (folders or files) of your web site protected you can use .htaccess and .htpasswd files to enable a basic user/pass protection.

The Apache web server provides a quick and easy way to protect a file or folder on your site.

The password protection depends on two files. The first one is the .htaccess file. It tells the webserver that viewing the file and/or folder requires authorization. The second file is the .htpasswd file it stores information about the users and their passwords. Its content will look similar to the following line:


The first part is the username, the second part of the line after the colon symbol is the password. The password is encrypted either using a modified version of MD5 or the system crypt() function.

Creation of the .htpasswd file is usually handled by the Apache htpasswd command line utility.
In case you do not have access to it on your server, you can use the following form to generate your .htpasswd file.

It is recommended that the .htpasswd file is located in a folder that is not accessible through the web. However most servers retrict acces to these files in their setup.

Once you have the .htpasswd file ready you need to create a file named .htaccess and place it in the folder you wish to have protected. The file should have the following lines

AuthType Basic
AuthUserFile "/home/username/path_to_htpasswd/.htpasswd"
AuthName “Enter valid username and password!”
require valid-user

The line AuthUserFile tells the web server where to look for the file containing the usernames which are allowed to access the folder.

The AuthName is what is printed in the user/prompt of the visitor’s browser.

Protecting a single file is a little tricky, you will need to add some more lines to the .htaccess file. Let’s say you wish to protect a file named “my-secret-file.html”. Then you will need to following .htaccess:

AuthType Basic
AuthUserFile "/home/username/path_to_htpasswd/.htpasswd"
AuthName "Enter valid username and password!"
<Files my-secret-file.html>
require valid-user

The .htaccess file should be located in the same folder where the my-secret-file.html is located.

How to change the error documents – 404 Page Not Found, etc

Using .htaccess file you can easily change the default error pages that are being served by your web server. To use .htaccess to modify your web site error pages your server needs to be configured with AllowOverride FileInfo. Most web hosting servers are configured in such a way so having a custom error page instead of the default ones is possible.

Using a custom error page give you an option to keep your visitors on your site. For example you can have a link to your main page or even your complete site navigation included in the error document. In this even if a user get an error page he/she will be able to navigate to your site main page or some other section of your site. A custom error page always look better than the simple default error pages served by the hosting server.

So for example, let’s start with most common error page. The 404 error page:

ErrorDocument 404 /notfound.html

The line above tells the webserver to use a file named missing.html as error document.
Please note, the leading slash. It tells the browser that this file is located in your web site root folder. In case you miss the slash the webserver will look for a missing.html in the current directory. In case you do not have such a file a default 404 page will be server with a message that an additional error has occurred while trying to find the missing.html file you have defined in your .htaccess file.

If you wish to keep your site structure clean and organized, you can create a folder on your website and keep all custom error pages there. For example you can create a folder named “errors” and place all pages that are going to be used as error handlers there. With a subdirectory your .htaccess file will look like

ErrorDocument 404 /errors/notfound.html

Please, note that the ErrorDocument directive can only be used with local file paths.
This means that you cannot define an error document using full URL, such as:

ErrorDocument 404

The above line is wrong and will not be woring at all.

Also, when using custom error pages with images, CSS files, javascript files and other linked documents it is always a good idea to use full URL to link to these external files as when an error occurs in a subfolder the relative links will not work. For example if you have:

<img src=”images/badpage.jpg”>

it will only be working well for your website main folder.

To have it working on all levels of your site, it should be either:

<img src=”/images/badpage.jpg”>


<img src=””>

Another issue you should have in mind is the strange behaviour of Internet Explorer with error documents that are smaller than 512 bytes. Such error documents will not work properly in Internet explorer. It will replace them with the default IE error page. This issue is known as “Show friendly HTTP error messages” bug in IE. So our advise is always to design your missing pages to be bigger than 512 bytes.

Similar issue can be encountered with error pages that are CGI or PHP scripts (running as CGIs). With some web server configuration a PHP script set as error document may not work properly on IE, unless you send a HTTP 200 response to the browser. (strange issue, but it is happening). Please, note that the issue is only with Internet Explorer. The pages are working fine with FireFox, Netscape and other browsers.

So, now let’s have an example with some more error codes:

ErrorDocument 500 /internal_error.html
ErrorDocument 401 /authorization_required.html
ErrorDocument 403 /forbidden.html

As you can see from the example the ErrorDocument uses a simple syntax:

ErrorDocument  <error_code>   <path_to_file>

Where <error_code> should be replaced with the HTTP error you should assign a custom error page and the <path_to_file> should be replaced with the path to your own custom error page.

Here it is list of some common HTTP error codes:

400 Bad Request
The server received a request it cannot handle due to bad syntax for example

401 Unauthorized
Such an error will show up in case a user did not supply a proper login credentials when using the .htaccess based user/pass protection

403 Forbidden
The request page is forbidden. Such an error shows up when you have a Deny from directive

404 Not Found
As the error message says the page that you have requested cannot be found on the server.

410 Gone
The requested page have been removed permanently

500 Internal Server Error
The server encountered an error. Usually such error messages show up with CGI scripts. Also you can get such an error message when you have bad syntax in your .htaccess file.

Complete list of HTTP response codes can be found here: