.htaccess

Directory-level configuration file used by Apache HTTP Server

From Wikipedia, the free encyclopedia

An .htaccess (hypertext access) file is a directory-level configuration file supported by several web servers, used for configuration of website-access settings such as URL redirection, access control, and MIME type handling. The leading dot makes it a hidden file in Unix-like environments.


A site may contain more than one .htaccess file. The files are placed inside the web tree—inside directories and their subdirectories—which is why they are also called distributed configuration files.[1]

Each .htaccess file acts as a local override of the server's main configuration file (such as httpd.conf) for the directory it occupies and all subdirectories beneath it.[2]

The original purpose—reflected in the name—was per-directory access control, for example requiring a password to reach web content. In practice .htaccess files are now used to configure many other settings: content types, character encoding, CGI handlers, and URL rewriting rules.

History

The .htaccess file format originated with the NCSA HTTPd server, where it was introduced to let shared-hosting users control access to their own directories without modifying the server-wide configuration. When the Apache HTTP Server project was founded in 1995 as a continuation of NCSA HTTPd, it retained the format and filename for compatibility.[3] Other web servers, including Oracle iPlanet Web Server and the Zeus Web Server, later added .htaccess support even though their native configuration formats differ substantially.

Format and language

.htaccess files use a subset of the Apache HTTP Server directive syntax, which is the same format as the server's main httpd.conf configuration file.[4] Directives are plain-text instructions, one per line, that Apache interprets on each request.

Some directives—particularly those provided by mod_rewrite—accept regular expressions using PCRE syntax. PCRE is used only within those specific directives (such as RewriteRule and RewriteCond); it is not a property of the .htaccess format itself.

For historical reasons the format is recognized by servers such as Oracle iPlanet Web Server[5] and Zeus Web Server, even though those servers use different native configuration formats.

Common usage

Authorization and authentication
A .htaccess file commonly restricts access to a directory. It is often paired with a .htpasswd file that stores usernames and password hashes.[6]
URL rewriting
Servers use .htaccess with mod_rewrite to rewrite long or complex URLs to shorter, more readable forms.
Access control
The Allow and Deny directives (or Require in Apache 2.4) restrict access by IP address, domain, or other criteria, and can block unwanted bots or referrers.
Server-side includes
The Options +Includes directive enables server-side include processing for a directory.
Directory listing
The Options directive controls whether the server generates an automatic index when no default document is present.
Custom error responses
The ErrorDocument directive maps HTTP error codes—such as 404 Not Found or 301 Moved Permanently—to custom pages.[7]
MIME types
The AddType directive instructs Apache how to serve files with non-standard or missing extensions.
Cache control
.htaccess files can set Cache-Control and Expires headers via mod_headers or mod_expires, reducing bandwidth use and server load.[8]
HTTPS and HSTS
Enforcing HTTPS on Apache typically requires RewriteRule directives and Header directives in .htaccess. Syntax errors in these rules can cause failed redirects or broken HSTS deployment.

Advantages

Immediate effect
Because .htaccess files are read on every request, changes take effect immediately—unlike the main server configuration, which requires a server restart.
Non-privileged users
On shared web hosting servers, .htaccess allows individual users to adjust their own directory configuration without access to the server's main configuration files.[9]

Disadvantages

Using the main server configuration file httpd.conf[10] is generally preferred for performance and security reasons:[11]

Performance
Each HTTP request causes Apache to check for .htaccess files in the requested directory and every parent directory where overrides are permitted. On high-traffic servers this adds measurable filesystem overhead. Directives can be migrated from .htaccess to httpd.conf to eliminate this cost.[12]
Security
Allowing users to modify server configuration can introduce security issues if the permitted directives are not carefully restricted.[13]
Syntax sensitivity
Apache will return a server error (typically 500) for the entire directory if the .htaccess file contains a syntax error, making all resources in that directory inaccessible.
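
The security point above depends on which directive classes the main configuration lets .htaccess files override. The following added example (not from the article or the Apache project) scans a .htaccess file and reports the narrowest AllowOverride line that would still permit it. The function names, the deliberately partial directive table and the sample file are assumptions made for illustration.

```python
import re

# Override class per directive, as given in the "Override" field of the Apache
# module documentation. Partial on purpose: anything else is reported as unknown.
OVERRIDE_CLASS = {d: c for c, ds in {
    "AuthConfig": "authtype authname authuserfile require",
    "FileInfo": "rewriteengine rewritecond rewriterule errordocument addtype header",
    "Indexes": "expiresactive expiresbytype expiresdefault",
    "Limit": "order allow deny",
    "Options": "options",
}.items() for d in ds.split()}

def logical_lines(text):
    """Return directive lines with continuations joined and comments dropped."""
    joined = re.sub(r"\\\r?\n", " ", text)  # backslash-newline continues a line
    return [l.strip() for l in joined.splitlines()
            if l.strip() and not l.strip().startswith("#")]

def audit(text):
    """Return (override classes needed, unknown directives, lines to review)."""
    needed, unknown, notes = set(), [], []
    for line in logical_lines(text):
        if line.startswith("<"):  # container tags such as <IfModule> or <Files>
            continue
        name, args = (line.split(None, 1) + [""])[:2]
        cls = OVERRIDE_CLASS.get(name.lower())
        if cls is None:
            unknown.append(name)
            continue
        needed.add(cls)
        # Options that switch on CGI execution or SSI warrant a manual look.
        if cls == "Options" and re.search(r"(?<!-)\b(ExecCGI|Includes)\b", args, re.I):
            notes.append(line)
    return needed, unknown, notes

def allow_override_line(needed):
    """Build the narrowest AllowOverride directive for the classes found."""
    return "AllowOverride " + (" ".join(sorted(needed)) or "None")

SAMPLE = """# constructed sample .htaccess
Require valid-user
<IfModule mod_rewrite.c>
  RewriteRule ^old$ /new [R=301,L]
</IfModule>
Options +Includes
php_flag display_errors on
"""
if __name__ == "__main__":
    print(allow_override_line(audit(SAMPLE)[0]), audit(SAMPLE)[1:])
```

Directives listed as unknown need to be looked up by hand before AllowOverride is tightened, since a directive outside the permitted classes causes a server error for that directory.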
