Essential .htaccess Commands

Apache web servers offer a flexible way to control server settings through the .htaccess file. This tiny file is read and interpreted by Apache before it serves the actual web pages or files. Here is a list of a few simple and useful .htaccess commands.

Changing the default index file

DirectoryIndex index.html

This code changes the default index file. An index file is the first page that is loaded when visiting mywebsite.com or even mywebsite.com/foo/. In this case, visiting mywebsite.com will load mywebsite.com/index.html.

DirectoryIndex index.html index.php index.htm

You can also give a list of options, as shown in the snippet above. This command will search for index.html, index.php and index.htm in that exact order. If index.php and index.html sit in the same folder, the one that will be loaded is index.html.

Custom error pages

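# The leading slash makes this a path under the document root; without it Apache treats the argument as message text
ErrorDocument 404 /errors/404.html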

You may want to display a custom error message in case of a server error. The snippet above will redirect the error code on the left to the page on the right. I suggest using a static page for the error documents to avoid causing an infinite loop or an error causing an error.
For ease of use, I have listed the other client errors below.

  • 400 Bad Request
  • 401 Unauthorized
  • 402 Payment Required
  • 403 Forbidden
  • 404 Not Found
  • 405 Method Not Allowed
  • 406 Not Acceptable
  • 407 Proxy Authentication Required
  • 408 Request Timeout
  • 409 Conflict
  • 410 Gone
  • 411 Length Required
  • 412 Precondition Failed
  • 413 Request Entity Too Large
  • 414 Request-URI Too Long
  • 415 Unsupported Media Type
  • 416 Requested Range Not Satisfiable
  • 417 Expectation Failed
  • 418 I’m a teapot
  • 422 Unprocessable Entity (WebDAV) (RFC 4918)
  • 423 Locked (WebDAV) (RFC 4918)
  • 424 Failed Dependency (WebDAV) (RFC 4918)
  • 425 Unordered Collection (RFC 3648)
  • 426 Upgrade Required (RFC 2817)
  • 444 No Response
  • 449 Retry With
  • 450 Blocked by Windows Parental Controls
  • 499 Client Closed Request

Error code 418 (I’m a teapot) is a test error and is extremely rare, since it is not part of the official distribution.

Restrict Access

deny from all

The snippet above is the most famous way used by programmers to restrict access to folders. It plainly tells the server to block everyone from reading the files in the same directory as the .htaccess file and everything in its subfolders.

order deny,allow
deny from all
allow from 192.168.0.0/24
# this would do the same thing..
#allow from 192.168.0

You can also give selective access to files. Pay attention to the order clause: it tells the server to apply the deny rules first and then apply the allow rules. Writing the order in reverse translates into “allow access to 192.168.0.* and then block everyone, including the allowed IP range.” 192.168.0.0/24 is CIDR notation and is equal to the range 192.168.0.0 – 192.168.0.255.

order allow,deny
deny from 192.168.0.1
allow from all

This code snippet simply blocks 192.168.0.1 and allows access to everyone else. Notice the order of allow, then deny.
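
The same three rules in Apache 2.4's Require syntax, as an added example that is not from the original post. Order, Allow and Deny date from Apache 2.2 and work on 2.4 only through the compatibility module mod_access_compat. The directory paths are hypothetical.

```apache
# Apache 2.4 (mod_authz_core) equivalents of the three snippets above.
# The directory paths are hypothetical. The directives inside each
# <Directory> block can be placed unchanged in that folder's .htaccess,
# provided the server allows it with "AllowOverride AuthConfig".
# Do not mix Order/Allow/Deny and Require in the same scope.

# 1. Replaces: deny from all
<Directory "/var/www/example/private">
    Require all denied
</Directory>

# 2. Replaces: order deny,allow / deny from all / allow from 192.168.0.0/24
#    Only listed sources are granted; everyone else is refused.
<Directory "/var/www/example/intranet">
    Require ip 192.168.0.0/24
</Directory>

# 3. Replaces: order allow,deny / deny from 192.168.0.1 / allow from all
#    A negated Require is only valid inside a container with a positive rule.
<Directory "/var/www/example/public">
    <RequireAll>
        Require all granted
        Require not ip 192.168.0.1
    </RequireAll>
</Directory>
```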

Redirection “Permanently Moved”

Redirect 301 /old/foo.html http://yourdomain.com/new/foo.html

This is the safest way to redirect: it tells search engines, and even your browser, that the new address for /old/foo.html is /new/foo.html. The requirement for this kind of redirect is that you give the full path of the old file, excluding the domain, on the left and the full URL of the new location on the right. You can also redirect to a new domain, and search engines will remember this.

HTTP to HTTPS

RewriteEngine On
RewriteCond %{HTTPS} !on
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

This code forces all HTTP connections to load the HTTPS version of the site (for example, foobar.com will load as https://foobar.com). As an alternative, you can check for the port number.

Non WWW to WWW

RewriteEngine On
RewriteCond %{HTTP_HOST} ^foobar\.net$
RewriteRule (.*) http://www.foobar.net/$1 [R=301,L]

You can also force everyone to use the www version of your website. This is important for web hosts that map www.foobar.com and foobar.com to different folders. A good web host should make the www subdomain a webmask or alias of the main domain. This will also save you from domain restriction problems in your Flash files when someone visits http://foobar.com instead of the expected http://www.foobar.com. The extra www in front of the domain name triggers cross-domain scripting on Flash files.
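
One combined rule for the two redirects above (HTTP to HTTPS, non-www to www), added here as an example and not part of the original post. It uses the port check mentioned earlier and writes the target hostname literally instead of echoing the client-supplied Host header. It assumes www.foobar.net is the canonical name and that plain HTTP is served on port 80.

```apache
RewriteEngine On

# Case 1: the request arrived over plain HTTP (port check instead of %{HTTPS}).
RewriteCond %{SERVER_PORT} =80 [OR]
# Case 2: the request used the bare domain, over HTTP or HTTPS.
RewriteCond %{HTTP_HOST} ^foobar\.net$ [NC]

# One permanent redirect straight to the canonical HTTPS URL, so a visitor to
# http://foobar.net/page is not bounced twice (first to www, then to https).
# The hostname is fixed here, so a forged Host header cannot steer the redirect.
RewriteRule ^ https://www.foobar.net%{REQUEST_URI} [R=301,L]
```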

Prevent Directory Listing

Options -Indexes

The snippet above prevents directory listing.

IndexIgnore *.zip *.txt

You can also do a selective listing, as in the snippet above, which excludes all zip files and text files from being shown. The wildcard character * is supported in filenames.

IndexIgnore *

Using * as a parameter effectively prevents the listing of all files, and the snippet above will act as if no files are present in the folder. The first example (Options -Indexes) displays a Forbidden error instead.

Modify Upload Specifications

php_value upload_max_filesize 20M
php_value post_max_size 20M
php_value max_execution_time 200
php_value max_input_time 200

The above code changes the default values used by PHP file uploads. This may cause a server error 500 if you are not allowed to change them, which is the case 75% of the time.

The list is still pretty long, and I have only listed the safe ones that you can use.

Posted by vhortex @ 23 January 2011