What is the difference between 301 and 302 redirects?

A 301 is a permanent redirect — search engines transfer ranking signals to the new URL and update their index. A 302 is temporary — search engines keep the original URL in their index. Use 301 for permanent moves, 302 only for genuinely temporary situations like maintenance or A/B tests.

Why does the generator wrap rewrite rules in ?

Wrapping rewrite directives in means the file won't break Apache if mod_rewrite isn't loaded. Apache will simply skip the block. Most production hosts have mod_rewrite enabled, but the wrapper makes the file safer to ship across environments.

100% browser-based · verified Apache 2.4 output

.htaccess Generator — 301 Redirects, Rewrites & Apache Rules

Q: Where do I put the .htaccess file?

Place the file in the document root of your site (commonly public_html, www, or htdocs). Rules apply to that directory and below. You can place additional .htaccess files in subdirectories to override or add rules for that subtree. The filename must be exactly .htaccess (leading dot, no extension), saved as plain text without a BOM.

Q: Why use Require ip instead of Order/Allow/Deny?

The Order/Allow/Deny syntax is the legacy Apache 2.2 access control. Apache 2.4 replaced it with the Require directive (mod_authz_core) — the modern, recommended approach. This generator emits Apache 2.4 syntax. If you're stuck on 2.2, use the equivalent Allow/Deny rules instead.

Q: What flags can I use on a RewriteRule?

Common flags: R=301/302/307/308 (set redirect status), L (last — stop processing if matched), NC (no case — case-insensitive), QSA (query string append — pass original query through), F (forbidden, returns 403), G (gone, returns 410), NE (no escape), and PT (pass through). Combine with commas, e.g. [R=301,L,QSA].

Q: How do I redirect both with and without trailing slashes?

Pick one canonical form and redirect the other to it. To force a trailing slash on directory-style URLs (and skip real files): RewriteCond %{REQUEST_FILENAME} !-f / RewriteCond %{REQUEST_FILENAME} !-d / RewriteRule ^(.*[^/])$ /$1/ [R=301,L]. To strip trailing slashes: RewriteCond %{REQUEST_FILENAME} !-d / RewriteRule ^(.+)/$ /$1 [R=301,L].

Q: Will my redirects affect SEO?

Yes — and almost always for the better when done correctly. Use 301 for permanent moves, redirect each old URL to its closest equivalent (don't dump everything to the homepage), keep redirect chains short (ideally one hop), and test with tools like httpstatus.io after deploying.

Q: What's the difference between Redirect and RewriteRule?

Redirect (mod_alias) is simpler — it matches an exact path prefix and supports basic status codes. RewriteRule (mod_rewrite) is more powerful — it understands regex, conditional logic via RewriteCond, and flags like NC, QSA, F, G. Use Redirect for simple one-off moves; use RewriteRule for patterns or anything conditional.

Pick the sections you need, fill in the blanks, and get a copy-paste ready .htaccess file. Redirects, HTTPS & www canonicalization, security headers, IP blocking, hotlink protection, caching, compression — all rendered as clean, verified Apache directives.

Always back up your existing .htaccess before replacing it. Test the new rules on a staging site first — a single bad directive can take a site down with a 500 error.

Redirects Per-page redirects with regex, prefix, or exact match

Bulk redirects Paste a long list of old → new pairs

Status code

Format

One per line. Separate with whitespace, ->, =>, or comma. Lines starting with # are ignored.

Pairs

Domain redirect Move an entire domain to another

Old domain

Domain only — no protocol, no path.

New domain

Where users should land instead.

Target protocol

Status code

Match subdomains too Catches foo.olddomain.com as well as www.olddomain.com

HTTPS, www & trailing slash Pick the canonical URL form for your site

HTTPS

Issues a 301 from any http:// request to its https:// equivalent.

www handling

Pick one canonical host so search engines don't see two sites.

Trailing slash

Real files and existing directories are skipped automatically.

Security headers Modern HTTP response headers

HSTS Force HTTPS via Strict-Transport-Security X-Content-Type-Options Block MIME-sniffing (nosniff) X-Frame-Options Prevent clickjacking by disallowing iframes Referrer-Policy Control what's sent in the Referer header Permissions-Policy Disable browser APIs you don't use Content-Security-Policy Restrict where scripts/styles can load from

HSTS max-age (seconds)

31 536 000 = 1 year (recommended).

X-Frame-Options value

HSTS includeSubDomains

Only enable subdomains if every subdomain serves HTTPS.

HSTS preload

Only enable if you've registered with hstspreload.org and accept the irreversibility.

Referrer-Policy value

Permissions-Policy value

Comma-separated feature directives.

Content-Security-Policy value

Tip: start in report-only mode using a separate Content-Security-Policy-Report-Only header, then promote when stable.

Access control & blocking IPs, user agents, referrers, hotlinking

Block IPs (one per line, CIDR allowed)

Allow only these IPs (deny all others)

If you fill this in, every IP not on the list is denied. Be sure to include your own.

Block user agents

Substring match, case-insensitive. One token per line.

Block referrers

Hotlink protection Stop other sites from embedding your images, fonts, and other static assets

Your domain

Requests with a Referer matching this host (and its subdomains) are allowed.

Protected extensions

Pipe-separated regex group.

When hotlinked

Replacement / redirect URL

Caching & compression Browser caching with mod_expires, GZIP with mod_deflate

Browser caching ExpiresByType rules for HTML, CSS, JS, images, fonts GZIP compression Compress text, JS, CSS, JSON, SVG, fonts

HTML expiration

CSS & JS expiration

Image expiration

Font expiration

Error pages & custom directives ErrorDocument and free-form passthrough

Custom error pages

Format: STATUS PATH per line.

Custom directives

Lines are appended at the very end of the file.

.htaccess

Lines

Bytes

0 B

Sections

Status

Ready

Example

From a few clicks to production-ready Apache

Toggle on the sections you need, fill in the inputs, and the right-hand panel writes itself.

Inputs

# Redirect /old-page → /new-page (301)
# Redirect /products.php → /products (301, query preserved)
# Force HTTPS, strip www.
# HSTS 1 year, X-Content-Type-Options nosniff
# GZIP on, browser caching on

Generated .htaccess


  RewriteEngine On

  # Force HTTPS
  RewriteCond %{HTTPS} off
  RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

  # Redirect www to non-www
  RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
  RewriteRule ^(.*)$ https://%1/$1 [R=301,L]


Redirect 301 /old-page /new-page


  RewriteRule ^products\.php$ /products [R=301,L,QSA]



  Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
  Header always set X-Content-Type-Options "nosniff"



  AddOutputFilterByType DEFLATE text/html text/css application/javascript

Use cases

Built for migrations, launches & hardening

The same workflow whether you're moving 10 URLs or rolling out HSTS for the first time.

Site migrations

Generate the dozens of 301 redirects you need when restructuring URLs, switching CMSes, or moving from example.com/blog to blog.example.com.

HTTPS & canonical hosts

Force HTTPS, pick the canonical www/non-www form, and stop search engines from seeing two copies of every page.

Security hardening

Ship modern security headers — HSTS, Content-Type-Options, Frame-Options, Referrer-Policy, Permissions-Policy, and a starter CSP — in one go.

Bot & abuse mitigation

Block specific IPs and CIDR ranges, deny scraping bots by user agent, kill referrer spam, and stop other sites from hotlinking your images.

Performance polish

Long-lived cache headers for assets, GZIP for text, and a friendly default that scores well in PageSpeed Insights without hand-rolling Apache directives.

Drop-in operations

Custom ErrorDocument pages, Options -Indexes, and any extra directives you want appended verbatim.

Step by step

How to use the .htaccess generator

From an empty form to a deployed file in under five minutes.

Pick the sections you need

Each card has a master switch. Toggle on the parts that apply — redirects, canonicalization, security headers, etc. — and leave the rest alone.

Fill in the fields

For redirects, specify a source path and destination URL per row. Choose exact, prefix, or regex match. For domain moves, fill in old and new hostnames.

Generate

Click Generate .htaccess. The right-hand editor fills with a complete, formatted file. Stats show line count, byte size, and how many sections are enabled.

Test on staging

Copy the file to a staging server first. Hit a couple of the redirected URLs in a private window with a tool like curl -I to verify status codes. Watch the Apache error log for syntax issues.

Deploy to production

Back up the existing .htaccess, replace it, and verify. If anything breaks, restore the backup. The generated file uses <IfModule> guards so missing modules won't crash Apache.

FAQ

Frequently asked questions

Everything worth knowing before you ship a new .htaccess.

What's the difference between 301 and 302 redirects?

301 = permanent. Search engines transfer ranking signals to the new URL and update their index. Browsers cache aggressively. Use this for actual moves.

302 = temporary. Search engines keep the old URL in their index. Browsers don't cache the redirect. Use this only when the original URL will return.

307 & 308 are the modern equivalents that explicitly preserve the HTTP method. Use them for API endpoints and form-POST flows where dropping POST data would be a bug.

Where does the .htaccess file go?

In the document root of your site (commonly public_html, www, or htdocs). Rules apply to that directory and everything below it.

You can drop additional .htaccess files in subdirectories — those override or add to the parent rules for their subtree only.

The filename must be exactly .htaccess (leading dot, no extension) and saved as plain text without a UTF-8 BOM.

Why are rewrite rules wrapped in <IfModule mod_rewrite.c>?

If mod_rewrite isn't loaded on the server, an unwrapped RewriteEngine directive causes a 500 error. The <IfModule> guard makes Apache skip the block silently in that case. Same idea for mod_headers.c, mod_expires.c, and mod_deflate.c.

Most production hosts have these enabled, but the wrapper makes the file safe to ship across environments.

Why use Require ip instead of Order/Allow/Deny?

Order/Allow/Deny is the legacy Apache 2.2 syntax (mod_access_compat). Apache 2.4 replaced it with the Require directive (mod_authz_core) — the modern, recommended approach.

This generator emits the 2.4 syntax. If you must support 2.2, the equivalent is:

Require ip 1.2.3.4 ↔ Allow from 1.2.3.4
Require not ip 1.2.3.4 ↔ Deny from 1.2.3.4

What flags can I use on a RewriteRule?

R=301/302/307/308 — return the given redirect status
L — last rule, stop processing if matched
NC — no case (case-insensitive match)
QSA — query string append (pass the original query through)
F — forbidden, returns 403
G — gone, returns 410
NE — no escape (don't URL-encode the substitution)
PT — pass through (let other Apache modules see the rewritten URL)

Combine with commas: [R=301,L,QSA].

How do I redirect both with and without trailing slashes?

Pick a canonical form and redirect the other to it. The generator does this for you under HTTPS, www & trailing slash → Trailing slash.

To add the slash (skipping real files and directories):

RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*[^/])$ /$1/ [R=301,L]

To remove it (skipping real directories):

RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.+)/$ /$1 [R=301,L]

Will my redirects affect SEO?

Almost always for the better — when done correctly. Best practices:

Use 301 for permanent moves so PageRank flows through.
Map each old URL to its closest new equivalent — don't dump everything to the homepage.
Keep redirect chains short. Ideally one hop, never more than three.
Test with curl -I or a tool like httpstatus.io after deployment.
Leave redirects in place for at least a year so external links continue to work.

What's the difference between Redirect and RewriteRule?

Redirect (mod_alias) is the simple form. It matches an exact path prefix and supports basic status codes:

Redirect 301 /old-page /new-page

RewriteRule (mod_rewrite) is the powerful form. It understands regex, supports conditional logic via RewriteCond, and accepts flags like NC, QSA, F, G:

RewriteRule ^old/(.*)$ /new/$1 [R=301,L,QSA]

This generator uses Redirect for simple exact-match redirects and switches to RewriteRule automatically when you choose prefix or regex matching, or enable case-insensitive / query-preserving flags.

About

About `.htaccess`

An .htaccess file lets you tweak Apache's behavior on a per-directory basis without restarting the server. It's a plain text file containing a sequence of directives the same shape Apache reads from its main config (httpd.conf / apache2.conf).

What it can do

Rewrite & redirect URLs (mod_rewrite, mod_alias)
Set HTTP response headers (mod_headers) — security headers, caching, custom headers
Cache control via Expires headers (mod_expires)
Compression with GZIP and Brotli (mod_deflate, mod_brotli)
Access control by IP, user agent, or referrer (mod_authz_core, mod_rewrite)
Custom error pages (ErrorDocument)
MIME types, directory indexes, password protection, and more

What it can't do

Run on Nginx, Caddy, IIS, or anything that isn't Apache. (Translate the rules manually.)
Bypass server-level security restrictions — your host can disable specific directives via AllowOverride.
Magically make a slow site fast. Caching and compression help, but they're not a substitute for trimming page weight.

Performance considerations

Apache reads .htaccess on every request that touches the directory. For high-traffic sites the recommended pattern is to put the same rules into the main server config (where they're read once at startup) and disable .htaccess with AllowOverride None. For typical shared hosting, .htaccess is the right tool for the job.

Common pitfalls

Redirect loops — make sure your conditions don't match the destination URL.
Hidden 500s — a single typo brings the directory down. Always test on staging first.
Order matters — rules execute top to bottom. Put canonical-host redirects (HTTPS, www) before per-page redirects.
BOMs and CRLF endings — save as plain ASCII/UTF-8 with Unix line endings to avoid mysterious failures.

.htaccess Generator — 301 Redirects, Rewrites & Apache Rules

From a few clicks to production-ready Apache

Built for migrations, launches & hardening

Site migrations

HTTPS & canonical hosts

Security hardening

Bot & abuse mitigation

Performance polish

Drop-in operations

How to use the .htaccess generator

Pick the sections you need

Fill in the fields

Generate

Test on staging

Deploy to production

Frequently asked questions

About .htaccess

What it can do

What it can't do

Performance considerations

Common pitfalls

About `.htaccess`