What is .htaccess?

Important Note: Do not edit the .htaccess file if you are using MS Frontpage! Frontpage uses the .htaccess file, and editing it may cause errors in your configuration.

The .htaccess file can be placed in one or more of your /home/$user/$domain-public_html subdirectories. Among other things, this file can be used to restrict access to other files and web pages.

When a request for a web page is made, the web server first checks for an .htaccess file. The server begins this check by looking for .htaccess in the root of the current web directory, and on down the directory tree until it reaches the directory where the requested file resides. Since the placement of the .htaccess file determines when it is executed, this fact can be used to restrict access only in certain subdirectories.


To create an .htaccess file, make a text file as described below, name it .htaccess and upload it.

Except for the first feature, described below, the following features will only work for a .htaccess file placed in /home/$user/$domain-public_html. Add all features you want to the same file.

Restricting Access: Password Protection
The directory you want protected must have a .htaccess file in it that looks like the following (do not put the comments in the actual .htaccess file [comments begin with #]):

AuthUserFile /home/$user/.passwd
AuthGroupFile /home/$user/.group
AuthName "Protected Space"
AuthType Basic

require group $users #users, is the group of users that you give access to
#require user $user #if there is only one user in the group, you can substitute this line; remove the #.

(Other possible groups are administrators, etc)

Groups and users are stored in the .group file, and passwords are stored in .passwd. The .htaccess file looks for these files in the /home/$user directory. Do not attempt to edit these manually!

Redirecting allows you to send the user to, for example, new.html when they attempt to access old.html. To see this example in practice, simply add the following line to the .htaccess file:

Redirect /$directory/old.html http://$domain.com/$directory/new.html

Error Documents
There are two main styles of error messages you may encounter. The first is the standard form, which looks something like:

File Not found

The requested URL http://$domain.com/file.html was not found on this server.

The second type comes in a variety of forms, and is customized by the webmaster. For example:


We're sorry, but the requested URL does not exist. Please e-mail support@$domain.com if you need further assistance.

Such messages are called error documents, and are web pages designed to give a polite explanation for error conditions. These error conditions generate numbers which are used to refer to the appropriate error condition. Some of the most common messages are as follows:

How to Customize Error Messages for Your Site:
First, create the HTML page you want to use as your error message.
Second, upload it to your web directory [/home/$user/$domain-public_html].
Third, go into your .htaccess file (or create one) and add lines which specify the substitution.

Here are three examples of specifying error documents which will be called for a given error condition (note you can use relative or absolute addressing):

Mime Types
You can add mime types to your .htaccess file with a line like:

AddType text/html .txt

Username and Password Restrictions
Usernames and passwords should be 5-8 letters long.

You will be grateful you chose a short password when you have to type it 20 times without seeing it.

Conversely, a one-letter password is pretty easy to crack.

Passwords are case-sensitive. User names may or may not be depending upon the application.

Do not use punctuation, for example Cr13:1-5. This is a bad idea for user names and passwords, but even more fatal for passwords.

Punctuation is particularly bad when you are initializing software and do not know whether some of its component tools do or do not accept punctuation. For example, UNIX accepts some punctuation but mySQL does not. The troubleshooting can be painful.

So, to save headaches later, use only alpha-numeric characters in user names and passwords.

.htaccess and FrontPage
If you're running FrontPage, you cannot custom-edit the .htaccess file. You'll either create a security hole or break FrontPage. There are no other options. This includes ANY .htaccess file in your domain, including one in the cgi-bin.

[Having said this, please note that a .htaccess file may be used in any directory within the web space that is not owned by the user; for example, a directory owned by root]

Additional Resources for .htaccess: