Apache .htaccess Inspector
Analyze .htaccess files for security issues, validate rewrite rules, and detect common misconfigurations
What is the Apache .htaccess Inspector?
The Apache .htaccess Inspector is a client-side tool that analyzes your Apache configuration files for security vulnerabilities, rewrite rule issues, missing protections, and deprecated directives. It calculates a security score and provides actionable recommendations to harden your server configuration before deployment.
How to Use
- Paste your .htaccess file content into the input area
- Click "Analyze" or wait for automatic processing
- Review findings with severity ratings (Critical, High, Medium, Low)
- Check recommendations for fixing detected issues
- Export a full report in JSON or Markdown format
Example: Common Security Issues
This configuration has several issues the inspector will detect:
Options +Indexes
RewriteRule ^(.*)$ /index.php
php_flag display_errors On
Order deny,allow
Deny from all
What Issues Are Detected?
- Directory listing enabled — Options +Indexes exposes file structure to attackers
- Sensitive file exposure — Missing protection for .env, .git, wp-config.php
- Missing security headers — X-Frame-Options, X-Content-Type-Options, Referrer-Policy
- Invalid rewrite regex — Broken patterns that cause 500 errors
- Missing RewriteEngine On — Rewrite rules silently ignored without it
- Missing rewrite flags — Rules without [L], [R], or other necessary flags
- Deprecated directives — Order/Allow/Deny replaced by Require in Apache 2.4+
- PHP information disclosure — display_errors exposing internal details
- Protocol downgrade — Redirecting from HTTPS to HTTP URLs
- Overly broad patterns — Catch-all regex matching all requests
Apache .htaccess Best Practices
- Always disable directory listing with Options -Indexes
- Protect sensitive files (.env, .htpasswd) with FilesMatch blocks, and block the .git directory with RedirectMatch 404 (FilesMatch only tests the file name, so it does not cover .git/config)
- Set security headers using mod_headers in an IfModule block
- Use Require directives instead of deprecated Order/Allow/Deny
- Put the [L] flag on every RewriteRule that should end rule processing; in .htaccess context the rewritten URL is re-submitted and the rules run again, so use [END] (Apache 2.4) where rewriting must stop completely
- Enable RewriteEngine On before any RewriteRule directives
- Force HTTPS with RewriteCond and a 301 redirect
- Test the server configuration with apachectl configtest before deploying changes, but remember that .htaccess files are parsed per request rather than at configtest time: a syntax error in one only shows up as a 500 response and an entry in the error log, so also send a test request against a staging host
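As an added example, and not the inspector's own code, the following JavaScript implements a subset of the checks listed under "What Issues Are Detected?" and scores a configuration the way this page describes. Rule ids, severity weights and both sample configurations are assumptions made for this example: the weak sample copies the flawed configuration shown above, and the hardened sample applies the best practices from this list.

```javascript
// Added example for this page: a small linter implementing a subset of the
// checks listed above. Illustrative code, not the inspector's source; rule
// ids, severities and score weights are assumptions made for the example.
const SEVERITY_WEIGHT = { Critical: 25, High: 15, Medium: 5, Low: 2 };
const REQUIRED_HEADERS = ['X-Frame-Options', 'X-Content-Type-Options',
  'Referrer-Policy', 'Strict-Transport-Security'];
const DEPRECATED = new Set(['order', 'allow', 'deny', 'satisfy']);

// Split a file into {line, name, raw, args}. Section tags such as
// <FilesMatch "..."> are kept (name "<filesmatch") so their args can be inspected.
function parseDirectives(text) {
  const out = [];
  text.split(/\r?\n/).forEach((rawLine, i) => {
    const line = rawLine.trim();
    if (!line || line.startsWith('#')) return;
    const m = line.match(/^(\S+)\s*(.*)$/);
    out.push({ line: i + 1, name: m[1].toLowerCase(), raw: m[1], args: m[2] });
  });
  return out;
}

// "[R=301,L,NC]" -> ["R=301", "L", "NC"]
function rewriteFlags(args) {
  const m = args.match(/\[([^\]]*)\]\s*$/);
  return m ? m[1].split(',').map((f) => f.trim().toUpperCase()) : [];
}

function analyze(text) {
  const dirs = parseDirectives(text);
  const findings = [];
  const add = (line, severity, id, message) => findings.push({ line, severity, id, message });
  let engineOn = false, hasRule = false, protectsSensitive = false;
  const headersSeen = new Set();
  dirs.forEach((d, i) => {
    const tokens = d.args.split(/\s+/);
    const prev = i > 0 ? dirs[i - 1].name : '';
    if (d.name === 'options' && tokens.some((t) => t === 'Indexes' || t === '+Indexes')) {
      add(d.line, 'High', 'directory-listing', 'Options +Indexes enables directory listing');
    }
    if (d.name === 'rewriteengine' && /^on$/i.test(d.args)) engineOn = true;
    if (d.name === 'rewriterule') {
      hasRule = true;
      const [pattern, target] = tokens;
      const flags = rewriteFlags(d.args);
      try { new RegExp(pattern); } // JS regex syntax is close enough to PCRE for a sanity check
      catch (e) { add(d.line, 'Critical', 'invalid-regex', `pattern does not compile: ${e.message}`); }
      if (!flags.some((f) => ['L', 'END', 'F', 'G'].includes(f))) {
        add(d.line, 'Low', 'missing-l-flag', 'no [L]: later rules also run on the rewritten URL');
      }
      // A bare catch-all is only a problem without a RewriteCond guard in front of it.
      if (/^\^?\(?\.\*\)?\$?$/.test(pattern) && prev !== 'rewritecond') {
        add(d.line, 'Medium', 'catch-all', 'catch-all pattern with no RewriteCond guard matches every request');
      }
      if (target && /^http:\/\//i.test(target)) add(d.line, 'High', 'http-downgrade', 'rewrite target is plain http://');
    }
    if ((d.name === 'redirect' || d.name === 'redirectmatch') && /^http:\/\//i.test(tokens[tokens.length - 1])) {
      add(d.line, 'High', 'http-downgrade', 'redirect target is plain http://');
    }
    if (DEPRECATED.has(d.name)) add(d.line, 'Low', 'deprecated-access', `${d.raw} is mod_access_compat syntax; use Require`);
    if ((d.name === 'php_flag' || d.name === 'php_value') && /^display_errors\s+(on|1)$/i.test(d.args)) {
      add(d.line, 'High', 'php-display-errors', 'display_errors On leaks stack traces and paths');
    }
    if (d.name === 'header') REQUIRED_HEADERS.forEach((h) => { if (d.args.toLowerCase().includes(h.toLowerCase())) headersSeen.add(h); });
    if (['<filesmatch', '<files', 'redirectmatch', 'rewriterule'].includes(d.name) && /\.\(?(env|git)/.test(d.args)) protectsSensitive = true;
  });
  if (hasRule && !engineOn) add(0, 'Medium', 'rewriteengine-off', 'RewriteRule present but RewriteEngine On is missing: rules are ignored');
  REQUIRED_HEADERS.forEach((h) => { if (!headersSeen.has(h)) add(0, 'Medium', 'missing-header', `no Header directive sets ${h}`); });
  if (!protectsSensitive) add(0, 'Medium', 'sensitive-files', 'nothing denies access to .env or .git');
  const penalty = findings.reduce((sum, f) => sum + SEVERITY_WEIGHT[f.severity], 0);
  return { score: Math.max(0, 100 - penalty), findings };
}

// Constructed samples: the page's flawed example, and a hardened version of it.
const WEAK = String.raw`
Options +Indexes
RewriteRule ^(.*)$ /index.php
php_flag display_errors On
Order deny,allow
Deny from all
`;
const HARDENED = String.raw`
Options -Indexes
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ /index.php [L]
php_flag display_errors Off
<FilesMatch "^\.(env|git|htpasswd)">
  Require all denied
</FilesMatch>
RedirectMatch 404 /\.git
<IfModule mod_headers.c>
  Header always set X-Frame-Options "DENY"
  Header always set X-Content-Type-Options "nosniff"
  Header always set Referrer-Policy "strict-origin-when-cross-origin"
  Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</IfModule>
`;
for (const [label, cfg] of [['weak', WEAK], ['hardened', HARDENED]]) {
  const r = analyze(cfg);
  console.log(`${label}: score ${r.score}`, r.findings.map((f) => `[${f.severity}] ${f.id} (line ${f.line})`));
}
```

Run it with node. The weak sample triggers every check in the list except the downgrade one and scores 29; the hardened sample produces no findings and scores 100. The catch-all check stays quiet when the preceding directive is a RewriteCond, because a guarded catch-all is the normal front-controller pattern rather than a mistake.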
Privacy and Security
All analysis happens entirely in your browser using JavaScript. Your .htaccess configuration — which may contain internal paths, IP restrictions, and authentication settings — is never transmitted to any server. No data is stored, logged, or shared.
Frequently Asked Questions
What does the Apache .htaccess Inspector check?
The .htaccess Inspector analyzes your Apache configuration for security issues including exposed directory listings, missing security headers, sensitive file exposure (.env, .git), invalid RewriteRule regex patterns, missing rewrite flags, deprecated directives (Order/Allow/Deny), PHP information disclosure (display_errors), and redirect issues like HTTP downgrades. It calculates a security score and provides actionable fix recommendations.
What is the most common .htaccess security mistake?
The most common mistake is leaving directory listing enabled (Options +Indexes), which exposes your file structure to anyone who navigates to a directory without an index file. Another frequent issue is not protecting sensitive files like .env (which contains database credentials and API keys) and .git directories (which expose source code and commit history).
Why are Order/Allow/Deny flagged as deprecated?
The Order, Allow, and Deny directives were replaced by the 'Require' directive in Apache 2.4 (released in 2012). While they still work with mod_access_compat for backward compatibility, the new syntax is clearer and less error-prone. Replace 'Order deny,allow / Deny from all' with 'Require all denied', and 'Allow from 192.168.1.0/24' with 'Require ip 192.168.1.0/24'.
Why does the tool flag missing RewriteEngine On?
Apache ignores all RewriteRule and RewriteCond directives unless RewriteEngine is explicitly turned on. If you have rewrite rules but forgot 'RewriteEngine On', they will silently do nothing. This is a common issue when copying rewrite rules between servers or when the directive was accidentally removed. In .htaccess context the rules also need the server configuration to permit them: AllowOverride must include FileInfo, and the directory needs Options FollowSymLinks or SymLinksIfOwnerMatch; when those are missing the request fails with a 500 or 403 instead of being silently ignored.
What RewriteRule flags should I use?
Common Apache RewriteRule flags: [L] stops processing further rules in the current pass (similar to 'break' in Nginx), [R=301] sends a permanent redirect, [R=302] sends a temporary redirect, [NC] makes the pattern case-insensitive, [QSA] keeps the original query string when the substitution adds its own (without it the substitution's query string replaces the original; a substitution with no query string passes the original through unchanged), [F] returns 403 Forbidden, [G] returns 410 Gone, and [NE] stops mod_rewrite from escaping special characters in the substitution. Pair [R] with [L]: without [L] later rules keep running against the redirect URL and can clobber it.
How do I protect sensitive files in .htaccess?
Use FilesMatch to deny access to sensitive files: '<FilesMatch "^\.(env|git|htpasswd)"> Require all denied </FilesMatch>'. FilesMatch tests the file name only, so it does not cover files inside a .git directory (.git/config has the name config); for directories use 'RedirectMatch 404 /\.git' to return a 404. You can also use RewriteRule with the [F] flag, which does match the path: 'RewriteRule ^\.(env|git) - [F,L]'. Most default Apache configurations already deny .ht* files with a <Files ".ht*"> block; keep that in place.
What security headers should I set in .htaccess?
Essential security headers to set via .htaccess: X-Frame-Options (prevents clickjacking), X-Content-Type-Options (prevents MIME sniffing), Referrer-Policy (controls URL leakage), and Strict-Transport-Security (enforces HTTPS; browsers only honour it on HTTPS responses, so set it on the HTTPS host). Add them with 'Header always set' directives inside an '<IfModule mod_headers.c>' block; the 'always' condition makes the header go out on error responses as well as successful ones.
Is my .htaccess content sent to a server?
No. All analysis happens entirely in your browser using JavaScript. Your .htaccess configuration — which may contain internal paths, IP restrictions, and authentication details — is never transmitted to any server. No data is stored, logged, or shared.
What is the difference between Redirect and RewriteRule?
Redirect is simpler — it matches exact URL prefixes and sends an HTTP redirect response to the client. RewriteRule uses regex patterns and can perform internal URL rewrites (the client never sees the real path) or external redirects. Use Redirect for simple path changes, and RewriteRule when you need pattern matching, conditional logic (RewriteCond), or internal rewrites.
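As an added example that is not Apache's code, here is a small model of the flag behaviour described in "What RewriteRule flags should I use?" and of the Redirect versus RewriteRule difference above: a regex rule with backreferences, handling for the L, NC, QSA, R, F and G flags, and a segment-aware prefix match for Redirect. It assumes the .htaccess sits in DocumentRoot (so RewriteRule patterns see the path without its leading slash), a single rewrite pass with no RewriteCond, and a constructed request for example.com; the NE flag and per-directory re-injection are not modelled.

```javascript
// Added example for this page: a simplified model of mod_rewrite flag handling
// and of mod_alias Redirect. Not Apache's code. Assumptions: .htaccess in
// DocumentRoot, one rewrite pass, no RewriteCond, constructed request below.

// Parse "RewriteRule pattern substitution [flags]" or "Redirect [status] path url".
function parseDirective(line) {
  const t = line.trim().split(/\s+/);
  const name = t[0].toLowerCase();
  if (name === 'rewriterule') {
    const flags = {};
    (t[3] || '').replace(/^\[|\]$/g, '').split(',').filter(Boolean).forEach((f) => {
      const [k, v] = f.split('=');
      flags[k.toUpperCase()] = v === undefined ? true : v;   // [L] -> true, [R=301] -> "301"
    });
    return { kind: 'rewrite', pattern: t[1], target: t[2], flags };
  }
  if (name === 'redirect') {
    const withStatus = t.length === 4;                         // numeric status optional, default 302
    return { kind: 'redirect', status: withStatus ? Number(t[1]) : 302,
      prefix: t[withStatus ? 2 : 1], target: t[withStatus ? 3 : 2] };
  }
  throw new Error(`unsupported directive: ${line}`);
}

const isAbsolute = (u) => /^[a-z][a-z0-9+.-]*:\/\//i.test(u);
const withQuery = (u, q) => (q ? `${u}?${q}` : u);

// mod_alias Redirect: plain prefix match on the full URL-path, ending on a
// path-segment boundary; the remainder and the query string carry over.
function applyRedirect(rule, req) {
  const p = rule.prefix;
  if (req.uri !== p && !req.uri.startsWith(p.endsWith('/') ? p : `${p}/`)) return null;
  return { status: rule.status, location: withQuery(rule.target + req.uri.slice(p.length), req.query) };
}

// mod_rewrite: regex match, backreference substitution, then flag handling.
function applyRewriteRules(rules, req) {
  let url = req.uri;                 // becomes an absolute URL once a rule forces a redirect
  let query = req.query || '';
  let code = 302;
  for (const rule of rules) {
    const subject = isAbsolute(url) ? url : url.replace(/^\//, '');   // per-directory: no leading slash
    const m = subject.match(new RegExp(rule.pattern, rule.flags.NC ? 'i' : ''));
    if (!m) continue;                                                   // no match: try the next rule
    if (rule.flags.F) return { status: 403 };
    if (rule.flags.G) return { status: 410 };
    if (rule.target !== '-') {                                          // "-" keeps the URL, only flags apply
      let sub = rule.target.replace(/\$(\d)/g, (_, n) => m[Number(n)] || '');
      const q = sub.indexOf('?');
      if (q >= 0) {                        // substitution carries its own query string:
        const own = sub.slice(q + 1);      // it replaces the request's unless QSA is set
        sub = sub.slice(0, q);
        query = rule.flags.QSA && query ? `${own}&${query}` : own;
      }
      url = isAbsolute(sub) || sub.startsWith('/') ? sub : `/${sub}`;
    }
    if (rule.flags.R) {                                                 // R forces an external redirect
      code = rule.flags.R === true ? 302 : Number(rule.flags.R);
      if (!isAbsolute(url)) url = `${req.scheme}://${req.host}${url}`;
    }
    if (rule.flags.L || rule.flags.END) break;                          // end this pass
  }
  return isAbsolute(url)
    ? { status: code, location: withQuery(url, query) }
    : { status: 200, path: url, query };
}

// Constructed sample: a request for /old/page?a=b against three rules.
const REQUEST = { scheme: 'https', host: 'example.com', uri: '/old/page', query: 'a=b' };
const RULES = [
  String.raw`RewriteRule ^\.(env|git) - [F,L]`,
  'RewriteRule ^Old/(.*)$ /new/$1?src=legacy [NC,QSA,R=301,L]',
  'RewriteRule ^(.*)$ /index.php [L]',
].map(parseDirective);
console.log(applyRewriteRules(RULES, REQUEST));
// -> { status: 301, location: 'https://example.com/new/page?src=legacy&a=b' }
```

The sample shows [NC] matching Old against old, [QSA] merging the rule's own query string with the request's, and [R=301,L] ending the pass with a redirect. Dropping the [L] from the redirect rule lets the catch-all rule match the absolute redirect URL and rewrite it back to /index.php, which is the pitfall behind the advice to pair [R] with [L].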