Server & DevOps
.htaccess Security Generator
Generate a hardened Apache .htaccess: security headers (HSTS, X-Frame-Options, CSP), force-HTTPS and www rewrites, sensitive-file protection (.env, .git, wp-config.php), browser caching, gzip and bad-bot blocking — assembled with proper IfModule guards.
Loading tool…
Need reliable hosting, a domain, or a hand setting this up?
Get a free quote →About the .htaccess Security Generator
The .htaccess Security Header Generator builds a hardened Apache .htaccess boilerplate from simple checkboxes, so you get modern security headers without memorising directive syntax. Pick HSTS with your preferred max-age, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, a Permissions-Policy that blocks camera, microphone, and geolocation access, and an optional Content-Security-Policy line. Add a force-HTTPS rewrite, a www or non-www canonical redirect, directory listing protection, rules that block access to sensitive files like .env, .git, and wp-config.php, browser caching via mod_expires, gzip compression, and even a bad-bot blocker.
Every block is wrapped in the correct IfModule guard so the file degrades gracefully on any Apache 2.4 host, including typical cPanel shared hosting used widely in Cambodia. This free tool by Hosting Cambodia is aimed at web developers, WordPress site owners, and sysadmins in Phnom Penh, Siem Reap, and beyond who want an A rating on security header scanners without breaking their site. Assemble the file, copy or download it, upload it to your document root, and verify the headers in your browser's developer tools.
Frequently asked questions
Will this .htaccess file work on shared cPanel hosting?
Yes. It uses standard Apache 2.4 directives and wraps every section in IfModule guards, so if a module such as mod_headers or mod_expires is unavailable, that section is skipped instead of causing a 500 error. Almost all cPanel hosts enable these modules by default.
What does HSTS do and which max-age should I choose?
HSTS (Strict-Transport-Security) tells browsers to always connect over HTTPS, even if a user types http://. Start with 6 months if you are testing, then move to 1 or 2 years once you are confident every subdomain works over HTTPS, because browsers remember the setting for that entire duration.
Why should I block access to .env and wp-config.php?
Those files contain database passwords, API keys, and salts. If a misconfiguration ever causes Apache to serve them as plain text, attackers can take over your site and database. The generated FilesMatch rule denies all direct web requests to them while your application can still read them from disk.
Explore the full free web tools toolbox by Hosting Cambodia.