Kirby htaccess rules - MOVED TO KIRBY SECRETS

With Kirby comes a great htaccess file. There is often no need to change it that much, but there are some things missing.

  • GZIP compression
  • Browser caching
  • Redirect from http to https and www to non www

Do you miss more things? Add an issue or a pull request.

# protect this .htaccess file

<files .htaccess>
  order allow,deny
  deny from all
</files>

# directory browsing disabled

Options -Indexes

# keep header control

<IfModule mod_headers.c>
  Header set Connection keep-alive
  Header append Cache-Control "public"
</IfModule>

# allow .htpasswd in sub-dirs

ErrorDocument 401 default

# disable auto-indexing of my (C.V.) pdf file

<Files ~ "\.pdf$">
  Header set X-Robots-Tag "noindex, nofollow"
</Files>

That’s my .htaccess (along with Kirby’s and your code).


I am using this in addition to Kirby’s htaccess code: ETags, gzip, deflate.

FileETag MTime Size
<ifmodule mod_expires.c>
  <filesmatch "\.(jpg|gif|png|css|js)$">
       ExpiresActive on
       ExpiresDefault "access plus 1 year"
  </filesmatch>
</ifmodule>

Header unset ETag
FileETag None

# mod_gzip compression (legacy, Apache 1.3)
<IfModule mod_gzip.c>
mod_gzip_on Yes
mod_gzip_dechunk Yes
mod_gzip_item_include file \.(html?|xml|txt|css|js)$
mod_gzip_item_include handler ^cgi-script$
mod_gzip_item_include mime ^text/.*
mod_gzip_item_include mime ^application/x-javascript.*
mod_gzip_item_exclude mime ^image/.*
mod_gzip_item_exclude rspheader ^Content-Encoding:.*gzip.*
</IfModule>


# DEFLATE compression
<IfModule mod_deflate.c>
# Set compression for: html,txt,xml,js,css
AddOutputFilterByType DEFLATE text/html text/plain text/xml application/xml application/xhtml+xml text/javascript text/css application/x-javascript
# Deactivate compression for buggy browsers
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
# Set header information for proxies
Header append Vary User-Agent
</IfModule>

Kirby comes with basic rules, because everybody wants something else.
If you’re going to pimp your htaccess, please look at something decent like the h5bp boilerplate htaccess.


That was exactly what I was looking for. Thanks for submitting these, @jenstornell.


Thank you, @jenstornell and @1n3JgKl9pQ6cUMrW for sharing your ideas on .htaccess! I tried to adapt the Kirby default .htaccess with your—also inspired by h5bp—setups.

# Kirby .htaccess

# disable Apache's server signature
ServerSignature Off

# set default charset for html & text
AddDefaultCharset utf-8

# set default index document
DirectoryIndex index.php

# set default error document
ErrorDocument 404 /error

<IfModule mod_access_compat.c>
    # restrict access to .git* & .ht* files
    <Files ~ "^\.(git|ht).*">
        Deny from all
        Satisfy all
    </Files>
</IfModule>

<IfModule mod_autoindex.c>
    # block access to directories without default index document
    Options -Indexes
</IfModule>

<IfModule mod_rewrite.c>
    RewriteEngine on
    RewriteBase /

    # force https
    RewriteCond %{HTTPS} !=on
    RewriteCond %{ENV:HTTPS} !=on
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]

    # block text files in the content folder from being accessed directly
    RewriteRule ^content/(.*)\.(txt|md|mdown)$ index.php [L]

    # block all files in the site folder from being accessed directly
    RewriteRule ^site/(.*) index.php [L]

    # block direct access to kirby and the panel sources
    RewriteRule ^(kirby|panel\/app|panel\/tests)/(.*) index.php [L]

    # make panel links work
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^panel/(.*) panel/index.php [L]

    # make site links work
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^(.*) index.php [L]

    # prevent hacks
    RewriteCond %{QUERY_STRING} proc/self/environ [OR]
    RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
    RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
    RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
    RewriteRule ^(.*) index.php [F,L]
</IfModule>

<IfModule mod_filter.c>
    # compress all output of application type
    AddOutputFilterByType DEFLATE "application/javascript" "application/rss+xml" "application/x-font-ttf" \
                                  "application/x-javascript" "application/xhtml+xml" "application/xml"

    # compress all output of font type
    AddOutputFilterByType DEFLATE "font/eot" "font/opentype"

    # compress all output of image type
    AddOutputFilterByType DEFLATE "image/svg+xml" "image/x-icon"

    # compress all output of text type
    AddOutputFilterByType DEFLATE "text/css" "text/html" "text/javascript" "text/plain" "text/xml"
</IfModule>

<IfModule mod_headers.c>
    # serve more than just one file at a time
    Header set Connection keep-alive

    # prevent browsers from MIME-sniffing the response
    Header set X-Content-Type-Options "nosniff"

    # remove the "X-Powered-By" response header
    Header unset X-Powered-By

    # allow cross-origin access to web fonts
    <FilesMatch "\.(eot|otf|tt[cf]|woff2?)$">
        Header set Access-Control-Allow-Origin "*"
    </FilesMatch>
</IfModule>

<IfModule mod_mime.c>
    # set default charset for some media types
    AddCharset utf-8 .css .js .rss .xml

    # set default encoding type for svgz
    AddEncoding gzip svgz
</IfModule>

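Added example (not part of the post above and not Kirby's own code): the "prevent hacks" conditions from that .htaccess written as Python regexes and run over constructed query strings, to show which requests would receive the 403. The rule names, helper functions and sample strings are invented for illustration, and the patterns are written with `\(` and `\[` escaped.

```python
import re

# The "prevent hacks" RewriteCond patterns from the post above. mod_rewrite runs
# them as unanchored regexes against the raw, still percent-encoded query string.
# Rule names are labels invented for this example; IGNORECASE mirrors [NC].
RULES = [
    ("proc_self_environ", r"proc/self/environ", 0),
    ("mosConfig", r"mosConfig_[a-zA-Z_]{1,21}(=|\%3D)", 0),
    ("base64_encode", r"base64_encode.*\(.*\)", 0),
    ("script_tag", r"(<|%3C).*script.*(>|%3E)", re.IGNORECASE),
    ("GLOBALS", r"GLOBALS(=|\[|\%[0-9A-Z]{0,2})", 0),
    ("_REQUEST", r"_REQUEST(=|\[|\%[0-9A-Z]{0,2})", 0),
]


def blocked_by(query_string):
    """Names of the conditions that match, i.e. why the request would get a 403."""
    return [name for name, pattern, flags in RULES
            if re.search(pattern, query_string, flags)]


def audit(samples):
    """Map each sample query string to the list of matching conditions."""
    return {qs: blocked_by(qs) for qs in samples}


# Constructed query strings (not taken from real traffic).
SAMPLES = [
    "page=2&q=kirby",                        # ordinary request
    "mosConfig_absolute_path=x",             # parameter name the rule targets
    "q=%3CSCRIPT%3E",                        # encoded tag, upper case ([NC])
    "GLOBALS%5Ba%5D=1",                      # encoded "[" after GLOBALS
    "q=%3Cp%3Esee+the+description%3C/p%3E",  # benign text containing "script"
]

if __name__ == "__main__":
    for qs, hits in audit(SAMPLES).items():
        status = "403" if hits else "ok"
        print(f"{status:3}  {qs}  {hits}")
```

The last sample shows the cost of pattern blocklists: a harmless query that carries markup and the word "description" is rejected along with the requests the rule was written for.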
I’m looking at all my repos and trying to improve them.

I wonder if Kirby Htaccess Rules should be merged with Kirby Secrets or continue to be standalone. What do you think?

  • Keep them apart
  • Merge them
  • Not sure



Most of you that voted want me to merge Kirby Htaccess Rules into Kirby Secrets and I agree. Now I’ve copied 3/4 rules to Kirby Secrets.


I removed one rule that is already in the official docs:

I will shut down Kirby Htaccess Rules in about a month, to give you some time to adapt.

Thanks for your votes!


Just a quick note that @jenstornell has completed the move of Kirby Htaccess Rules over to the Kirby Secrets wiki.


Now the repo has been deleted and you can find all the information here instead: