Have a Question?


Change HTTP header settings using .htaccess file

You are here:
< All topics
Table of contents

First step, if you do not already have a .htaccess file created in the root directory of the affected domain name document. To do this, refer to the following:

How to create .htaccess file?

If the file already exists, you can edit it as described below:

What is the http header?

The HTTP header is part of an HTTP request or response. This determines the operating parameters of the HTTP transaction. For more information, see the following link:

List of HTTP header fields

The .htaccess file can be used to modify or complement the HTTP response header.

Charset header

The .htaccess file can use the following to force the header of a given content type. The charset header specifies the document’s character encoding. You can add the header without the meta tag:

<IfModule mod_headers.c>
    AddDefaultCharset UTF-8
    AddDefaultCharset ISO-8859-2

Content-language header

In the .htaccess file, you can set a language header as follows. You can add the header without the meta tag:

<IfModule mod_headers.c>
    DefaultLanguage hu-hu

Cache-Control header

Cache-Control is one of the most common headers used for websites. This determines how long the file is stored in your browser

For example, if you set 5 minutes in the Cache-Control header, the visitor’s browser downloads the page and then caches it for 5 minutes. After 5 minutes, the page must be retrieved from the server.

For example:

In the following example, we set the web page to be stored for 5 minutes by visitors browsers.

<IfModule mod_headers.c>
    Header set Cache-Control "max-age=300, public"


max-age is set in seconds.

The caching policy may be “public”, “private” or “no-store”.

Use ‘Vary’ HTTP headers for mobile pages

The following Google article describes the use of Vary headers for mobile pages:



Content-Security-Policy header helps reduce XSS risks. For more details, see the following pages:

Strict-Transport-Security (HSTS)

Specifies that browsers will only communicate over HTTP instead of HTTPS. For more details, see the following pages:

Enable the following content in the .htaccess file:

<IfModule mod_headers.c>
    Header add Strict-Transport-Security "max-age=31415926;includeSubDomains;"

You can testing the following command:

curl -I https://example.com

The output looks like this:

[server]$ curl -I https://example.com
HTTP/1.1 200 OK
Date: Tue, 05 Jun 2018 20:05:52 GMT
Server: Apache
Last-Modified: Tue, 05 Jun 2018 16:26:52 GMT
ETag: "2f9-56de78493cbc8"
Accept-Ranges: bytes
Content-Length: 761
Strict-Transport-Security: max-age=31415926;includeSubDomains;
Content-Type: text/html

The command output shows the Strict-Transport-Security header

Was this article helpful?
0 out Of 5 Stars
5 Stars 0%
4 Stars 0%
3 Stars 0%
2 Stars 0%
1 Stars 0%
How can we correct this article?
Please submit the reason for your vote so that we can improve the article.
Next How to change my document root folder using an .htaccess file?