Allow Single URL Through .htaccess Password Protection

This code is useful for multi-environment setups (staging, production, etc.). It lets you keep your .htaccess files in sync across environments while keeping password protection (an .htpasswd) on your development environment, or on anything but the live environment.

#allows a single uri through the .htaccess password protection
SetEnvIf Request_URI "/testing_uri$" test_uri

#allows everything if it's on a certain host
SetEnvIf HOST "^" testing_url
SetEnvIf HOST "^" live_url
Order Deny,Allow

AuthName "Restricted Area"
AuthType Basic
AuthUserFile /path/to/your/.htpasswd
AuthGroupFile /
Require valid-user

#Allow valid-user
Deny from all
Allow from env=test_uri
Allow from env=testing_url
Allow from env=live_url
Satisfy any
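
The same exemptions in Apache 2.4's authorization syntax, as an added example that is not part of the original snippet (`Order`, `Deny`, `Allow` and `Satisfy` are the 2.2-era directives, which 2.4 only provides through mod_access_compat). The host name `www.example.com` is a placeholder, and both patterns are anchored so that only the intended URI and host are exempt.

```apache
# Added example: Apache 2.4 authorization syntax (mod_authz_core).
# www.example.com is a placeholder for the live host name.

# Exempt exactly one path. Anchoring with ^ and $ means a URI such as
# /private/testing_uri does not set the variable.
SetEnvIf Request_URI "^/testing_uri$" test_uri

# Exempt the live host. Escape the dots and anchor both ends; a bare "^"
# matches every Host header and would switch the password off everywhere.
# A Host value carrying an explicit port does not match and is prompted.
SetEnvIf Host "^www\.example\.com$" live_url

AuthType Basic
AuthName "Restricted Area"
AuthUserFile /path/to/your/.htpasswd

# Replaces Order/Deny/Allow plus "Satisfy any": access is granted when
# any one of these succeeds, otherwise the browser is asked to log in.
<RequireAny>
    Require env test_uri
    Require env live_url
    Require valid-user
</RequireAny>
```

The Host header is supplied by the client, so on the staging server make sure no virtual host answers requests for the live host name; otherwise the `live_url` exemption applies there as well.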


  1. Fugazer

    I found your .htaccess setup to be pretty good, but I found it more useful to allow from all then deny from staging.

    Below is the reverse of what you have in this article.

    Keep up the great work!

    #-- Staging Server Password -------------------------#
    SetEnvIf Host passreq
    AuthType Basic
    AuthName "Staging Server"
    AuthUserFile /home/username/.htpasswd
    AuthGroupFile /home/username/.htgroup
    Require valid-user
    Order allow,deny
    Allow from all
    Deny from env=passreq
    Satisfy any

    • pattikay

      Thank you for the code above.

      In addition, thank you Fugazer for the script above! Worked like a charm.

  2. Braulio

    I am trying to do something similar, though I’m not sure if it’s possible. I have an images directory on my server and I would like the images to be accessed only by one of my PHP pages, preventing hotlinking and direct access. For instance:

    containing the files: 001.jpg / 002.jpg / etc

    to view file 001.jpg

    Any ideas of how should I configure my htaccess file?
    PS: I don’t know if it’s important since you are using REQUEST_URI, but I have multiple domains on my server (ex. and

  3. George

    Yep, that's exactly what I have been searching for since Sunday. Hotlinking from one server only to only one single URL.
    @BRAULIO did you find a solution?

  4. NobodyCares

    You may try if these suggestions work for you, George.

    About midway through the page is a section about hotlinking images.

    Seemed to help my site from getting hotlinked any further.

  5. Nathaniel

    I am going through the book Digging Into WordPress and I copied and pasted the index.php file to the root and made the adjustments accordingly … I then checked the settings in the admin dash …

    I forgot to include the .htaccess file though … I looked for it … and didn't find it in the core files … so I made one with s .htaccess software … but when I went to refresh the page … I kept getting a login prompt just to view the home page … or make changes in the dash … how do I include the .htaccess without having to “log in” every single time?

  6. Tom

    Many thanks for this article.

    My idea was to restrict access to all pages in my website, except for those pages of which the URL starts with “/admin”. Therefore, I modified the above example to the following:

    # We set some variables, matching URL's for which we do not wish to activate
    # the password protection
    SetEnvIf Request_URI "^/admin.*$" AdminUri
    # Setup the password protection
    AuthName "Theo - Password protected"
    AuthType Basic
    AuthUserFile ./.htpasswd
    Require valid-user
    # Add the exceptions for matched URL's
    Order Deny,Allow
    Deny from all
    Allow from env=AdminUri
    Satisfy any

    Now, pages with “/admin…” URL’s are working fine without password, and other pages require authentication first. However, after having entered the password, I get an internal server error (500).

    Could anyone please help me out here? :)

    Many thanks! Keep up the good work…

  7. megasteve4

    This article was also really helpful for me – lots of examples similar to the above

  8. Jeff

    I went with Fugazer’s example but thanks for the article and help.

  9. Marc

    Really useful article thanks!
    I’m IP filtering a site currently but I need to allow my RSS feeds to go through, or rather not to be IP filtered.
    Is there a way I can create a rule in htaccess to filter all except feeds?


  10. Jeremy Quinton

    Just something worth mentioning. If you use the example above but are then also rewriting everything to an index.php, which is the case with some PHP frameworks, the above does not work. I'm not sure exactly why but I thought it worth mentioning.

    • Francis Villanueva

      It does work with PHP frameworks that use .htaccess for URL rewrites. You just have to make sure this logic is above where you’re doing your rewriting for index.php.

      For example, the following password protects a certain URL (/admin), but allows it to work without a password if it matches my local host name:

      SetEnvIf Request_URI ^/admin$ PROTECTED_HOST
      SetEnvIf HOST ^local\.mywebsite\.com\.?(:80)?$ ALLOWED_HOST
      # Auth stuff
      AuthName "My website Admin"
      AuthType Basic
      AuthUserFile /path/to/.htpasswd
      AuthGroupFile /dev/null
      Require valid-user
      #Allow valid-user
      Order Deny,Allow
      Deny from all
      Satisfy any
      Allow from env=!PROTECTED_HOST
      Allow from env=ALLOWED_HOST
      <IfModule mod_rewrite.c>
          <IfModule mod_negotiation.c>
              Options -MultiViews
          </IfModule>
          RewriteEngine On
          # Redirect Trailing Slashes...
          RewriteCond %{REQUEST_FILENAME} !-d
          RewriteCond %{REQUEST_FILENAME} !-f
          RewriteRule ^(.*)/$ /$1 [L,R=301]
          # Handle Front Controller...
          RewriteCond %{REQUEST_FILENAME} !-d
          RewriteCond %{REQUEST_FILENAME} !-f
          RewriteRule ^ index.php [L]
      </IfModule>
