By Greg Nowak. Last updated 2026-07-06.
URLs such as /index.html and /index.php usually point to the same content as the directory root. That sounds harmless until the same page is crawled, linked, reported, and shared under several different addresses. For a business owner, operations lead, or agency team, the result is not just an SEO detail. It makes campaign reporting less tidy, complicates migration checks, and creates avoidable questions during a redesign or CMS handover.
The practical fix is to choose one public version of each URL and redirect every duplicate version to it. For most sites that means HTTPS, one preferred host, and no visible default document in the address bar. The useful part is not the rewrite trick itself; it is the discipline of making every non-canonical request land on the final URL in one hop.
Decide the canonical URL before writing rules
Start with the final public address you want users, search engines, analytics, and internal teams to see. Pick either the apex host, such as example.com, or the www host. Pick HTTPS unless there is a very specific legacy reason not to. Then remove explicit default documents such as /index.html and /index.php from public-facing links.
Do not run separate rule sets that each fix one small thing if they create a chain such as HTTP to HTTPS, then www to non-www, then /index.php to /. A good rule sends the messy version straight to the chosen final version.
| Situation | Best place to handle it | Why it matters |
|---|---|---|
| You control the Apache virtual host | Use a port 80 virtual host redirect for HTTP to HTTPS | Cleaner, faster, and easier to audit than doing everything in .htaccess |
| You only have hosting panel or FTP access | Use document-root .htaccess rules | Practical for shared hosting and smaller legacy sites |
| The site sits behind a load balancer | Check the trusted forwarded protocol header | Apache may not know the original browser request used HTTPS |
| The site uses HTTP certificate validation | Exempt the ACME challenge path or handle it in the HTTP vhost | Certificate renewal must not be broken by a blanket redirect |
A practical .htaccess pattern
If you only have access to .htaccess, this pattern handles explicit index files first, then canonicalizes everything else to HTTPS and the non-www host. Replace example.com with your real domain. This assumes the rules live in the document-root .htaccess.
<IfModule mod_rewrite.c>
RewriteEngine On
# Send explicit index files straight to the final canonical URL
RewriteCond %{THE_REQUEST} \s/+(.*/)?index\.(html|php)([\s?]|$) [NC]
RewriteRule ^(.*/)?index\.(html|php)$ https://example.com/$1 [NC,R=301,L]
# Canonicalize everything else to HTTPS + non-www
RewriteCond %{HTTP_HOST} ^www\.example\.com$ [NC,OR]
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://example.com%{REQUEST_URI} [R=301,L]
</IfModule>If your chosen canonical host is www.example.com, swap the target host and change the host condition accordingly. Do not enable both directions. One domain should win, and every other variant should point to it.
Why this pattern is safer
The first rule uses THE_REQUEST, which represents the original request line sent by the browser. That matters because many PHP applications and CMSs internally route requests through an index file. You normally want to redirect only when the visitor actually requested /index.php or /index.html, not when the application uses one internally.
The rule target does not define a new query string, so Apache keeps the original query string by default. That means a request such as /folder/index.html?utm_source=test redirects to the clean folder URL while preserving the campaign parameter. If you ever need to discard a query string deliberately, use the appropriate query-string flag rather than relying on accidental behavior.
A permanent 301 redirect is still the normal choice for a long-term canonical move. Google treats server-side redirects as a strong canonicalization signal, but redirects are only one part of the job. Your internal links, XML sitemap, canonical tags, hreflang references, paid campaign URLs, and reporting dashboards should all use the same final URLs.
When server config is better than .htaccess
If you manage the Apache virtual host, move simple HTTP-to-HTTPS redirects into the port 80 virtual host. Apache's own guidance prefers a dedicated redirect there for that case, with mod_rewrite reserved for situations where you need conditions or you are limited to .htaccess.
<VirtualHost *:80>
ServerName example.com
ServerAlias www.example.com
Redirect permanent "/" "https://example.com/"
</VirtualHost>You may still keep a small path-level rule for removing explicit index files, especially on older sites where historical backlinks point to those URLs. The aim is maintainability: a future developer, SEO consultant, or agency partner should understand the redirect policy without reverse-engineering six overlapping snippets.
Two deployment checks that prevent surprises
First, check proxy behavior. If TLS terminates at a load balancer or reverse proxy before the request reaches Apache, %{HTTPS} may report off even for a browser request that started as HTTPS. In that setup, check a forwarded protocol header only if your proxy overwrites it on every request and direct backend access is blocked or tightly controlled.
RewriteCond %{HTTP:X-Forwarded-Proto} =http [NC]
RewriteRule ^ https://example.com%{REQUEST_URI} [R=301,L]Second, do not break certificate renewals. If your ACME client needs HTTP validation, make sure /.well-known/acme-challenge/ is exempted before a blanket HTTPS redirect, or handle that exception in the port 80 virtual host.
Test the map, then clean up the site
After release, test the variants that people and crawlers are likely to hit:
curl -IL 'http://www.example.com/'
curl -IL 'http://example.com/index.php'
curl -IL 'https://www.example.com/folder/index.html?utm_source=test'You want one permanent redirect to the final canonical URL, followed by a 200. If you see two or three hops, revisit rule order and host conditions. Then update internal links, sitemaps, canonical tags, and campaign templates so the site stops generating the old URLs itself.
This is a small piece of infrastructure work, but it is exactly the kind of cleanup that makes a migration, SEO audit, or agency handover smoother. If you want a second pair of eyes on redirect rules, canonical signals, or a broader migration checklist, Greg can help turn the rules into a clear, low-risk plan.
Related on GrN.dk
- AI Crawler Control for Business Websites: Protect Content Without Sacrificing Search Visibility
- AI disclosure rules belong in the CMS, not a spreadsheet
- Cloudflare Page Rules Debt: The Quiet Way Business Websites Break
Need help with this kind of work?
Talk to Greg about canonical redirects Get in touch with Greg.