Step-1

Create .htaccess_prepend file (or really any file name, that will later be used in composer.json file)

 1
 2
 3
 4
 5
 6
 7
 8
 9
10

# =======================================================================
# HTACCESS PREPENE START

<IfModule LiteSpeed>
    CacheDisable public /
    CacheDisable private /
</IfModule>

# HTACCESS PREPEND END
# =======================================================================

Step-2

Add the following in composer.json

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24

{ 
    "name": "XXX",
    "description": "XXX",
    "type": "project",
    "license": "GPL-2.0-or-later",
    "homepage": "https://www.example.com"
    ...
    ...
    "extra": {
        "drupal-scaffold": {
+           "locations": {
+               "web-root": "./"
+           },
+           "file-mapping": {
+               "[web-root]/.htaccess": {"prepend":"./.htaccess_prepend"}
+           }
        },
        "installer-paths": {
            "core": ["type:drupal-core"],
            "libraries/{$name}":["type:drupal-library"],
            ...
     ...
     ...
}

Step-3

Then when you run any composer related command, such as composer update, composer install, the composer will automatically append the .htaccess_prepend in to the “head” of the .htaccess:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32

public_html@$ composer update
                 Loading composer repositories with package information
                 Updating dependencies
                 Lock file operations: 0 installs, 32 updates, 0 removals
                 ...
                 Generating autoload files
                 Hardening vendor directory with .htaccess and web.config files.
                 46 packages you are using are looking for funding.
                 Use the `composer fund` command to find out more!
                 Scaffolding files for drupal/legacy-project:
                   - Prepend to [web-root]/.htaccess from ./.htaccess_prepend
                 Cleaning installed packages.
                 Found 4 security vulnerability advisories affecting 2 packages.
                 Run "composer audit" for a full list of advisories.

public_html@$ head -n 20 .htaccess
             	# =======================================================================
                # HTACCESS PREPENE START

                <IfModule LiteSpeed>
                    CacheDisable public /
                    CacheDisable private /
                </IfModule>

                # HTACCESS PREPEND END
                # =======================================================================

                # Protect files and directories from prying eyes.
                <FilesMatch "\.(engine|inc|install|make|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock)|web\.config|yarn\.lock|package\.json)$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig|\.save)$">
                  <IfModule mod_authz_core.c>
                    Require all denied
                  </IfModule>