How to force HTTPS in a Laravel project?

Sometimes people don’t link to the secure (https) version of your site. It may be an old link, or the person who placed the link simply didn’t bother to add the extra character.

There are a few ways to redirect your HTTP website to an HTTPS connection. In this article, I’ve described the method for using Middleware.

The solutions mentioned below work on Laravel 5, 6, 7, and 8.

Force HTTPS with a Middleware

To redirect an HTTP URL to HTTPS, I sometimes use a middleware to handle the redirect. This is a simple solution and doesn’t require a change to the server or nginx configuration.

You can make the middleware by running

php artisan make:middleware HttpsProtocolMiddleware

It will generate a file like below (or copy and paste this file in app/Http/Middleware/HttpsProtocolMiddleware.php).

This will check if the request is secure; it will redirect the user to the safe/HTTPS URL if it is not safe.

<?php

namespace App\Http\Middleware;

use Closure;

class HttpsProtocolMiddleware
{
    /**
     * Handle an incoming request.
     *
     * @param  \Illuminate\Http\Request  $request
     * @param  \Closure  $next
     * @return mixed
     */
    public function handle($request, Closure $next)
    {
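        // Redirect only plain-HTTP requests, and only in production.
        // Behind a TLS-terminating proxy or load balancer, secure() reports
        // true only if that proxy is configured as trusted; otherwise every
        // request looks insecure and this redirect loops.
        if (!$request->secure() && app()->environment('production')) {
            return redirect()->secure($request->getRequestUri());
        }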

        return $next($request);
    }
}

In your HTTP Kernel (app/Http/Kernel.php) you can place the created middleware in the web group, which is applied to every request to your Laravel application.

protected $middlewareGroups = [
    'web' => [
        \App\Http\Middleware\EncryptCookies::class,
        \Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
        \Illuminate\Session\Middleware\StartSession::class,
        //\Illuminate\Session\Middleware\AuthenticateSession::class,
        \Illuminate\View\Middleware\ShareErrorsFromSession::class,
        \App\Http\Middleware\VerifyCsrfToken::class,
        \Illuminate\Routing\Middleware\SubstituteBindings::class,
        \App\Http\Middleware\HttpsProtocolMiddleware::class,
    ],

    'api' => [
        'throttle:60,1',
        'bindings',
    ],
];
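A feature test for the middleware above, added here as an example and not taken from the original article. It checks that the redirect fires only for plain-HTTP requests in production and that the path and query string are preserved. It assumes the default Laravel skeleton (`Tests\TestCase`, PHPUnit); the `/_https-check` route is a hypothetical probe route defined only for the test.

```php
<?php

namespace Tests\Feature;

use App\Http\Middleware\HttpsProtocolMiddleware;
use Illuminate\Support\Facades\Route;
use Tests\TestCase;

class HttpsProtocolMiddlewareTest extends TestCase
{
    protected function setUp(): void
    {
        parent::setUp();

        // Hypothetical probe route (not part of the article). The middleware
        // is attached directly so the test does not depend on Kernel.php.
        Route::middleware(HttpsProtocolMiddleware::class)
            ->get('/_https-check', function () {
                return 'ok';
            });
    }

    public function test_plain_http_is_redirected_in_production()
    {
        $this->app['env'] = 'production';

        // Path and query string must survive the scheme upgrade.
        $this->get('http://localhost/_https-check?next=home')
            ->assertRedirect('https://localhost/_https-check?next=home');
    }

    public function test_https_request_passes_through_in_production()
    {
        $this->app['env'] = 'production';

        $this->get('https://localhost/_https-check')->assertStatus(200);
    }

    public function test_plain_http_is_not_redirected_outside_production()
    {
        // The default test environment is "testing", so the guard is off.
        $this->get('http://localhost/_https-check')->assertStatus(200);
    }
}
```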

But why don’t you just use \Illuminate\Support\Facades\URL::forceScheme('https'); ?

The answer is simple: this method doesn’t redirect the user to the secure version of your site, so the user can still access the unsecured/HTTP version. It only forces Laravel to generate secure/HTTPS links.

Please be aware that when you use middleware to redirect HTTP to HTTPS, it only works for your Laravel routes.

Any file that is not served via Laravel (for example, /js/app.js) will NOT be redirected to HTTPS, because it is a static asset that your web server (Apache or nginx) handles before the request reaches your Laravel application.

source: https://robindirksen.nl/blog/laravel-redirect-to-https-a-middleware-to-force-https
