Keeping a Laravel application secure goes beyond authentication and validation. One often-overlooked step is making sure every URL the framework generates uses HTTPS, especially in production.
Laravel provides a simple way to do this with the URL::forceHttps() method.
Forcing HTTPS globally means the URLs produced by helpers such as url(), route() and asset(), and the redirects built from them, always point at https:// addresses. That prevents mixed-content warnings (an HTTPS page loading http:// assets) and stops the application from handing users plaintext links. Note that it only changes how URLs are generated; whether an incoming request actually travelled over TLS is enforced by your web server or load balancer, not by this call.
Forcing HTTPS in Laravel
The simplest way to enforce HTTPS is to enable it only in production. The call belongs in the boot method of a service provider (typically App\Providers\AppServiceProvider), where $this->app is the application instance:
URL::forceHttps($this->app->isProduction());
You can also apply it to several environments, such as production and staging:
URL::forceHttps(
    $this->app->environment(['production', 'staging'])
);
forceHttps() takes a boolean, so passing the result of the environment check keeps local development and testing environments unaffected.
Implementing a Secure URL Configuration
A common place to configure HTTPS enforcement is inside your AppServiceProvider.
Here’s an example setup with additional security improvements:
<?php
namespace App\Providers;
use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\URL;
use Illuminate\Support\ServiceProvider;
use Symfony\Component\HttpFoundation\Response;
class AppServiceProvider extends ServiceProvider
{
    public function boot(): void
    {
        $this->configureSecureUrls();
    }
    protected function configureSecureUrls(): void
    {
        // Determine whether HTTPS should be enforced: only in production-like
        // environments, and never while the test suite is running.
        $enforceHttps = $this->app->environment(['production', 'staging'])
            && ! $this->app->runningUnitTests();
        // Force HTTPS for every generated URL (url(), route(), asset(), redirects)
        URL::forceHttps($enforceHttps);
        if (! $enforceHttps) {
            return;
        }
        // Mark the current request as HTTPS so $request->secure() agrees with the
        // forced scheme. This is a workaround for deployments where the TLS-terminating
        // proxy is not yet trusted: it makes every request look secure regardless of
        // how it arrived, so prefer a correct TrustProxies configuration and drop this
        // line once that is in place.
        $this->app['request']->server->set('HTTPS', 'on');
        // Apply security headers to every response in the "web" middleware group.
        $this->app['router']->pushMiddlewareToGroup('web', function (Request $request, Closure $next): Response {
            $response = $next($request);
            // Use headers->set() rather than withHeaders(): it exists on every response
            // type, including Symfony BinaryFileResponse and StreamedResponse (file
            // downloads), which do not provide withHeaders().
            // HSTS: browsers only honour it on a response received over HTTPS, and
            // includeSubDomains commits every subdomain to HTTPS, so confirm they all
            // serve TLS before enabling it.
            $response->headers->set('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
            // Ask the browser to rewrite http:// subresource URLs to https:// before
            // fetching. set() replaces any existing CSP header; merge the directive into
            // your policy instead if another layer already sends one.
            $response->headers->set('Content-Security-Policy', 'upgrade-insecure-requests');
            // Stop the browser from MIME-sniffing responses away from their declared type.
            $response->headers->set('X-Content-Type-Options', 'nosniff');
            return $response;
        });
    }
}
Why HTTPS Enforcement Matters
Using HTTPS everywhere provides several concrete benefits:
Protects sensitive data (credentials, session cookies, form contents) from being read or altered in transit
Prevents browser mixed-content warnings and blocked resources
Improves user trust and your overall security posture
Enables browser features that require a secure context, such as Secure cookies, service workers and many modern Web APIs
Keeps URL generation consistent across the application instead of depending on the scheme of each incoming request
Adding security headers alongside it strengthens that protection: HSTS tells the browser to use HTTPS for the whole max-age period, which defeats downgrade and SSL-stripping attacks on return visits, and the upgrade-insecure-requests directive makes the browser rewrite any leftover http:// subresource URLs to https:// before fetching them.
Best Practices
When using forceHttps(), keep these recommendations in mind:
Only enable HTTPS enforcement in environments that actually serve TLS; a forced https:// URL on a host with no certificate just produces broken links
Avoid forcing HTTPS during automated tests, where requests are not real TLS connections
Configure your web server or load balancer to terminate TLS and redirect plaintext requests; forceHttps() rewrites generated URLs, it does not redirect incoming HTTP traffic
Use certificates issued by a CA that browsers trust, and renew them before they expire
Combine HTTPS enforcement with security headers such as HSTS, and only add includeSubDomains (or preload) once every subdomain serves HTTPS
If your application runs behind a proxy or CDN, TLS usually terminates there and Laravel sees a plaintext connection from the proxy. Configure the TrustProxies middleware so the X-Forwarded-Proto and X-Forwarded-Host headers are honoured; otherwise $request->secure() returns false, generated URLs fall back to http://, and any HTTPS redirect you add loops forever. Trust only the addresses of your own proxies: trusting every source lets any client forge X-Forwarded-Proto: https and make a plaintext request look secure.
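As an added example (not code from the original article or from Laravel itself), here is a Laravel 11-style bootstrap/app.php that trusts only the load balancer's addresses and prepends a small redirect middleware to the web group, followed by that middleware. The proxy addresses, the route file paths and the RedirectInsecureRequests class name are assumptions for illustration; replace them with your own. The redirect relies on TrustProxies having already applied X-Forwarded-Proto, which is exactly the dependency the caveat above describes.

```php
<?php
// bootstrap/app.php (Laravel 11+ layout). Added example; proxy addresses are placeholders.

use Illuminate\Foundation\Application;
use Illuminate\Foundation\Configuration\Exceptions;
use Illuminate\Foundation\Configuration\Middleware;
use Illuminate\Http\Request;
use App\Http\Middleware\RedirectInsecureRequests;

return Application::configure(basePath: dirname(__DIR__))
    ->withRouting(
        web: __DIR__.'/../routes/web.php',
        commands: __DIR__.'/../routes/console.php',
        health: '/up',
    )
    ->withMiddleware(function (Middleware $middleware) {
        // Trust only the hops that terminate TLS in front of the application.
        // Passing '*' here would let any client send "X-Forwarded-Proto: https"
        // and make $request->secure() return true over a plaintext connection.
        $middleware->trustProxies(
            at: ['10.0.0.0/8', '192.0.2.10'],   // assumed load balancer ranges
            headers: Request::HEADER_X_FORWARDED_FOR
                | Request::HEADER_X_FORWARDED_HOST
                | Request::HEADER_X_FORWARDED_PORT
                | Request::HEADER_X_FORWARDED_PROTO,
        );
        // Behind an AWS ELB/ALB use Request::HEADER_X_FORWARDED_AWS_ELB instead.

        // Run the HTTPS redirect before anything else in the web group. TrustProxies
        // is global middleware, so the forwarded headers are already applied here.
        $middleware->web(prepend: [RedirectInsecureRequests::class]);
    })
    ->withExceptions(function (Exceptions $exceptions) {
        //
    })->create();
```

```php
<?php
// app/Http/Middleware/RedirectInsecureRequests.php (assumed class name; added example)

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

class RedirectInsecureRequests
{
    public function handle(Request $request, Closure $next): Response
    {
        // secure() is only accurate once TrustProxies has honoured X-Forwarded-Proto.
        // Without that, every request behind a TLS-terminating proxy looks insecure
        // and this redirect would loop until the browser gives up.
        if (! $request->secure() && app()->environment(['production', 'staging'])) {
            // redirect()->secure() builds the same path and query string on https://.
            // 301 is fine for GET/HEAD; use 308 if non-GET requests must keep their method.
            return redirect()->secure($request->getRequestUri(), 301);
        }

        return $next($request);
    }
}
```

With the proxy ranges set correctly, a request that arrived at the load balancer over HTTPS reaches the middleware with secure() === true and passes straight through; a plaintext request is redirected once to its https:// equivalent. If the load balancer already redirects HTTP to HTTPS, the middleware is redundant but harmless, and it protects you if that edge rule is ever removed.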