Keywords: Laravel | HTTPS | Middleware | Redirection | Cloudflare
Abstract: This article provides a comprehensive guide to enforcing HTTP to HTTPS redirection in Laravel 5 through middleware. Based on the highest-rated Stack Overflow answer, it covers middleware creation, registration, and configuration, with practical considerations for environment detection and proxy handling (e.g., Cloudflare). Alternative approaches like URL::forceScheme are compared, and trust proxy configurations for load balancers and reverse proxies are explained in detail, aiding developers in building secure HTTPS applications.
Introduction
With growing emphasis on web security, HTTPS has become a standard for modern web applications. In Laravel 5, the traditional filters approach has been replaced by middleware, offering a more flexible and modular solution for protocol redirection. Drawing from high-scoring Stack Overflow answers and community discussions, this article systematically explains how to implement forced HTTP to HTTPS redirection using middleware in Laravel 5.
Basic Middleware Implementation
Middleware is the ideal place to handle HTTP requests in Laravel 5. Below is a basic HttpsProtocol middleware that checks for non-secure requests and redirects to HTTPS:
<?php
namespace App\Http\Middleware;
use Closure;
use Illuminate\Support\Facades\App;
class HttpsProtocol
{
public function handle($request, Closure $next)
{
if (!$request->secure() && App::environment() === 'production') {
return redirect()->secure($request->getRequestUri());
}
return $next($request);
}
}
</code>This middleware first verifies if the current request is over HTTPS ($request->secure()). If not and the application environment is production, it uses redirect()->secure() to redirect to the HTTPS version of the same path. Environment detection prevents unnecessary redirections in development, enhancing efficiency.
Middleware Registration and Configuration
After creating the middleware, it must be registered in app/Http/Kernel.php. Registration methods vary by Laravel version:
Laravel 5.0-5.2
Add the middleware to the $middleware array:
protected $middleware = [
// Other default middleware
'App\Http\Middleware\HttpsProtocol',
];
</code>Laravel 5.3+
It is recommended to add the middleware to the web middleware group, which applies to all web routes by default:
protected $middlewareGroups = [
'web' => [
// Other default middleware
\App\Http\Middleware\HttpsProtocol::class,
],
];
</code>This grouping ensures the middleware only affects web routes, without interfering with APIs or other routes.
Handling Proxy Environments like Cloudflare
When using Cloudflare or other reverse proxies, the server receives HTTP requests, but clients access via HTTPS. This can cause redirect loops because $request->secure() may not correctly identify the protocol. The solution is to configure trusted proxies:
public function handle($request, Closure $next)
{
$request->setTrustedProxies([$request->getClientIp()], \Illuminate\Http\Request::HEADER_X_FORWARDED_ALL);
if (!$request->secure() && App::environment() === 'production') {
return redirect()->secure($request->getRequestUri());
}
return $next($request);
}
</code>The setTrustedProxies method instructs Laravel to trust the X-Forwarded-Proto header from proxies, enabling accurate protocol detection.
Alternative Approach: URL::forceScheme
Besides middleware redirection, Laravel offers the URL::forceScheme('https') method. This does not redirect requests but ensures all generated URLs (e.g., via route() or url() helpers) use HTTPS. It is typically called in the boot method of AppServiceProvider:
public function boot()
{
if (App::environment('production')) {
\Illuminate\Support\Facades\URL::forceScheme('https');
}
}
</code>Note that forceScheme only affects URL generation and does not handle actual request redirection. Thus, it is often combined with the middleware approach for comprehensive HTTPS enforcement.
Environment-Specific Configuration
While enforcing HTTPS in production, maintaining flexibility in development is crucial. Using App::environment() to detect environments avoids redirection issues locally. For example:
if (!$request->secure() && (App::environment() === 'production' || App::environment() === 'staging')) {
return redirect()->secure($request->getRequestUri());
}
</code>This configuration allows HTTPS in testing environments (e.g., staging) while keeping HTTP in development (local).
Route-Level HTTPS Enforcement
In earlier Laravel versions, specific routes could be forced to use HTTPS via route options:
Route::post('/login', ['uses' => 'AuthController@login', 'https' => true]);
</code>However, this method is deprecated in Laravel 5 as it does not affect URL generation, and middleware provides a more unified solution.
Conclusion
Implementing HTTP to HTTPS redirection via custom middleware is the best practice in Laravel 5. Combined with environment detection and proxy trust configuration, it adapts to various deployment scenarios. While URL::forceScheme supplements URL generation, middleware ensures request-level security redirection. Developers should choose the appropriate method based on specific needs or combine them for full HTTPS enforcement.