Serving a web application over HTTPS instead of HTTP encrypts data in transit, builds user trust, and helps SEO rankings.
If your Laravel 12 application is still reachable over http://, you should redirect all traffic to https://. This tutorial covers the different ways to set up HTTP to HTTPS redirection in Laravel 12. You'll learn:
- Server-level redirects (nginx, Apache)
- Laravel application enforcement (AppServiceProvider, custom middleware)
Prerequisites
Before applying these methods, make sure you have:
- An active SSL/TLS certificate on your server
- A Laravel project with access to server config (nginx/Apache)
- Knowledge of your environments: local, staging, production
Methods to Force Redirect HTTP to HTTPS in Laravel 12
1. Using .htaccess (Apache Server)
If you are using Apache, you can force HTTPS by updating the .htaccess file inside the public/ directory.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>
The complete public/.htaccess with the redirect rule in place:
<IfModule mod_rewrite.c>
    <IfModule mod_negotiation.c>
        Options -MultiViews -Indexes
    </IfModule>
    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
    # Handle Authorization Header
    RewriteCond %{HTTP:Authorization} .
    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
    # Redirect Trailing Slashes If Not A Folder...
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_URI} (.+)/$
    RewriteRule ^ %1 [L,R=301]
    # Send Requests To Front Controller...
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteRule ^ index.php [L]
</IfModule>
This will redirect all HTTP requests to HTTPS with a permanent (301) redirect.
2. Using Nginx Configuration
Performing redirects at the web server minimizes PHP overhead and covers static assets. For Nginx servers, update your site configuration file:
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;
    return 301 https://example.com$request_uri;
}
- Use 301 for permanent SEO-friendly redirects.
- Ensure only one redirect hop to avoid chains.
Restart Nginx after saving changes:
sudo systemctl restart nginx
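To confirm the two points above after the restart, this added example (not part of the original tutorial) audits the headers that `curl -sIL` prints: the first response must be a 301 to the expected https host, with exactly one redirect hop. The function name and the sample headers are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: audit the headers printed by `curl -sIL http://HOST/PATH`.
# Usage: curl -sIL http://example.com/login | check_redirect_chain example.com
# Succeeds only if the first response is a 301, the chain has exactly one
# redirect, it points at https://<host>/..., and the final response is 2xx.
check_redirect_chain() {
    awk -v host="$1" '
        { sub(/\r$/, "") }                      # curl prints CRLF line endings
        /^HTTP\// { n++; status[n] = $2; next } # a status line starts a response
        tolower($1) == "location:" { loc[n] = $2 }
        END {
            if (n == 0) { print "FAIL no-response"; exit 1 }
            hops = 0
            for (i = 1; i <= n; i++) if (status[i] ~ /^30[12378]$/) hops++
            if (status[1] != "301") { print "FAIL first-status=" status[1]; exit 1 }
            if (hops != 1) { print "FAIL hops=" hops; exit 1 }
            if (index(loc[1], "https://" host "/") != 1) {
                print "FAIL location=" loc[1]; exit 1
            }
            if (status[n] !~ /^2/) { print "FAIL final-status=" status[n]; exit 1 }
            print "OK 301 -> " loc[1]
        }'
}

# Constructed sample headers (not captured from a real server).
SAMPLE_ONE_HOP='HTTP/1.1 301 Moved Permanently\r\nLocation: https://example.com/login\r\n\r\nHTTP/2 200\r\ncontent-type: text/html\r\n\r\n'
SAMPLE_CHAIN='HTTP/1.1 301 Moved Permanently\r\nLocation: https://www.example.com/login\r\n\r\nHTTP/2 301\r\nlocation: https://example.com/login\r\n\r\nHTTP/2 200\r\n\r\n'
SAMPLE_302='HTTP/1.1 302 Found\r\nLocation: https://example.com/login\r\n\r\nHTTP/2 200\r\n\r\n'

printf '%b' "$SAMPLE_ONE_HOP" | check_redirect_chain example.com          # single 301 hop
printf '%b' "$SAMPLE_CHAIN"   | check_redirect_chain example.com || true  # redirect chain
printf '%b' "$SAMPLE_302"     | check_redirect_chain example.com || true  # temporary redirect
```

The same check works for the Apache and middleware methods; run it against a path with a query string to confirm the full request URI survives the redirect.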
3. Using Middleware in Laravel
Laravel lets you create a middleware that redirects all HTTP requests to HTTPS. This is a simple way to redirect HTTP to HTTPS without changing the Apache or Nginx configuration.
Step 1: Create Middleware
Run the command below to create a middleware. This will generate the file at app/Http/Middleware/ForceHttpsMiddleware.php
php artisan make:middleware ForceHttpsMiddleware
Step 2: Update Middleware (app/Http/Middleware/ForceHttpsMiddleware.php)
Open ForceHttpsMiddleware.php and add the following code. It checks whether the request is using HTTPS with the $request->secure() method (which returns true or false) and verifies the app environment with app()->environment(['staging', 'production']). If the request is not secure and the environment is either staging or production, the user is redirected instead of seeing the requested page.
<?php
namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

class ForceHttpsMiddleware
{
    /**
     * Handle an incoming request.
     *
     * @param \Closure(\Illuminate\Http\Request): (\Symfony\Component\HttpFoundation\Response) $next
     */
    public function handle(Request $request, Closure $next): Response
    {
        // secure() reflects the connection PHP sees. Behind a TLS-terminating
        // proxy or load balancer it stays false unless that proxy is trusted,
        // which would turn this redirect into a loop.
        if (!$request->secure() && app()->environment(['staging', 'production'])) {
            // redirect()->secure() sends a 302 unless a status code is passed
            // as its second argument.
            return redirect()->secure($request->getRequestUri());
        }
        return $next($request);
    }
}
Step 3: Register Middleware (bootstrap/app.php)
From Laravel 11 onward, middleware is registered in bootstrap/app.php instead of app/Http/Kernel.php. Open app.php and add the line $middleware->append(\App\Http\Middleware\ForceHttpsMiddleware::class); inside the withMiddleware() method:
<?php
use Illuminate\Foundation\Application;
use Illuminate\Foundation\Configuration\Exceptions;
use Illuminate\Foundation\Configuration\Middleware;
use Illuminate\Http\Middleware\TrustProxies;

return Application::configure(basePath: dirname(__DIR__))
    ->withRouting(
        web: __DIR__.'/../routes/web.php',
        commands: __DIR__.'/../routes/console.php',
        health: '/up',
    )
    ->withMiddleware(function (Middleware $middleware) {
        // Run the HTTPS redirect on every request.
        $middleware->append(\App\Http\Middleware\ForceHttpsMiddleware::class);
    })
    ->withExceptions(function (Exceptions $exceptions) {
        //
    })->create();
This middleware applies to all routes of your application, so every HTTP request is now redirected to HTTPS. Why not use \Illuminate\Support\Facades\URL::forceScheme('https') instead? Because that method only makes Laravel generate secure https links; it does not redirect the user to the secure version of your site.
4. Using AppServiceProvider
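Another quick way is to force the HTTPS scheme globally. Update app/Providers/AppServiceProvider.php:
<?php
namespace App\Providers;

use Illuminate\Support\Facades\URL;
use Illuminate\Support\ServiceProvider;

class AppServiceProvider extends ServiceProvider
{
    public function boot(): void
    {
        // Option A: production only
        URL::forceHttps($this->app->isProduction());
        // Option B: staging or production (keep only the option you need)
        URL::forceHttps($this->app->environment(['staging', 'production']));
    }
}
This method ensures that all URLs generated by Laravel use https. Like URL::forceScheme(), it affects generated links only and does not redirect a request that arrives over HTTP. Do not forget to import Illuminate\Support\Facades\URL; otherwise you will get an error.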
The choice between methods depends on your deployment environment, performance requirements, and level of control needed.
5. Best Practices
Always test the application in a staging environment before applying changes to production.
- Redirect only after SSL is properly installed.
- Check for mixed content issues (http assets inside https page).
- Use 301 permanent redirect for SEO benefits.
Conclusion
In this article, we learned how to force redirect HTTP to HTTPS in Laravel 12 using:
- .htaccess (Apache)
- Nginx configuration
- Laravel Middleware
- AppServiceProvider
By enforcing HTTPS, you’ll keep your application secure, improve trust, and boost SEO rankings.