Sometimes people don't link to the secure (https) version of your site, this can be an old link or the user who placed the link is just lazy to add the extra character.

There are a few ways to redirect you HTTP website to a HTTPS connection. In this article I've described the method for using a Middleware.

In this post I explain how you can force HTTPS with the following methodes:

  • Laravel Middleware
  • nginx (preferred)
  • .htaccess
  • Cloudflare

Force HTTPS with a Middleware

"Middleware provide a convenient mechanism for filtering HTTP requests entering your application." (source

To force redirect a http url to https I use in some cases a middleware to handle the redirect. This is just a simple solution and don't require a change to the server or nginx configuration.

You can make the middleware by running "php artisan make:middleware HttpsProtocolMiddleware" and it will generate a file like below (or just copy and paste this file in app/Http/Middleware/HttpsProtocolMiddleware.php). This will check if the request is secure, if it is not secure, it will redirect the user to the secure/https URL.

namespace App\Http\Middleware;

use Closure;
use Illuminate\Support\Facades\App;

class HttpsProtocolMiddleware
     * Handle an incoming request.
     * @param  \Illuminate\Http\Request  $request
     * @param  \Closure  $next
     * @return mixed
    public function handle($request, Closure $next)
        if (!$request->secure() && App::environment() == 'production') {
            return redirect()->secure($request->getRequestUri());

        return $next($request);

In your HTTP Kernel (app/Http/Kernel.php) you can place the created middleware in the web group, which is applied to every request to your Laravel application.

protected $middlewareGroups = [
    'web' => [

    'api' => [

But why don't you just use \Illuminate\Support\Facades\URL::forceScheme('https'); ? It's a simple answer, this method don't redirect the user to the secure version of your site, so the user still access the unsecure/http version, it just force Laravel to generate secure/https links.

Please be aware, when you use a middleware for redirecting your HTTP to HTTPS, it will only work for your Laravel-routes. So any files that are not served via Laravel (for example, /js/app.js) will NOT be redirected to HTTPS because this is a static asset that is handled by your webserver (apache or nginx) before it hits your Laravel application.

Force HTTPS with nginx

To force your HTTP website to be redirected to HTTPS, you can force it by changing your nginx configuration.

In the following example, I've used (and the alias) as the domain to redirect to HTTPS using nginx.

server {
    listen 80;
    listen [::]:80;
    return 301$request_uri;

What this does is listening on port 80 (HTTP traffic) and redirect all traffic to & to the new HTTPS-URL,*.

Based on the $request_uri parameter, nginx will redirect the user to its original URL but then the HTTPS version.

Force HTTPS with .htaccess

Via a .htaccess file it's possible to redirect all your HTTP requests to HTTPS. It's just a few lines of code, that will check if the request is not HTTPS, if so, it will be redirected to the HTTPS version of your application.

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Force HTTPS with Cloudflare

When you have Cloudflare in front of your site, then you can enable the "redirect all traffic to HTTPS" feature within Cloudflare's dashboard.

To force all traffic to HTTPS, enable the "Always use HTTPS" feature within the Edge Certificates tab of the Cloudflare SSL/TLS app or via the Page Rules app.

More information can be found on Cloudflare support website where they wrote an article for SSL related questions.

Robin Dirksen

Robin Dirksen

On my blog, you can find articles that I've found useful or wanted to share with anyone else.

If you want to know more about this article or just want to talk to me, don't hesitate to reach out.