How do I enable HTTPS for Laravel?
Enabling HTTPS in Laravel Applications
At HostingDuty, we ensure all Laravel applications we host are secured with HTTPS by default. Enabling HTTPS requires two distinct layers: server-level SSL configuration and application-level enforcement.
Server-Level SSL Configuration
Before Laravel can serve HTTPS traffic, your web server must have a valid SSL certificate installed. For Nginx servers, this involves configuring the ssl_certificate and ssl_certificate_key directives in your server block. Apache users should configure the SSLCertificateFile and SSLCertificateKeyFile directives within their virtual host configuration.
Once the certificate is installed, your server must listen on port 443 for HTTPS traffic. The web server configuration must route all HTTPS requests to your Laravel application's public directory, just as it does for HTTP traffic on port 80.
Application-Level HTTPS Enforcement
Laravel provides built-in mechanisms to enforce HTTPS at the application level. The most common approach is to update your APP_URL environment variable in the .env file to use the https:// protocol:
```
APP_URL=https://yourdomain.com
```
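After updating this value, you must ensure the ForceHttps middleware is active. ForceHttps sits in your application's own App\Http\Middleware namespace, so the class has to exist in your project; Laravel does not ship it. This middleware can be added to your app/Http/Kernel.php file (present in Laravel 10 and earlier) in the $middlewareGroups array under the web group: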
```php
'web' => [
    // ...
    \App\Http\Middleware\ForceHttps::class,
],
```
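Alternatively, you can use Laravel's built-in App\Http\Middleware\TrustProxies middleware in conjunction with the FORCE_HTTPS environment variable set to true. TrustProxies makes Laravel honor the X-Forwarded-Proto header sent by a load balancer or reverse proxy that terminates TLS in front of your application. FORCE_HTTPS is not a variable the framework reads on its own, so your application code has to check it and act on it.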
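One way to write the ForceHttps class registered in the web group above, as an added example (not HostingDuty's or Laravel's own code). The skipped environment names and the Strict-Transport-Security header with a one-year max-age are assumptions that go slightly beyond what this page describes.

```php
<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

// Hypothetical implementation of the ForceHttps class named in the Kernel entry.
class ForceHttps
{
    // Assumed environment names where plain HTTP stays allowed (local work, test runs).
    private const SKIP_ENVIRONMENTS = ['local', 'testing'];

    // Assumed HSTS lifetime: one year, in seconds.
    private const HSTS_MAX_AGE = 31536000;

    public function handle(Request $request, Closure $next): Response
    {
        if (app()->environment(self::SKIP_ENVIRONMENTS)) {
            return $next($request);
        }

        // secure() is true when the connection itself is TLS, or when a trusted
        // proxy sent X-Forwarded-Proto: https. Behind a TLS-terminating proxy
        // that TrustProxies does not trust, it stays false and the redirect loops.
        if (! $request->secure()) {
            // Same host, path and query string, with the scheme forced to https.
            return redirect()->secure($request->getRequestUri(), 301);
        }

        $response = $next($request);

        // Tell browsers to skip the plain-HTTP round trip on later visits.
        $response->headers->set(
            'Strict-Transport-Security',
            'max-age=' . self::HSTS_MAX_AGE
        );

        return $response;
    }
}
```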
SSL Certificate Management
HostingDuty provides automated SSL certificate management through Let's Encrypt integration for all our hosting plans. This eliminates manual certificate renewal concerns. For self-managed SSL certificates, you must handle renewal processes manually or through automation tools like Certbot.
Common Pitfalls
A frequent issue occurs when Laravel's URL generation functions create HTTP links despite HTTPS being enabled. This happens when the APP_URL variable doesn't match the actual protocol being used. Always verify that your APP_URL matches your deployment environment's protocol.
Another common problem involves mixed content warnings in browsers. These occur when your application loads HTTP resources (images, scripts, stylesheets) on HTTPS pages. Ensure all asset URLs use protocol-relative URLs or HTTPS explicitly.
For detailed configuration examples, see our Nginx SSL configuration guide and Apache SSL setup tutorial. Additional information on SSL certificate management is available in our SSL certificate FAQ. For understanding HTTPS fundamentals, refer to our HTTPS glossary entry.