17

I'm starting to develop a new big app, and I'm using Laravel this time, and it's the first time.

I need to force HTTPS for all pages, it's not important if from code or by .htaccess, but I'm not able to find a simple tutorial.

The official docs don't speak about this problem.

For info, my actual .htaccess is:

```apache
<IfModule mod_rewrite.c>
    <IfModule mod_negotiation.c>
        Options -MultiViews
    </IfModule>

    RewriteEngine On

    # Redirect Trailing Slashes If Not A Folder...
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^(.*)/$ /$1 [L,R=301]

    # Handle Front Controller...
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteRule ^ index.php [L]

    # Handle Authorization Header
    RewriteCond %{HTTP:Authorization} .
    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
</IfModule>
```

My question is specific to Laravel 5, because I've no idea where and how to modify this .htaccess file. And also I'm asking you if this is the right way for Laravel or if Laravel has something specific to set up to handle HTTPS.

So please do not close my question and try to be more adherent to the Laravel specific topic.

If you can post a simple way to modify this file AND/OR What to modify in Laravel config to properly handle https.

But in short yes, I want to force every call to transit on HTTPS.

realtebo
  • 1
    You mean redirect all HTTP method to HTTPS? – Quynh Nguyen May 16 '17 at 15:53
  • 1
    Possible duplicate of [Force SSL/https using .htaccess and mod\_rewrite](http://stackoverflow.com/questions/4398951/force-ssl-https-using-htaccess-and-mod-rewrite) – Sandeesh May 16 '17 at 16:32
  • 1
    Whoever down voted this? Sandeesh this is specific to the laravel htaccess, you need to have your rules written in a manner that they do not conflict with the "Laravel front controller". – zeros-and-ones Jan 05 '18 at 18:06
  • 1
    "My question is specific to Laravel 5" - Although, if you are looking for an `.htaccess` solution then this isn't specific to Laravel. If it's specific to anything, it's specific to the _server_ and how the SSL cert is managed (eg. SSL proxy etc.). Also, your canonical hostname (www vs non-www) and whether you want to implement HSTS can also determine how this is implemented. If using `.htaccess` then the same principles apply to all apps that make use of `.htaccess`... WordPress, Joomla, Drupal, etc. etc. _Generally_, an HTTP to HTTPS redirect needs to go at the top of your `.htaccess` file. – MrWhite Sep 10 '20 at 16:47

14 Answers

35

You need to add this to your .htaccess file:

```apache
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://YOURWEBSITEDOMAIN/$1 [R,L]
```

See this: http://www.inmotionhosting.com/support/website/ssl/how-to-force-https-using-the-htaccess-file

Mortada Jafar
  • Where? And Laravel doesn't it need some specific config? – realtebo May 16 '17 at 21:54
  • 1
    With "Where?" I mean: at which point of my .htaccess? And also, which is better: your code or the one from Pandhi Bhaumik's answer? – realtebo May 17 '17 at 10:33
  • 1
    @realtebo before last tag it's mean : (`</IfModule>`) and I used this code for my site – Mortada Jafar May 17 '17 at 15:26
  • Great answer! sorted me like a charm – Magige Daniel Apr 16 '18 at 08:43
  • 1
    "before last tag it's mean : (`</IfModule>`)" - This is incorrect. If you put this rule at the end, "before the last tag", it will only get processed for requests to static resources. Your URLs that get routed through Laravel won't be redirected. This rule needs to go near the _top_ of the file (logically, after the `RewriteEngine On` directive). – MrWhite Sep 10 '20 at 12:39
26

Try adding this code in your .htaccess file.

```apache
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
```
Bhaumik Pandhi
  • Where? And does Laravel need some specific config? – realtebo May 16 '17 at 21:55
  • 1
    You need to add it in the .htaccess file; no, Laravel doesn't need specific config. – Bhaumik Pandhi May 16 '17 at 22:20
  • 1
    Also: which is better, your code or the code from Mortada Jafar's answer? – realtebo May 17 '17 at 10:34
  • 1
    @realtebo _This_ is arguably the better solution, although you probably won't notice any difference, except that the other code uses a 302 (temporary) redirect, as opposed to a 301 (permanent) redirect. An HTTP to HTTPS redirect should be a 301. This code uses a more efficient regex and does not rely on a capturing backreference to the `RewriteRule` _pattern_, so will work without alteration in more situations (other directories, server config, etc.). It also redirects to the same hostname - a requirement if implementing HSTS - but _could_ result in an unnecessary additional redirect if not. – MrWhite Sep 10 '20 at 17:00
  • 1
    the best one i tried! thanks @BhaumikPandhi – Bekti Galan Apr 12 '23 at 07:43
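
The two points raised in the comments on the answers above (the redirect has to come before the front-controller rule, and it should be a 301 rather than a bare `R`) can be checked mechanically before deploying. This is an added example, not code from any of the posts: `audit_htaccess`, the finding names and the two sample files are constructed for illustration, and it assumes the stock Laravel `RewriteRule ^ index.php [L]` front controller.

```python
import re

# Simplified RewriteRule grammar: pattern, substitution, optional [flags].
# Quoted arguments containing spaces are not handled (assumption of this sketch).
RULE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?\s*$", re.I)

def audit_htaccess(text):
    """Return sorted (line_no, finding) tuples for the HTTP->HTTPS redirect."""
    findings, rules = [], []
    for no, line in enumerate(text.splitlines(), 1):
        if not re.match(r"\s*RewriteRule\b", line, re.I):
            continue  # skips comments, RewriteCond, blank lines
        m = RULE.match(line)
        if not m:
            findings.append((no, "malformed-rule"))
            continue
        flags = {f.strip().upper() for f in (m.group(3) or "").split(",") if f.strip()}
        rules.append((no, m.group(2), flags))
    redirects = [r for r in rules if r[1].lower().startswith("https://")]
    # Stock Laravel front controller: internal rewrite to index.php.
    front = [r[0] for r in rules if r[1] == "index.php"]
    if not redirects:
        findings.append((0, "no-https-redirect"))
    for no, _target, flags in redirects:
        if front and no > min(front):
            findings.append((no, "redirect-after-front-controller"))
        if not flags & {"R=301", "R=308", "R=PERMANENT"}:
            findings.append((no, "not-permanent-redirect"))
    return sorted(findings)

# Constructed samples built from the stock rules quoted in the question.
LATE = """RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^ index.php [L]
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://example.com/$1 [R,L]
"""
EARLY = """RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^ index.php [L]
"""

if __name__ == "__main__":
    for name, sample in (("late", LATE), ("early", EARLY)):
        print(name, audit_htaccess(sample))
```

A `RewriteRule` line with a stray extra argument before the flags is reported as `malformed-rule` instead of being silently skipped.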
5

When you want to render all URLs with https, the simplest method is to use the code below in the boot() function of app/Providers/AppServiceProvider.php:

```php
\URL::forceScheme('https');
```
MrWhite
Amitesh Bharti
3

You could try searching here first. There are tons of questions for the same issue with answers.

https://stackoverflow.com/a/4399158/5892849

```apache
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
```
Sandeesh
3

Change your domain in .htaccess by:

```apache
RewriteCond %{HTTP_HOST} mydomain.com [NC]

RewriteRule ^(.*)$ https://mydomain/$1 [R,L]
```

```apache
<IfModule mod_rewrite.c>
  <IfModule mod_negotiation.c>
      Options -MultiViews
  </IfModule>

  RewriteEngine On

  # Added to Force HTTPS
  RewriteCond %{HTTP_HOST} mydomain\.com [NC]
  RewriteCond %{SERVER_PORT} 80
  RewriteRule ^(.*)$ https://mydomain/$1 [R,L]

  # Redirect Trailing Slashes If Not A Folder...
  RewriteCond %{REQUEST_FILENAME} !-d
  RewriteRule ^(.*)/$ /$1 [L,R=301]

  # Handle Front Controller...
  RewriteCond %{REQUEST_FILENAME} !-d
  RewriteCond %{REQUEST_FILENAME} !-f
  RewriteRule ^ index.php [L]

  # Handle Authorization Header
  RewriteCond %{HTTP:Authorization} .
  RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
</IfModule>
```
Greco Jonathan
fcva
3

Add this to the boot method in AppServiceProvider:

```php
if($this->app->environment('production'))
{
   $this->app['request']->server->set('HTTPS','on');
}
```
1

This worked for me

```apache
<IfModule mod_rewrite.c>
    RewriteEngine on
    RewriteRule ^(.*)$ public/$1 [L]
    RewriteCond %{HTTPS} !=on
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} !^public [L,R=301]
</IfModule>
```
HynekS
kelvin
  • The last `RewriteRule` directive is malformed and cannot possibly work as intended (it will trigger a 500 error due to incorrect flags). The directives are also in the wrong order. – MrWhite Sep 09 '20 at 18:31
1

This worked for me:

```apache
# Check if HTTPS is enabled
#RewriteCond %{HTTPS} ^on$ [NC]
#RewriteCond %{QUERY_STRING} !https-is-on [NC]
#RewriteRule (.*) /?https-is-on [R,L]

# Redirect all HTTP to HTTPS requests
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]

# Handle Authorization Header
RewriteCond %{HTTP:Authorization} .
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

# Redirect Trailing Slashes If Not A Folder...
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} (.+)/$
RewriteRule ^ %1 [L,R=301]

# Handle Front Controller...
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^ index.php [L]

# Remove index.php from the url
RewriteCond %{THE_REQUEST} ^GET.*index\.php [NC]
RewriteRule (.*?)index\.php/*(.*) /$1$2 [R=301,NE,L]
```
0

Try changing the "APP_URL" in the .env file from

```
APP_URL = http://example.com
```

to

```
APP_URL = https://example.com
```
Zoe
Jeybin George
0

This is my config; with other configs from this topic I had a cyclic redirect.

(also redirects www to without www)

```apache
RewriteEngine On

RewriteBase /
#redirect from www to non-www(https)
RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
RewriteRule ^(.*)$ https://%1/$1 [R=301,L]
RewriteCond %{HTTPS} off
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

# Redirect Trailing Slashes If Not A Folder...
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)/$ /$1 [L,R=301]

# Handle Front Controller...
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^ index.php [L]

# Handle Authorization Header
RewriteCond %{HTTP:Authorization} .
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
```
Meror
0

Paste this code in the .htaccess file:

```apache
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
    RewriteRule ^(.*)$ public/$1 [L]
</IfModule>
```
Suraj Rao
0

This .htaccess will remove /public/ from your URL and force https://

Put this .htaccess in your root folder without renaming the server.php file to index.php; this .htaccess will do everything.

```apache
<IfModule mod_rewrite.c>
    <IfModule mod_negotiation.c>
        Options -MultiViews -Indexes
    </IfModule>

    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteCond %{REQUEST_URI} !^public
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
    RewriteRule ^(.*)$ public/$1 [L]

    # Handle Authorization Header
    RewriteCond %{HTTP:Authorization} .
    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

    # Redirect Trailing Slashes If Not A Folder...
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_URI} (.+)/$
    RewriteRule ^ %1 [L,R=301]

    # Send Requests To Front Controller...
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteRule ^ index.php [L]

</IfModule>
```
Pushkraj Jori
0

In my experience, I solved this issue by adding this code to .htaccess.

```apache
RewriteEngine on
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
RewriteCond %{REQUEST_URI} !^public
RewriteRule ^(.*)$ public/$1 [L]
```

Hopefully, it would be helpful for you. Good luck.

ExpertWeblancer
0

I faced the same issue, "forcing HTTPS for my app" when I deployed to Heroku. Apparently, when I tried to force HTTPS connection using htaccess file it did not work. I forced the connection using

`APP_URL = https://example.com/` and `ASSET_URL = https://example.com/`

This also solved my issue with the CSS and js files "blocked mixed-content"