🔒 Stop the Mix-Up! How to Force HTTPS in Laravel and Fix Your AJAX Woes
#laravel#security#devops#bugfix
Akshay Joshi

Akshay Joshi @doozieakshay

About: Goa-born IT grad in Bangalore, quirky tech co-founder of DoozieSoft (2013). Embraces hakuna matata, believes money follows effort. Devoted dad of two, balancing code and family life. Memento vivere.

Location:
Bangalore, India
Joined:
Jun 14, 2020

🔒 Stop the Mix-Up! How to Force HTTPS in Laravel and Fix Your AJAX Woes

Publish Date: May 21
0 0

If your Laravel app runs on HTTPS, but AJAX calls or asset URLs still sneak out as http://, you're not alone. This invisible bug can silently break your front-end, trigger mixed content warnings, or even kill your SEO.

Let’s fix that once and for all — the Laravel way. 🛠️

🧨 The Problem

You've deployed your Laravel app to production with a valid SSL certificate. Your APP_URL is set to:

APP_URL=https://mydomain.com
Enter fullscreen mode Exit fullscreen mode

But Laravel still generates http:// links. Why?

Because Laravel doesn’t just trust the APP_URL. It decides whether to generate https:// based on request()->isSecure() — which often returns false behind Cloudflare, Nginx, or load balancers unless properly configured.

Result: your url('/some-path') outputs http://mydomain.com/some-path — triggering mixed content issues.

✅ The Fix: Force HTTPS in Laravel

🔧 Step 1: Update AppServiceProvider

Open app/Providers/AppServiceProvider.php and modify the boot() method:

use Illuminate\Support\Facades\URL;

public function boot()
{
    if (app()->environment('production')) {
        URL::forceScheme('https');
    }
}
Enter fullscreen mode Exit fullscreen mode

This forces all generated URLs in production to use HTTPS — regardless of what Laravel thinks the request is.

🛡️ Step 2: Trust Proxy Headers

If your app runs behind Cloudflare or a reverse proxy (most do), Laravel needs to trust forwarded headers.

Update app/Http/Middleware/TrustProxies.php:

protected $proxies = '*'; // or specify IPs for more control

protected $headers = \Illuminate\Http\Request::HEADER_X_FORWARDED_ALL;
Enter fullscreen mode Exit fullscreen mode

This ensures Laravel correctly detects HTTPS requests from proxies/load balancers.

♻️ Step 3: Clear Cache (Always) 

php artisan config:clear
php artisan cache:clear
Enter fullscreen mode Exit fullscreen mode

Otherwise, you may still get stale http:// responses.

💡 Bonus Tip: Don't Trust APP_URL Alone

The .env setting APP_URL is used by:

  • php artisan route:cache
  • Email and notification generation
  • Asset helpers in some cases

But it does not affect URL generation in runtime requests — only the actual request scheme matters.

👀 Final Result

  • All calls to url(), route(), and even asset helpers will return https:// URLs.
  • No more mixed content.
  • AJAX behaves like it should.
  • Your SEO and frontend sanity are saved.

💬 TL;DR

Laravel doesn’t know your site is HTTPS unless you force it and trust the proxy. Add this to your AppServiceProvider, and you're golden.

if (app()->environment('production')) {
    URL::forceScheme('https');
}
Enter fullscreen mode Exit fullscreen mode

💬 Have you been bitten by the http in disguise? Share your fix or setup below!

Comments 0 total

    Add comment