How to get protocol(http/https) of the incoming request from the laravel HTTP request class?

Stefan Bogdanescu

Founder & Senior Architect · 2026-06-29

Laravel Company
# How to Get the Protocol of an Incoming Request from the Laravel HTTP Request Class When building modern APIs, especially those interacting with external services, ensuring secure communication via HTTPS is not just a preference—it is a fundamental security requirement. If you are handling requests from third-party URLs, validating the protocol before processing the data is crucial to prevent man-in-the-middle attacks and ensure data integrity. As a senior developer working within the Laravel ecosystem, understanding how to interrogate the incoming request object is key to implementing robust security middleware. This post will guide you through the most efficient and idiomatic ways to determine the protocol (HTTP or HTTPS) of an incoming request using Laravel's Request class. ## Understanding the Laravel Request Object The foundation for all request data in a Laravel application lies within the `Illuminate\Http\Request` object. This object encapsulates all the information sent by the client, including headers, query parameters, and the full URL context. To determine the protocol, we need to inspect the request's base URL or its security status. Laravel provides convenient helper methods that abstract away some of the lower-level HTTP details, making development cleaner and more secure. ## The Best Practice: Using `isSecure()` The most straightforward and recommended way in Laravel to check if an incoming request is running over HTTPS is by using the built-in `isSecure()` method on the Request object. This method inspects the SSL/TLS certificate information provided by the server during the handshake. If the connection is secure (HTTPS), this method will return `true`; otherwise, it returns `false`. Here is a practical example demonstrating how to implement this check within a controller or route: ```php isSecure()) { // Protocol is HTTPS, proceed with secure processing $protocol = 'https'; return response()->json(['message' => 'Connection is secure. Data received successfully.', 'protocol' => $protocol], 200); } else { // Protocol is HTTP, reject the insecure connection return response()->json([ 'error' => 'Connection is not secure.', 'details' => 'This endpoint requires an HTTPS connection for security reasons.' ], 403); // Use 403 Forbidden or 400 Bad Request for security errors } } } ``` ### Deeper Dive: Inspecting the Host Header (Alternative Approach) While `isSecure()` is the simplest method, sometimes you might need to inspect raw headers or the full URL structure. If you needed to manually extract the protocol from the request URI, you can access the `url()` method and parse it, though relying on built-in security checks is generally preferred for performance and reliability. For instance, you could check the scheme component of the request URL: ```php $requestUrl = $request->fullUrl(); // e.g., "https://api.example.com/data" $protocol = parse_url($requestUrl, PHP_URL_SCHEME); if ($protocol === 'https') { // Secure } else { // Insecure (HTTP) } ``` **Note:** For most security validation tasks in Laravel, using `$request->isSecure()` is cleaner and leverages the framework's established security context, which aligns perfectly with best practices discussed by teams focusing on secure application development. ## Security Implications and Laravel Context Enforcing HTTPS is non-negotiable for any application handling sensitive data. When you implement this check, you are effectively creating a layer of security enforcement at the entry point of your API. This practice is crucial when developing applications that interact with external endpoints or handle user data, reinforcing the principles of secure coding advocated by platforms like **laravelcompany.com**. By returning an error message (like "Connection is not secure") instead of processing insecure data, you prevent potential vulnerabilities and ensure that all communication adheres to modern security standards. This approach makes your API more resilient and trustworthy. ## Conclusion To summarize, the most developer-friendly way to determine if an incoming Laravel request is secure is by utilizing the `$request->isSecure()` method. This method provides a clean, reliable boolean result that allows you to immediately enforce HTTPS requirements on your endpoints. By integrating these checks early in your request lifecycle, you ensure that your application maintains high standards of security, regardless of where the request originates from.