Force Laravel to use HTTPS version

Stefan Bogdanescu

Founder & Senior Architect · 2026-06-29

Laravel Company
# Force Laravel to Use HTTPS: Solving Your SSL Headache Setting up a secure website with HTTPS is non-negotiable in modern web development. However, as you’ve discovered, transitioning from HTTP to HTTPS in a Laravel application can sometimes lead to frustrating inconsistencies, especially when dynamic links and generated HTML elements default back to insecure HTTP protocols. This post will dive into why this happens in the Laravel ecosystem and provide concrete, developer-focused solutions to ensure all your application assets, routing, and dynamic output consistently use HTTPS. ## The Root of the Problem: Base URL Misconfiguration When you deploy a Laravel application behind an SSL certificate, the web server (Nginx or Apache) handles the secure connection (port 443), but Laravel itself needs to be explicitly told what its "base" URL is. If this base URL is misconfigured, or if dynamic views generate relative paths instead of absolute ones, you end up with mixed content warnings and broken links, exactly as you experienced with your pagination example pointing to `http://siteurl.net`. The issue isn't usually that Laravel *wants* to use HTTP; it wants to use the URL it was configured with. The problem lies in how the application constructs those URLs, particularly when dealing with legacy features or custom view logic. ## Solution 1: Setting the Correct Application URL The first and most crucial step is ensuring your environment variables correctly reflect your secure setup. Laravel relies heavily on the `APP_URL` setting to generate absolute links for assets and redirects. In your `.env` file, ensure this line is set correctly for production environments: ```dotenv APP_URL=https://yourdomain.com ``` Setting this correctly ensures that when Laravel generates URLs using helper functions like `asset()`, `url()`, or within routing, the HTTPS protocol is automatically prepended. This aligns with best practices outlined by the [Laravel team](https://laravelcompany.com). ## Solution 2: Fixing Dynamic Output (The Pagination Example) Your specific concern revolves around dynamically generated HTML, such as the pagination links generated by your custom `jscroll` implementation: ```html ``` This link is failing because the URL being generated is an insecure `http://` path, ignoring the secure context of your site. To fix this, you must stop hardcoding or generating relative paths and instead use Laravel's built-in URL generation methods. Instead of manually constructing the links in your Blade file, utilize the `route()` helper or the `URL` facade to ensure dynamic links are correctly resolved based on your configured application base. **The Correct Approach Using Route Helpers:** If you have defined a route for pagination (e.g., `/search/{tag}/page/{page}`), you should generate the link using that route definition: ```php // Instead of manually building the URL, use the router to get the correct HTTPS path ``` This approach delegates the responsibility of URL construction to Laravel’s routing system, which respects the `APP_URL` configuration and ensures that all generated links point to the correct HTTPS endpoint. This is far more robust than manual string concatenation. ## Solution 3: Server-Level Enforcement (HSTS) While fixing application code solves the link generation issue, you must also ensure your server enforces HTTPS globally. Implement HTTP Strict Transport Security (HSTS) headers on your web server configuration (Nginx or Apache). HSTS tells browsers that any future requests to your site **must** use HTTPS, preventing downgrade attacks and enforcing security across the entire session. For Nginx, this involves adding a header like: ```nginx add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; ``` ## Conclusion Switching to HTTPS in Laravel is less about forcing the framework and more about ensuring consistency between your environment variables, your routing definitions, and your view layer. By correctly setting `APP_URL`, leveraging route helpers for dynamic links, and implementing server-level security headers like HSTS, you can eliminate those frustrating HTTP link errors and establish a truly secure and seamless user experience. Always adhere to these principles when building robust applications on the [Laravel platform](https://laravelcompany.com).