
If you want to add the Strict-Transport-Security header to every response your Laravel application sends, a small custom middleware is the easiest way to do it.

First, start with creating a file called app/Http/Middleware/HSTS.php and put the following content in there:

<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\App;

class HSTS
{
    public function handle(Request $request, Closure $next)
    {
        // Let the rest of the stack build the response first, then decorate it.
        $response = $next($request);

        if (!App::environment('local')) {
            $response->headers->set(
                'Strict-Transport-Security',
                'max-age=31536000; includeSubdomains',
                true
            );
        }

        return $response;
    }
}

After that, it's a matter of registering it in the global $middleware array in app/Http/Kernel.php, so it runs on every request:

<?php

namespace App\Http;

use App\Http\Middleware\AllowedRolesMiddleware;
use App\Http\Middleware\ApiVersioning;
use App\Http\Middleware\IsAuthorized;
use App\Http\Middleware\PassportClientIsAuthorizedForCompany;
use Fruitcake\Cors\HandleCors;
use Illuminate\Foundation\Http\Kernel as HttpKernel;
use Laravel\Passport\Http\Middleware\CheckClientCredentials;

class Kernel extends HttpKernel
{
    /**
     * The application's global HTTP middleware stack.
     *
     * These middleware are run during every request to your application.
     *
     * @var array
     */
    protected $middleware = [
        HandleCors::class,
        \Illuminate\Foundation\Http\Middleware\CheckForMaintenanceMode::class,
        \Illuminate\Foundation\Http\Middleware\ValidatePostSize::class,
        \App\Http\Middleware\TrimStrings::class,
        \Illuminate\Foundation\Http\Middleware\ConvertEmptyStringsToNull::class,
        \App\Http\Middleware\InvalidDateCleaner::class,
        \App\Http\Middleware\HSTS::class, // <- add this line
    ];

    // ...
}

Note: in this example, I've disabled this for the local environment as I'm using Laravel Valet for testing over http (not https).
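To make sure the middleware keeps doing its job after future refactors, a feature test can pin down both behaviours: the header is present with the expected value outside the local environment, and absent in it. The test below is an added example, not code from the original post; it assumes the HSTS middleware is registered globally as shown above and uses a hypothetical probe route (/hsts-probe) registered only for the test. It flips the environment by writing $this->app['env'], which is what App::environment() reads. Skipping the header locally loses nothing, since browsers only honour Strict-Transport-Security on responses received over HTTPS and ignore it on plain http.

```php
<?php

namespace Tests\Feature;

use Illuminate\Support\Facades\Route;
use Tests\TestCase;

class HstsHeaderTest extends TestCase
{
    // Hypothetical probe route, registered only for this test so the global
    // middleware stack has a response to decorate.
    private const PROBE = '/hsts-probe';

    protected function setUp(): void
    {
        parent::setUp();
        Route::get(self::PROBE, fn () => 'ok');
    }

    public function test_hsts_header_is_set_outside_local(): void
    {
        // App::environment('local') reads $app['env']; force a non-local value.
        $this->app['env'] = 'production';

        $this->get(self::PROBE)
            ->assertOk()
            ->assertHeader(
                'Strict-Transport-Security',
                'max-age=31536000; includeSubdomains'
            );
    }

    public function test_hsts_header_is_omitted_in_local(): void
    {
        // Mirrors the Valet/http setup from the note above: no header locally.
        $this->app['env'] = 'local';

        $this->get(self::PROBE)
            ->assertOk()
            ->assertHeaderMissing('Strict-Transport-Security');
    }
}
```

Run it with php artisan test (or vendor/bin/phpunit); because the test environment is "testing" rather than "local", the first case would also pass without overriding $app['env'], but setting it explicitly keeps the test independent of phpunit.xml.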