If you want to add the Strict-Transport-Security header to every response in Laravel, a custom middleware is an easy way to do it.

First, start with creating a file called app/Http/Middleware/HSTS.php and put the following content in there:

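```php
<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\App;

class HSTS
{
    public function handle(Request $request, Closure $next)
    {
        $response = $next($request);
        // Skip the header in the local environment (see the note below).
        if (!App::environment('local')) {
            $response->headers->set(
                'Strict-Transport-Security',
                'max-age=31536000; includeSubdomains',
            );
        }
        return $response;
    }
}
```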

After that, it's a matter of enabling it in the app/Http/Kernel.php file under the key $middleware:

```php
<?php

namespace App\Http;

use App\Http\Middleware\AllowedRolesMiddleware;
use App\Http\Middleware\ApiVersioning;
use App\Http\Middleware\IsAuthorized;
use App\Http\Middleware\PassportClientIsAuthorizedForCompany;
use Fruitcake\Cors\HandleCors;
use Illuminate\Foundation\Http\Kernel as HttpKernel;
use Laravel\Passport\Http\Middleware\CheckClientCredentials;

class Kernel extends HttpKernel
{
    /**
     * The application's global HTTP middleware stack.
     *
     * These middleware are run during every request to your application.
     *
     * @var array
     */
    protected $middleware = [
        \App\Http\Middleware\HSTS::class, // <- add this line
        // ...
    ];
}
```

Note: in this example, I've disabled this for the local environment as I'm using Laravel Valet for testing over http (not https).
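
To confirm the middleware is registered and that the local exemption behaves as described, a feature test can assert on the response header. This test is an added example, not part of the original post; the class name `HSTSHeaderTest`, the file location `tests/Feature/`, the route `/` and the default `APP_ENV=testing` from `phpunit.xml` are assumptions.

```php
<?php

namespace Tests\Feature;

use Tests\TestCase;

// Hypothetical test class, e.g. tests/Feature/HSTSHeaderTest.php
class HSTSHeaderTest extends TestCase
{
    public function test_hsts_header_is_sent_outside_local(): void
    {
        // Assumption: phpunit.xml sets APP_ENV=testing, so the
        // middleware's non-local branch runs here.
        $this->assertFalse($this->app->environment('local'));

        // Assumption: '/' is a reachable route. Global middleware runs
        // on every request, so any URL of the application works.
        $response = $this->get('/');

        // The value must match the middleware's string exactly.
        $response->assertHeader(
            'Strict-Transport-Security',
            'max-age=31536000; includeSubdomains'
        );
    }

    public function test_hsts_header_is_absent_in_local(): void
    {
        // Switch the running application to the 'local' environment,
        // which the middleware exempts from the header.
        $this->app['env'] = 'local';

        $response = $this->get('/');

        $response->assertHeaderMissing('Strict-Transport-Security');
    }
}
```

Run it with `php artisan test --filter=HSTSHeaderTest`. If the first test fails, the middleware is most likely not listed in `$middleware`.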