If you want to add the Strict-Transport-Security header to all your requests in Laravel, you can easily use a custom middleware for doing so.

First, start with creating a file called app/Http/Middleware/HSTS.php and put the following content in there:

<?php
 
namespace App\Http\Middleware;
 
use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\App;
 
class HSTS
{
    public function handle(Request $request, Closure $next)
    {
        $response = $next($request);
 
        if (!App::environment('local')) {
            $response->headers->set(
                'Strict-Transport-Security',
                'max-age=31536000; includeSubdomains',
                true
            );
        }
 
        return $response;
    }
}

After that, it's a matter of enabling it in the app/Http/Kernel.php file under the key $middleware:

namespace App\Http;
 
use App\Http\Middleware\AllowedRolesMiddleware;
use App\Http\Middleware\ApiVersioning;
use App\Http\Middleware\IsAuthorized;
use App\Http\Middleware\PassportClientIsAuthorizedForCompany;
use Fruitcake\Cors\HandleCors;
use Illuminate\Foundation\Http\Kernel as HttpKernel;
use Laravel\Passport\Http\Middleware\CheckClientCredentials;
 
class Kernel extends HttpKernel
{
    /**
     * The application's global HTTP middleware stack.
     *
     * These middleware are run during every request to your application.
     *
     * @var array
     */
    protected $middleware = [
        HandleCors::class,
        \Illuminate\Foundation\Http\Middleware\CheckForMaintenanceMode::class,
        \Illuminate\Foundation\Http\Middleware\ValidatePostSize::class,
        \App\Http\Middleware\TrimStrings::class,
        \Illuminate\Foundation\Http\Middleware\ConvertEmptyStringsToNull::class,
        \App\Http\Middleware\InvalidDateCleaner::class,
        \App\Http\Middleware\HSTS::class, // <- add this line
    ];
 
    // ...
}

Note: in this example, I've disabled this for the local environment as I'm using Laravel Valet for testing over http (not https).