If you want to add the Strict-Transport-Security header to all your requests in Laravel, you can easily use a custom middleware for doing so.

First, start with creating a file called app/Http/Middleware/HSTS.php and put the following content in there:


namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\App;

class HSTS
{
    public function handle(Request $request, Closure $next)
    {
        $response = $next($request);

        if (!App::environment('local')) {
            $response->headers->set(
          'Strict-Transport-Security',
          'max-age=31536000; includeSubdomains',
          true
      );
        }

        return $response;
    }
}

After that, it's a matter of enabling it in the app/Http/Kernel.php file under the key $middleware:

namespace App\Http;

use App\Http\Middleware\AllowedRolesMiddleware;
use App\Http\Middleware\ApiVersioning;
use App\Http\Middleware\IsAuthorized;
use App\Http\Middleware\PassportClientIsAuthorizedForCompany;
use Fruitcake\Cors\HandleCors;
use Illuminate\Foundation\Http\Kernel as HttpKernel;
use Laravel\Passport\Http\Middleware\CheckClientCredentials;

class Kernel extends HttpKernel
{
    /**
     * The application's global HTTP middleware stack.
     *
     * These middleware are run during every request to your application.
     *
     * @var array
     */
    protected $middleware = [
        HandleCors::class,
        \Illuminate\Foundation\Http\Middleware\CheckForMaintenanceMode::class,
        \Illuminate\Foundation\Http\Middleware\ValidatePostSize::class,
        \App\Http\Middleware\TrimStrings::class,
        \Illuminate\Foundation\Http\Middleware\ConvertEmptyStringsToNull::class,
        \App\Http\Middleware\InvalidDateCleaner::class,
        \App\Http\Middleware\HSTS::class, // <- add this line
    ];

  // ... 
}

Note: in this example, I've disabled this for the local environment as I'm using Laravel Valet for testing over http (not https).