In this episode, we tackle a common headache when deploying Laravel apps: assets (CSS, JavaScript, images) sometimes load over HTTP instead of HTTPS, even when your site is secure. This can lead to browser warnings and mixed content issues—especially when you’re pushing your project to platforms like Heroku.
First, we walk through an example where assets are being loaded with the wrong scheme. We dig into how Laravel's asset()
helper determines whether to use HTTP or HTTPS. Spoiler: it relies on the current request's scheme, and sometimes the server configuration doesn’t play nicely with this.
We then jump into two practical solutions:
Force HTTPS Based on Environment: We update the application’s Service Provider to always force HTTPS in production. You’ll see how to inject the URL generator and use its forceScheme
method, making sure all generated asset URLs use HTTPS when needed. We demonstrate this with a quick push to Heroku, showing how the fix works live.
Flexible, Config-Based Solution: For more control (like staging or special server cases), we switch to an environment variable approach. By adding a FORCE_HTTPS
setting to your .env
file or Heroku config, you can selectively force HTTPS on any environment. This method is more adaptable and keeps your config clean.
We wrap up by showing you the best spot to store such config, and how to reference it in your app. By the end, you'll know how to banish those mixed content warnings for good, with practical techniques you can drop into pretty much any Laravel project.