How To: Optimizing SSL on Laravel Forge

Published on by

How To: Optimizing SSL on Laravel Forge image

Let’s Encrypt is a new automated SSL certificate authority. Because it is free, it is opening the doors to an exciting new era of secure servers and technologies. Laravel Forge was recently to allow one-click installations of Let’s Encrypt certificates. It is now easier than ever to have your own SSL!

Let’s take a few extra minutes to optimize your server and help it perform faster and be more secure. In this tutorial we will look at using SSL session caching, HTTP Strict Transport Security (HSTS), and Hypertext Transfer Protocol 2 (HTTP/2).


  • A forge-managed server.
  • Site running under SSL.
  • nginx 1.9.5 or higher for HTTP/2 (everything else should work).


Multiple HTTPS sites on a single IP address will cause nginx to use SNI to establish an SSL connection. Internet Explorer 8 and below on Windows XP, as well as Android 2.3.7, do not support SNI. They will likely report a broken certificate, or might not be able to connect at all. This is only something to worry about if you need to support old browsers.

SSL Log-Jam Fix

Forge now includes a recipe to apply the Diffie-Helmann Log-Jam Vulnerability patch. Run that against the server in question before performing the following steps.

SSL Optimizations

Enabling SSL can slow down your site’s load times, especially if you have many files. Each request has some overhead of SSL negotiation. before a response gets issued. Setting up SSL session caching eliminates renegotiation for each request unless the cache expires.

Using an optimized cypher suite will further harden our security configuration. This will address browser compatibility and cypher blacklists.

We will also enable Online Certificate Status Protocol (OCSP) stapling. The server will cache the revocation status of the SSL certificates. This eliminates the need to query the certificate authority each time.

All these settings are best set up as a recipe in Laravel Forge. You can then run it with ease against any of your servers:

Here is the script depicted above:

> **Note:** adding this recipe to a server will not affect the non-SSL-secured web sites on your server.

HTTP Strict Transport Security (HSTS)

HSTS is a web security policy mechanism which helps to protect websites against protocol downgrade attacks and cookie hijacking. It allows web servers to declare that web browsers (or other complying user agents) should only interact with it using secure HTTPS connections,[1] and never via the insecure HTTP protocol. – Wikipedia

Enabling HSTS gives us all the benefits for browsers that support it. It also won’t affect browsers that don’t support it.

Lets get to it. For this we need to edit your sites nginx configuration file. You can get to it using the Edit Files drop-down on your site screen in Laravel Forge:

Add the following line to your server block:

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";

Note: some tutorials include a trailing “always” keyword. But that isn’t the correct usage of the command in this case. It should not be in every response. Instead, the browser will determine the correct usage of the HSTS header once it sees it.


This is by far the simplest step. In your site’s nginx configuration file add “http2” to the end of the listen line for the server block.

listen 443 ssl http2;

Note: Do not add this to the non-ssl server block listening on port 80.

Wrapping Things Up

All that’s left now is to reload nginx and test your server’s SSL configuration.

Next head to SSL Labs and test your certificate. You should now be sporting a solid “A+”! Congratulations on making the internet a faster and safer place! If you go to your site now, you should notice an appreciable speed increase compared to before.

Mike Bronner photo

Husband. Genealogist. Web Designer. Translator. German-American.


Laravel Newsletter

Join 40k+ other developers and never miss out on new tips, tutorials, and more.


Fix Laravel errors in record time. Fill in the gaps with uptime, cron, and heartbeat monitoring. Build trust with status pages and incident management—all in one simple platform.

Visit Honeybadger

The latest

View all →
Use Ollama LLM Models Locally with Laravel image

Use Ollama LLM Models Locally with Laravel

Read article
TallStackUI - a new component library for TALL Stack apps image

TallStackUI - a new component library for TALL Stack apps

Read article
Laravel 10.34 Released image

Laravel 10.34 Released

Read article
Laravel Tailwind Merge image

Laravel Tailwind Merge

Read article
Generate Validation Rules from a Database Schema in Laravel image

Generate Validation Rules from a Database Schema in Laravel

Read article
A Feature Flags Implementation for Filament image

A Feature Flags Implementation for Filament

Read article
Honeybadger logo


Zero-instrumentation, 360 degree coverage of errors, outages and service degradation.

Laravel Forge logo

Laravel Forge

Easily create and manage your servers and deploy your Laravel applications in seconds.

Laravel Forge
Oh Dear logo

Oh Dear

Oh Dear is the best all-in-one monitoring tool for all your Laravel apps.

Oh Dear
Tinkerwell logo


The must-have code runner for Laravel developers. Tinker with AI, autocompletion and instant feedback on local and production environments.

Kirschbaum logo


Providing innovation and stability to ensure your web application succeeds.

Shift logo


Running an old Laravel version? Instant, automated Laravel upgrades and code modernization to keep your applications fresh.

Bacancy logo


Supercharge your project with a seasoned Laravel developer with 4-6 years of experience for just $2500/month. Get 160 hours of dedicated expertise & a risk-free 15-day trial. Schedule a call now!

LoadForge logo


Easy, affordable load testing and stress tests for websites, APIs and databases.

Paragraph logo


Manage your Laravel app as if it was a CMS – edit any text on any page or in any email without touching Blade or language files.

Lucky Media logo

Lucky Media

Bespoke software solutions built for your business. Partner with Lucky Media, your favorite Laravel Development Agency!

Lucky Media
Lunar: Laravel E-Commerce logo

Lunar: Laravel E-Commerce

E-Commerce for Laravel. An open-source package that brings the power of modern headless e-commerce functionality to Laravel.

Lunar: Laravel E-Commerce