Mastering Laravel HTTP Requests

Laravel makes handling HTTP requests easy and elegant with the Illuminate\Http\Request class. This class lets you interact with everything about the request — like input data, headers, cookies, uploaded files, and even trusted proxies.

Introduction

Whenever a user visits your Laravel application, their browser sends an HTTP request. Laravel wraps this request in an object called Illuminate\Http\Request.

With it, you can:

Get form input ($request->input('name'))
Read headers, cookies, and IP addresses
Work with JSON data
Handle uploaded files
Configure trusted proxies & hosts

Interacting With the Request

Accessing the Request in Controllers

You can access the request by type-hinting it:

use Illuminate\Http\Request;
use Illuminate\Http\RedirectResponse;

class UserController extends Controller
{
    public function store(Request $request): RedirectResponse
    {
        $name = $request->input('name');
        // Save the user...
        return redirect('/users');
    }
}

Accessing the Request in Routes

use Illuminate\Http\Request;

Route::get('/', function (Request $request) {
    return $request->path(); // returns current path
});

Dependency Injection & Route Parameters

Even if your route has parameters, Laravel still injects the request:

Route::put('/user/{id}', [UserController::class, 'update']);

public function update(Request $request, string $id)
{
    return "User ID: $id";
}

Request Path, Host & Method

Request Path

$request->path(); // "foo/bar"

Match Path

if ($request->is('admin/*')) { ... }
if ($request->routeIs('admin.*')) { ... }

Full URL

$request->url();        // without query string
$request->fullUrl();    // with query string

Add/remove query params:

$request->fullUrlWithQuery(['page' => 2]);
$request->fullUrlWithoutQuery(['token']);

Host & Scheme

$request->host();              // example.com
$request->httpHost();          // example.com:8000
$request->schemeAndHttpHost(); // https://example.com

Method

$request->method(); // GET, POST, PUT...
$request->isMethod('post'); // true/false

Request Headers

$request->header('X-Token');
$request->header('X-Token', 'default'); // fallback
$request->hasHeader('X-Token');
$request->bearerToken(); // Authorization: Bearer <token>

Client IP

$request->ip();   // Single IP
$request->ips();  // All forwarded IPs

⚠️ IPs can’t always be trusted (e.g., behind proxies).

Content Negotiation

$request->getAcceptableContentTypes(); // ['text/html', 'application/json']
$request->accepts(['application/json']); // true/false
$request->prefers(['html','json']); // best match
$request->expectsJson(); // true if AJAX/JSON request

PSR-7 Requests

Laravel supports PSR-7 request/response with extra packages:

composer require symfony/psr-http-message-bridge nyholm/psr7

use Psr\Http\Message\ServerRequestInterface;

Route::get('/', function (ServerRequestInterface $request) {
    return $request->getUri();
});

Working With Input

Retrieve All Input

$request->all(); 
$request->collect(); // returns a Collection

Retrieve Single Values

$request->input('name', 'Default Name');
$request->input('products.0.name'); // array input

Query String Only

$request->query('page', 1);

JSON Input

$request->input('user.name');

Typed Inputs

$request->string('name')->trim();
$request->integer('age', 18);
$request->boolean('active');
$request->array('tags');
$request->date('birthday');
$request->enum('status', Status::class);

Dynamic Properties

$request->name; // same as input('name')

Subsets

$request->only('email', 'username');
$request->except('password');

Input Presence

$request->has('email');
$request->hasAny(['name', 'email']);
$request->filled('name');
$request->isNotFilled('address');
$request->missing('phone');

Execute logic:

$request->whenHas('name', fn($val) => ...);
$request->whenFilled('name', fn($val) => ...);
$request->whenMissing('name', fn() => ...);

Merging Input

$request->merge(['role' => 'user']);
$request->mergeIfMissing(['votes' => 0]);

Old Input (Session Flashing)

Flash to session:

$request->flash();
$request->flashOnly('username');
$request->flashExcept('password');

Redirect with input:

return redirect()->back()->withInput();

Retrieve old input:

old('username'); // Blade helper

Cookies

$request->cookie('name');

(Laravel encrypts and signs cookies automatically.)

Input Normalization

By default, Laravel:
– Trims strings
– Converts empty strings → null

Disable in bootstrap/app.php:

$middleware->remove([
    TrimStrings::class,
    ConvertEmptyStringsToNull::class,
]);

Or conditionally:

$middleware->trimStrings(except: [
    fn ($request) => $request->is('admin/*'),
]);

File Uploads

Retrieve Uploaded File

$file = $request->file('photo');
$file = $request->photo;

Check:

$request->hasFile('photo');
$request->file('photo')->isValid();

File Info

$request->photo->path();
$request->photo->extension();

Store Files

$path = $request->photo->store('images'); // storage/app/images
$path = $request->photo->store('images', 's3'); // cloud
$request->photo->storeAs('images', 'profile.jpg');

Trusted Proxies

If you’re behind a load balancer, configure trusted proxies:

$middleware->trustProxies(at: ['192.168.1.1']);
$middleware->trustProxies(at: '*'); // trust all

For AWS ELB:

$middleware->trustProxies(headers: Request::HEADER_X_FORWARDED_AWS_ELB);

Trusted Hosts

Restrict hostnames your app will respond to:

$middleware->trustHosts(at: ['laravel.test']);
$middleware->trustHosts(at: ['laravel.test'], subdomains: false);

Important

With Laravel’s Request class, you can:

Read all request input (form, query, JSON)
Work with headers, cookies, and IPs
Manage old input and flash data
Handle file uploads easily
Configure proxies & hosts for secure deployments