Middleware in Laravel 11 and how to customize them

Benjamin Crozat

Modified on Mar 21, 2024 • 3 comments • Edit

Middleware in Laravel 11 and how to customize them

Introduction to middleware customization in Laravel 11

Starting from Laravel 11, new projects get to experience a slimmer skeleton. Parts of the efforts to make it happen was to remove the default middleware classes.

But how do you customize them then? Easy! Just go into your bootstrap/app.php file and configure them however you want. Let me show you in more details for the most common use cases.

Customize the default middleware

Change where guests are redirected

To customize where guests are redirected, use the redirectGuestsTo() method in bootstrap/app.php:

->withMiddleware(function (Middleware $middleware) {
    $middleware->redirectGuestsTo('/admin/login');
})

Previously, this was happening in the Authenticated.php middleware file.

Change where users and guests are redirected

To customize where users and guests are redirected, use the redirectTo() method in bootstrap/app.php:

->withMiddleware(function (Middleware $middleware) {
    $middleware->redirectTo(
        guests: '/admin/login',
        users: '/dashboard'
    );
})

Previously, this was happening in the Authenticated.php and RedirectIfAuthenticated.php middleware files.

Exclude cookies from being encrypted

To customize which cookies must not be encrypted, use the encryptCookies() method in bootstrap/app.php:

->withMiddleware(function (Middleware $middleware) {
    $middleware->encryptCookies(except: [
        'foo',
        'bar',
    ]);
})

Previously, this was happening in the EncryptCookies.php middleware file.

Exclude routes from CSRF protection

To customize which routes must be excluded from CSRF protection, use the validateCsrfTokens() method in bootstrap/app.php:

->withMiddleware(function (Middleware $middleware) {
    $middleware->validateCsrfTokens(except: [
        '/foo/*',
        '/bar',
    ]);
})

Previously, this was happening in the VerifyCsrfToken.php middleware file.

Exclude routes from URL signature validation

To exclude routes from URL signature validation, use the validateSignatures() method in bootstrap/app.php:

->withMiddleware(function (Middleware $middleware) {
    $middleware->validateSignatures(except: [
        '/api/*',
    ]);
})

Previously, this was happening in the ValidateSignature.php middleware file.

Prevent converting empty strings in requests

To configure the middleware that converts empty strings to null, use the convertEmptyStringsToNull() method in bootstrap/app.php:

->withMiddleware(function (Middleware $middleware) {
    $middleware->convertEmptyStringsToNull(except: [
        fn ($request) => $request->path() === 'foo/bar',
    ]);
})

Previously, you had to remove the ConvertEmptyStringsToNull middleware in the app/Http/Kernel.php file or do it on a per route basis.

Prevent string trimming in requests

To configure the middleware responsible for trimming strings, use the trimStrings() method in bootstrap/app.php:

->withMiddleware(function (Middleware $middleware) {
    $middleware->trimStrings(except: [
        '/foo',
    ]);
})

Previously, this was happening in the TrimStrings.php middleware file.

Wait, there's more!

3 comments

Drew Bertola • 6d ago

    $middleware->convertEmptyStringsToNull(except: [
        fn ($request) => $request->path() === 'foo/bar',
    ]);

Didn't work for me. I tried this and it worked:

        $middleware->api()->remove(ConvertEmptyStringsToNull::class);

Drew Bertola • 6d ago

So, that just removes it from routes under /api/. I suppose you could remove it globally as well. BTW, thanks!

Benjamin Crozat • 6d ago

Great tip I didn't know, thanks a lot Drew!

Get help or share something of value with other readers!