I created an easy to use API to help businesses do incredible things with AI.
Benjamin Crozat
Latest
Courses
Books
Links
Battle ready Laravel
Battle ready Laravel
Ash Allen
Get the book
Mastering Laravel<br /> Validation Rules
Mastering Laravel
Validation Rules
Aaron Saray / Joel Clermont
Get the book
Microservices with<br /> Laravel
Microservices with
Laravel
Martin Joo
Get the book
Domain-Driven Design<br /> with Laravel
Domain-Driven Design
with Laravel
Martin Joo
Get the book
Level up<br /> with Tailwind CSS
Level up
with Tailwind CSS
Shruti Balasa
Get the book
Design Patterns<br /> for Vue.js
Design Patterns
for Vue.js
Lachlan Miller
Get the book
Consuming APIs<br /> in Laravel
Consuming APIs
in Laravel
Ash Allen
Get the book
Laravel

Middleware in Laravel 11 and how to customize them

Benjamin Crozat
Modified on Mar 21, 2024 5 comments Edit on GitHub
Middleware in Laravel 11 and how to customize them

Introduction to middleware customization in Laravel 11

Starting from Laravel 11, new projects get to experience a slimmer skeleton. Parts of the efforts to make it happen were to remove the default middleware classes.

But how do you customize them then? Easy! Just go into your bootstrap/app.php file and configure them however you want. Let me show you in more detail for the most common use cases.

Customize the most common middleware

Change where guests are redirected

To customize where guests are redirected, use the redirectGuestsTo() method in bootstrap/app.php:

->withMiddleware(function (Middleware $middleware) {
    $middleware->redirectGuestsTo('/admin/login');
})

Previously, this was happening in the Authenticated.php middleware file.

Change where users and guests are redirected

To customize where users and guests are redirected, use the redirectTo() method in bootstrap/app.php:

->withMiddleware(function (Middleware $middleware) {
    $middleware->redirectTo(
        guests: '/admin/login',
        users: '/dashboard'
    );
})

Previously, this was happening in the Authenticated.php and RedirectIfAuthenticated.php middleware files.

Exclude cookies from being encrypted

To customize which cookies must not be encrypted, use the encryptCookies() method in bootstrap/app.php:

->withMiddleware(function (Middleware $middleware) {
    $middleware->encryptCookies(except: [
        'foo',
        'bar',
    ]);
})

Previously, this was happening in the EncryptCookies.php middleware file.

Exclude routes from CSRF protection

To customize which routes must be excluded from CSRF protection, use the validateCsrfTokens() method in bootstrap/app.php:

->withMiddleware(function (Middleware $middleware) {
    $middleware->validateCsrfTokens(except: [
        '/foo/*',
        '/bar',
    ]);
})

Previously, this was happening in the VerifyCsrfToken.php middleware file.

Exclude routes from URL signature validation

To exclude routes from URL signature validation, use the validateSignatures() method in bootstrap/app.php:

->withMiddleware(function (Middleware $middleware) {
    $middleware->validateSignatures(except: [
        '/api/*',
    ]);
})

Previously, this was happening in the ValidateSignature.php middleware file.

Prevent converting empty strings in requests

To configure the middleware that converts empty strings to null, use the convertEmptyStringsToNull() method in bootstrap/app.php:

->withMiddleware(function (Middleware $middleware) {
    $middleware->convertEmptyStringsToNull(except: [
        fn ($request) => $request->path() === 'foo/bar',
    ]);
})

Previously, you had to remove the ConvertEmptyStringsToNull middleware in the app/Http/Kernel.php file or do it on a per route basis.

Prevent string trimming in requests

To configure the middleware responsible for trimming strings, use the trimStrings() method in bootstrap/app.php:

->withMiddleware(function (Middleware $middleware) {
    $middleware->trimStrings(except: [
        '/foo',
    ]);
})

Previously, this was happening in the TrimStrings.php middleware file.

Advanced middleware customization

In addition to the basic customizations we’ve covered, Laravel 11 offers more advanced options for middleware manipulation. These can be particularly useful for complex applications or when you need fine-grained control over your middleware stack.

Manipulating the global middleware stack

You can add, remove, or replace middleware in the global stack:

->withMiddleware(function (Middleware $middleware) {
    $middleware->prepend(SomeMiddleware::class);
    $middleware->append(AnotherMiddleware::class);
    $middleware->remove(UnwantedMiddleware::class);
    $middleware->replace(OldMiddleware::class, NewMiddleware::class);
})

Working with middleware groups

Laravel allows you to define and modify middleware groups:

->withMiddleware(function (Middleware $middleware) {
    $middleware->group('custom', [
        FirstMiddleware::class,
        SecondMiddleware::class,
    ]);
    
    $middleware->prependToGroup('web', NewWebMiddleware::class);
    $middleware->appendToGroup('api', NewApiMiddleware::class);
    $middleware->removeFromGroup('web', OldWebMiddleware::class);
    $middleware->replaceInGroup('api', OldApiMiddleware::class, NewApiMiddleware::class);
})

API-specific configurations

For API-focused applications, Laravel provides specific methods:

->withMiddleware(function (Middleware $middleware) {
    $middleware->statefulApi(); // Enable Sanctum's frontend state middleware
    $middleware->throttleApi('custom_limiter', true); // Configure API rate limiting
})

Configuring trusted proxies and hosts

For applications behind a proxy or load balancer:

->withMiddleware(function (Middleware $middleware) {
    $middleware->trustHosts(['example.com', '*.example.com']);
    $middleware->trustProxies(['192.168.1.1', '192.168.1.2']);
})

Enabling authenticated sessions

To ensure sessions are authenticated in the “web” middleware group:

->withMiddleware(function (Middleware $middleware) {
    $middleware->authenticateSessions();
})

These advanced options provide more flexibility in customizing your application’s middleware behavior, allowing you to fine-tune security, performance, and functionality as needed.

5 comments

Drew Bertola
Drew Bertola 7mos ago 
$middleware->convertEmptyStringsToNull(except: [
    fn ($request) => $request->path() === 'foo/bar',
]);

Didn't work for me. I tried this and it worked:

$middleware->api()->remove(ConvertEmptyStringsToNull::class);
Drew Bertola
Drew Bertola 7mos ago

So, that just removes it from routes under /api/. I suppose you could remove it globally as well. BTW, thanks!

Benjamin Crozat
Benjamin Crozat 7mos ago

Great tip I didn't know, thanks a lot Drew!

mariano-bruno
mariano-bruno 4mos ago

Gracias amigo, me fui muy util la informacion de las cookies. Saludos desde Argentina

Benjamin Crozat
Benjamin Crozat 4mos ago

You're welcome!

Get help or share something of value with other readers!

Sign in with GitHub
Great deals for enterprise developers
  • Summarize and talk to YouTube videos. Bypass ads, sponsors, chit-chat, and get to the point.
    Try Nobinge →
  • Monitor the health of your apps: downtimes, certificates, broken links, and more.
    20% off the first 3 months using the promo code CROZAT.
    Try Oh Dear for free
  • Keep the customers coming; monitor your Google rankings.
    30% off your first month using the promo code WELCOME30
    Try Wincher for free →
The latest community links
Share a link too →
- / -