How to customize default middleware in Laravel 11

Table of contents:

• Introduction to default middleware customization in Laravel 11
• Customize the default middleware
  • Change where guests are redirected
  • Change where users and guests are redirected
  • Exclude cookies from being encrypted
  • Exclude routes from CSRF protection
  • Exclude routes from URL signature validation
  • Prevent converting empty strings in requests
  • Prevent string trimming in requests

Introduction to default middleware customization in Laravel 11

Starting from Laravel 11, new projects get to experience a slimmer skeleton. Part of the efforts to make it happen was to remove the default middleware classes.

But how do you customize them then? Easy! Just go into your bootstrap/app.php file and configure them however you want. Let me show you in more detail the most common use cases.

Customize the default middleware

Change where guests are redirected

To customize where guests are redirected, use the redirectGuestsTo() method in bootstrap/app.php:

->withMiddleware(function (Middleware $middleware) {
    $middleware->redirectGuestsTo('/admin/login');
})

Previously, this was happening in the Authenticated.php middleware file.

Change where users and guests are redirected

To customize where users and guests are redirected, use the redirectTo() method in bootstrap/app.php:

->withMiddleware(function (Middleware $middleware) {
    $middleware->redirectTo(
        guests: '/admin/login',
        users: '/dashboard'
    );
})

Previously, this was happening in the Authenticated.php and RedirectIfAuthenticated.php middleware files.

Exclude cookies from being encrypted

To customize which cookies must not be encrypted, use the encryptCookies() method in bootstrap/app.php:

->withMiddleware(function (Middleware $middleware) {
    $middleware->encryptCookies(except: [
        'foo',
        'bar',
    ]);
})

Previously, this was happening in the EncryptCookies.php middleware file.

Exclude routes from CSRF protection

To customize which routes must be excluded from CSRF protection, use the validateCsrfTokens() method in bootstrap/app.php:

->withMiddleware(function (Middleware $middleware) {
    $middleware->validateCsrfTokens(except: [
        '/foo/*',
        '/bar',
    ]);
})

Previously, this was happening in the VerifyCsrfToken.php middleware file.

Exclude routes from URL signature validation

To exclude routes from URL signature validation, use the validateSignatures() method in bootstrap/app.php:

->withMiddleware(function (Middleware $middleware) {
    $middleware->validateSignatures(except: [
        '/api/*',
    ]);
})

Previously, this was happening in the ValidateSignature.php middleware file.

Prevent converting empty strings in requests

To configure the middleware that converts empty strings to null, use the convertEmptyStringsToNull() method in bootstrap/app.php:

->withMiddleware(function (Middleware $middleware) {
    $middleware->convertEmptyStringsToNull(except: [
        fn ($request) => $request->path() === 'foo/bar',
    ]);
})

Previously, you had to remove the ConvertEmptyStringsToNull middleware in the app/Http/Kernel.php file or do it on a per route basis.

Prevent string trimming in requests

To configure the middleware responsible for trimming strings, use the trimStrings() method in bootstrap/app.php:

->withMiddleware(function (Middleware $middleware) {
    $middleware->trimStrings(except: [
        '/foo',
    ]);
})

Previously, this was happening in the TrimStrings.php middleware file.