Middleware in Laravel

⏱ Estimated reading time: 2 min

Middleware in Laravel act as a filter between an incoming HTTP request and the application’s response. They allow you to inspect, modify, or reject requests before they reach controllers, making them essential for tasks like authentication, authorization, logging, and request validation.

1. What Is Middleware?

Middleware are classes that handle HTTP requests before or after the controller is executed.

Request flow:

Request → Middleware → Controller → Response

Common uses:

• Authentication checks

• Authorization

• CSRF protection

• Logging requests

• Maintenance mode checks

2. Default Middleware in Laravel

Laravel includes built-in middleware such as:

• auth – Ensures the user is authenticated

• guest – Redirects authenticated users

• verified – Email verification

• throttle – Rate limiting

• csrf – Prevents cross-site request forgery

These are registered automatically.

3. Creating Custom Middleware

Create middleware using Artisan:

php artisan make:middleware CheckAge

File location:

app/Http/Middleware/CheckAge.php

4. Middleware Structure

Example middleware:

public function handle($request, Closure $next)
{
    if ($request->age < 18) {
        return redirect('home');
    }

    return $next($request);
}

• $request → Incoming request

• $next($request) → Pass request forward

5. Registering Middleware

Middleware are registered in app/Http/Kernel.php.

Route Middleware

protected $routeMiddleware = [
    'age' => \App\Http\Middleware\CheckAge::class,
];

6. Applying Middleware to Routes

Single Route

Route::get('/profile', function () {
    return view('profile');
})->middleware('auth');

Route Group

Route::middleware(['auth', 'verified'])->group(function () {
    Route::get('/dashboard', function () {
        return view('dashboard');
    });
});

7. Applying Middleware to Controllers

Apply middleware inside a controller:

public function __construct()
{
    $this->middleware('auth');
}

Exclude methods:

$this->middleware('auth')->except(['index']);

8. Global Middleware

Global middleware run on every request.

Defined in Kernel.php:

protected $middleware = [
    \App\Http\Middleware\TrustProxies::class,
];

9. Middleware Parameters

Middleware can accept parameters:

Route::get('/admin', function () {
    //
})->middleware('role:admin');

Middleware class:

public function handle($request, Closure $next, $role)
{
    if ($request->user()->role !== $role) {
        abort(403);
    }
    return $next($request);
}

10. Terminable Middleware

Middleware can run logic after the response:

public function terminate($request, $response)
{
    // Logging or cleanup
}

Conclusion

Middleware in Laravel provide a powerful mechanism to control request flow and application security. By using built-in and custom middleware, developers can keep controllers clean, enforce rules consistently, and build secure, maintainable applications.