aporat / laravel-api-middleware
A Laravel package for API middleware including trust proxies, SSL, and no-cache.
Requires
- php: ^8.4
- illuminate/support: ^10.0|^11.0|^12.0
Requires (Dev)
- laravel/pint: ^1.0
- orchestra/testbench: ^9.0|^10.0
- phpunit/phpunit: ^12.0
README
A Laravel package providing middleware for API enhancement, including trust proxies, no-cache enforcement, and SSL requirement validation.
A Laravel package offering middleware to enhance API security and performance with trust proxies, cache prevention, and SSL enforcement.
Requirements
- PHP: 8.4 or higher
- Laravel: 11.x, 12.x
Installation
Install the package via Composer:
composer require aporat/laravel-api-middleware
The service provider (`ApiMiddlewareServiceProvider`) is automatically registered via Laravel's package discovery. If auto-discovery is disabled, add it to `config/app.php`:
```php
'providers' => [
    // ...
    Aporat\Laravel\ApiMiddleware\ApiMiddlewareServiceProvider::class,
],
```
Publish the configuration file:
php artisan vendor:publish --provider="Aporat\\Laravel\\ApiMiddleware\\ApiMiddlewareServiceProvider" --tag="config"
This copies `api-middleware.php` to your `config/` directory.
Configuration
Edit `config/api-middleware.php` to customize the middleware settings:
```php
<?php

return [
    'trust_proxies' => [
        'proxies' => ['127.0.0.1', '10.0.0.0/24', '10.0.0.0/8'],
        'headers' => \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_AWS_ELB,
    ],
    'no_cache' => [
        'cache_control' => 'no-store, no-cache, must-revalidate, max-age=0, post-check=0, pre-check=0',
        'pragma' => 'no-cache',
    ],
    'ssl_required' => [
        'except_routes' => ['/ping'],
        'except_environments' => ['development', 'local'],
    ],
];
```
- `trust_proxies`: Defines trusted proxy IPs or CIDR ranges and headers for proxy trust (e.g., AWS ELB).
- `no_cache`: Sets `Cache-Control` and `Pragma` headers to prevent caching.
- `ssl_required`: Configures routes and environments exempt from SSL enforcement.
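An added example (not code from this package) of what the `trust_proxies` list controls, assuming the middleware hands `proxies` and `headers` to Symfony's `Request::setTrustedProxies()`. The addresses are constructed documentation ranges, and treating `10.0.0.0/24` as the load-balancer subnet is an assumption.

```php
<?php
// Added example, not part of aporat/laravel-api-middleware.
// Run from a project root that has symfony/http-foundation installed.
require __DIR__ . '/vendor/autoload.php';

use Symfony\Component\HttpFoundation\Request;

// Constructed request: $peer is the TCP peer (REMOTE_ADDR); the
// X-Forwarded-* headers are whatever that peer sent.
function fromPeer(string $peer, string $xff): Request
{
    return Request::create('/test', 'GET', [], [], [], [
        'REMOTE_ADDR'            => $peer,
        'HTTP_X_FORWARDED_FOR'   => $xff,
        'HTTP_X_FORWARDED_PROTO' => 'https',
    ]);
}

// What application code sees once the proxy list is applied.
function resolve(array $proxies, Request $request): string
{
    Request::setTrustedProxies($proxies, Request::HEADER_X_FORWARDED_AWS_ELB);

    return $request->getClientIp() . ' secure=' . var_export($request->isSecure(), true);
}

$narrow = ['10.0.0.0/24']; // assumed: subnet holding only the load balancers
$broad  = ['10.0.0.0/8'];  // every private 10.x host counts as a proxy

$cases = [
    // [label, proxy list, peer, X-Forwarded-For, expected result]
    ['via load balancer',     $narrow, '10.0.0.5',     '198.51.100.9, 203.0.113.7', '203.0.113.7 secure=true'],
    ['direct, not a proxy',   $narrow, '203.0.113.50', '192.0.2.1',                 '203.0.113.50 secure=false'],
    ['internal host, narrow', $narrow, '10.9.8.7',     '192.0.2.1',                 '10.9.8.7 secure=false'],
    ['internal host, broad',  $broad,  '10.9.8.7',     '192.0.2.1',                 '192.0.2.1 secure=true'],
];

foreach ($cases as [$label, $proxies, $peer, $xff, $expected]) {
    $actual = resolve($proxies, fromPeer($peer, $xff));
    printf("%-24s %-28s %s\n", $label, $actual, $actual === $expected ? 'ok' : "expected $expected");
}
```

`X-Forwarded-For` and `X-Forwarded-Proto` are honoured only when `REMOTE_ADDR` falls inside `proxies`, so keep that list to the addresses of the load balancers themselves.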
Usage
Middleware
Apply the middleware to routes using their aliases:
```php
// routes/api.php
Route::middleware(['trust.proxies', 'no.cache', 'ssl.required'])->get('/test', function () {
    return response()->json(['message' => 'API Enhanced!']);
});
```
- `trust.proxies`: Trusts specified proxies for accurate request data (e.g., IP addresses).
- `no.cache`: Prevents caching of API responses.
- `ssl.required`: Enforces HTTPS, throwing an exception for non-secure requests (except exempted routes/environments).
Manual Instantiation
Resolve an instance with custom settings in a controller or service:
```php
use Aporat\Laravel\ApiMiddleware\TrustProxies;
use Aporat\Laravel\ApiMiddleware\NoCache;
use Aporat\Laravel\ApiMiddleware\SSLRequired;

$trustProxies = new TrustProxies(['192.168.1.1']);
$noCache = new NoCache('no-cache, max-age=0', 'no-store');
$sslRequired = new SSLRequired(['/custom'], ['testing']);

$response = $trustProxies->handle($request, function ($req) use ($noCache, $sslRequired) {
    return $noCache->handle($req, function ($req) use ($sslRequired) {
        return $sslRequired->handle($req, fn($req) => response()->json(['message' => 'API Enhanced!']));
    });
});
```
Or use dependency injection (requires binding adjustment in the service provider):
```php
use Aporat\Laravel\ApiMiddleware\TrustProxies;
use Illuminate\Http\Request;

class ApiController extends Controller
{
    public function handleRequest(Request $request, TrustProxies $trustProxies)
    {
        return $trustProxies->handle($request, fn($req) => response()->json(['message' => 'Proxies Trusted!']));
    }
}
```
Testing
Run the package's unit tests:
vendor/bin/phpunit
With coverage:
vendor/bin/phpunit --coverage-text --coverage-clover coverage.xml --log-junit junit.xml
Requires Xdebug or PCOV for coverage reports.
Contributing
Contributions are welcome! Please:
- Fork the repository.
- Create a feature branch (`git checkout -b feature/your-feature`).
- Commit your changes (`git commit -m 'Add your feature'`).
- Push to the branch (`git push origin feature/your-feature`).
- Open a pull request.
License
This package is open-sourced under the MIT License. See the LICENSE file for details.