Global, route-level, and group middleware
Concept
Middleware in Laravel is registered at three levels: global (every request), group (named set of middleware), and route-level (specific routes or groups of routes).
Global middleware (in App\Http\Kernel's $middleware array): Runs on EVERY request, including requests to routes that don't exist. Examples: TrustProxies, PreventRequestsDuringMaintenance. Use sparingly — anything here adds latency to every request.
Middleware groups ($middlewareGroups): Named sets of middleware. Laravel defines web and api groups. web includes session, CSRF, cookies. api includes ThrottleRequests and SubstituteBindings. Applied to route groups in RouteServiceProvider.
Route-level middleware ($middlewareAliases formerly $routeMiddleware): Named individual middleware that can be applied to specific routes or groups. 'auth' => \App\Http\Middleware\Authenticate::class. Applied via ->middleware('auth').
Applying to routes:
Route::get('/admin', ...)->middleware('auth');
Route::get('/admin', ...)->middleware(['auth', 'role:admin']);
Route::middleware(['auth', 'verified'])->group(fn() => Route::get('/dashboard', ...));Laravel 11 changes: The HTTP Kernel was significantly simplified. In Laravel 11, middleware configuration moved from App\Http\Kernel.php to bootstrap/app.php using a fluent API: $app->withMiddleware(function(Middleware $m) { ... }).
Code Example
<?php
// app/Http/Kernel.php (Laravel ≤ 10)
namespace App\Http;
class Kernel extends \Illuminate\Foundation\Http\Kernel
{
// GLOBAL middleware — runs on every request
protected $middleware = [
\App\Http\Middleware\TrustProxies::class,
\Illuminate\Http\Middleware\HandleCors::class,
\App\Http\Middleware\PreventRequestsDuringMaintenance::class,
\Illuminate\Foundation\Http\Middleware\ValidatePostSize::class,
\App\Http\Middleware\TrimStrings::class,
\Illuminate\Foundation\Http\Middleware\ConvertEmptyStringsToNull::class,
];
// MIDDLEWARE GROUPS
protected $middlewareGroups = [
'web' => [
\App\Http\Middleware\EncryptCookies::class,
\Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
\Illuminate\Session\Middleware\StartSession::class,
\Illuminate\View\Middleware\ShareErrorsFromSession::class,
\App\Http\Middleware\VerifyCsrfToken::class,
\Illuminate\Routing\Middleware\SubstituteBindings::class,
],
'api' => [
\Illuminate\Routing\Middleware\ThrottleRequests::class . ':api',
\Illuminate\Routing\Middleware\SubstituteBindings::class,
],
];
// NAMED (route-level) MIDDLEWARE
protected $middlewareAliases = [
'auth' => \App\Http\Middleware\Authenticate::class,
'auth.basic' => \Illuminate\Auth\Middleware\AuthenticateWithBasicAuth::class,
'can' => \Illuminate\Auth\Middleware\Authorize::class,
'guest' => \App\Http\Middleware\RedirectIfAuthenticated::class,
'throttle' => \Illuminate\Routing\Middleware\ThrottleRequests::class,
'verified' => \Illuminate\Auth\Middleware\EnsureEmailIsVerified::class,
'role' => \App\Http\Middleware\RequireRole::class, // custom
'subscription' => \App\Http\Middleware\CheckSubscription::class, // custom
];
}// Laravel 11 — bootstrap/app.php
return Application::configure(basePath: dirname(__DIR__))
->withMiddleware(function (\Illuminate\Foundation\Configuration\Middleware $middleware) {
$middleware->append(\App\Http\Middleware\MeasureRequestTime::class); // global
$middleware->api(prepend: [\App\Http\Middleware\AddApiHeaders::class]); // api group
$middleware->alias(['role' => \App\Http\Middleware\RequireRole::class]); // named
})
->create();