
Position in Kernel.php middleware

Open zlem0815 opened this issue 7 months ago • 1 comments

Just a note, but perhaps useful for the installation instructions

Added \Bepsvpt\SecureHeaders\SecureHeadersMiddleware::class as the last entry in Kernel.php, like:

    protected $middleware = [
        \App\Http\Middleware\TrustProxies::class,
        \Illuminate\Http\Middleware\HandleCors::class,
        \App\Http\Middleware\PreventRequestsDuringMaintenance::class,
        \Illuminate\Foundation\Http\Middleware\ValidatePostSize::class,
        \App\Http\Middleware\TrimStrings::class,
        \Illuminate\Foundation\Http\Middleware\ConvertEmptyStringsToNull::class,
        \Bepsvpt\SecureHeaders\SecureHeadersMiddleware::class,
    ];

However, that did not work and the headers were not added. After moving SecureHeadersMiddleware to the first position, it worked. My working solution:

    protected $middleware = [
        \Bepsvpt\SecureHeaders\SecureHeadersMiddleware::class,
        \App\Http\Middleware\TrustProxies::class,
        \Illuminate\Http\Middleware\HandleCors::class,
        \App\Http\Middleware\PreventRequestsDuringMaintenance::class,
        \Illuminate\Foundation\Http\Middleware\ValidatePostSize::class,
        \App\Http\Middleware\TrimStrings::class,
        \Illuminate\Foundation\Http\Middleware\ConvertEmptyStringsToNull::class,
    ];

zlem0815, Jul 29 '25 20:07

Update: There is no issue with where '\Bepsvpt\SecureHeaders\SecureHeadersMiddleware::class' is placed.

Moreover, (at least) I have issues when 'App\Http\Middleware\PreventRequestsDuringMaintenance::class' comes before 'Bepsvpt\SecureHeaders\SecureHeadersMiddleware::class'.

In that case, secure headers are not added.

If I use the following order:

    (...)
    Bepsvpt\SecureHeaders\SecureHeadersMiddleware::class,
    App\Http\Middleware\PreventRequestsDuringMaintenance::class,

it works fine.

So it's most likely not a bepsvpt/secure-headers issue, and this issue can be closed.

zlem0815, Aug 01 '25 18:08
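One way the ordering effect reported in this thread can arise in an onion-style middleware stack, shown as an added example that is not code from the issue, from Laravel, or from bepsvpt/secure-headers. It assumes a header middleware that decorates the response after calling `$next` and a maintenance gate that answers by itself without calling `$next`; both closures and the `run()` helper are hypothetical stand-ins, and whether this is what happened in the reporter's application is not confirmed by the thread.

```php
<?php
// Simplified model of an onion-style middleware stack (not Laravel's own pipeline).
// A response is modelled as ['status' => int, 'headers' => array].

// Hypothetical stand-in for a header middleware: decorates the response on the way out.
$secureHeaders = function (array $request, callable $next): array {
    $response = $next($request);
    $response['headers']['X-Content-Type-Options'] = 'nosniff';
    $response['headers']['X-Frame-Options'] = 'sameorigin';
    return $response;
};

// Hypothetical stand-in for a maintenance gate: answers 503 itself, never calls $next.
$maintenanceGate = function (array $request, callable $next): array {
    if ($request['maintenance']) {
        return ['status' => 503, 'headers' => []];
    }
    return $next($request);
};

// Build the stack so the first array entry is the outermost layer, as in $middleware.
function run(array $stack, array $request): array
{
    $core = fn (array $req): array => ['status' => 200, 'headers' => []];
    $pipeline = array_reduce(
        array_reverse($stack),
        fn (callable $next, callable $mw): callable =>
            fn (array $req): array => $mw($req, $next),
        $core
    );
    return $pipeline($request);
}

$orders = [
    'gate before headers' => [$maintenanceGate, $secureHeaders],
    'headers before gate' => [$secureHeaders, $maintenanceGate],
];

// Constructed sample requests: one normal, one while the gate is active.
foreach ($orders as $label => $stack) {
    foreach ([false, true] as $maintenance) {
        $res = run($stack, ['maintenance' => $maintenance]);
        printf("%-20s maintenance=%-5s status=%d headers=%s\n", $label,
            var_export($maintenance, true), $res['status'],
            implode(',', array_keys($res['headers'])) ?: '(none)');
    }
}
```

Checking response headers on maintenance and error responses, not only on normal pages, is what exposes a gap of this kind.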