Theme

Unused Global Middleware Analyzer

Analyzer IDCategorySeverityTime To Fix
unused-global-middleware⚡ PerformanceLow10 minutes

What This Checks

Detects global middleware that runs on every request but provides no benefit due to missing configuration.

Specifically checks for:

MiddlewareFlagged whenLaravel versions
TrustProxiesNo proxies configured (property empty, no trustedproxy.proxies config)9–10
TrustHostsRegistered without TrustProxies (useless without it)9–10
HandleCorsNo paths configured in config/cors.php9–12

Laravel 11+

TrustProxies and TrustHosts are framework-level defaults in Laravel 11+ and are not flagged. Only HandleCors is checked.

Why It Matters

  • Performance: Unnecessary middleware adds latency to every request
  • Efficiency: Dead code wastes CPU cycles on every single HTTP request
  • Maintenance: Clutters the middleware stack with components that do nothing

How to Fix

HandleCors — configure paths or disable

The most common fix is to configure CORS properly rather than remove the middleware.

php
// config/cors.php
return [
    'paths' => ['api/*', 'sanctum/csrf-cookie'],
    // ...
];
php
// bootstrap/app.php
->withMiddleware(function (Middleware $middleware): void {
    $middleware->remove(\Illuminate\Http\Middleware\HandleCors::class);
})
php
// app/Http/Kernel.php
protected $middleware = [
    // Comment out or remove:
    // \Fruitcake\Cors\HandleCors::class,
];

TrustProxies — configure or remove (Laravel 9–10 only)

php
// app/Http/Middleware/TrustProxies.php
protected $proxies = '*'; // or specific IPs: ['192.168.1.1']
php
// app/Http/Kernel.php
protected $middleware = [
    // Comment out or remove:
    // \App\Http\Middleware\TrustProxies::class,
];

TrustHosts — add TrustProxies or remove (Laravel 9–10 only)

TrustHosts only works when TrustProxies is also registered and configured. Either configure TrustProxies alongside it, or remove both if you are not behind a proxy.

References

Copyright © 2026 ShieldCI