Laravel - how to disable web middleware group for some routes in web.php without editing kernel or any other files?
Stefan Bogdanescu
Founder & Senior Architect · 2026-06-29
Laravel: Disabling Web Middleware for Specific Routes in web.php Without Editing Kernel
As a senior developer working within restricted environments, especially those secured by Source Guardian, you often encounter situations where you need to customize routing and middleware application without having access to core configuration files like app/Http/Kernel.php. The challenge you face—adding routes defined in routes/web.php to an API group while bypassing the standard web middleware stack—is a common architectural hurdle.
This post explores how to achieve this goal within the constraints of modifying only web.php, focusing on practical, route-level control methods that adhere to Laravel best practices.
Understanding the Middleware Limitation
In a standard Laravel application, middleware groups (like web or api) are defined centrally in the app/Http/Kernel.php file. This central definition dictates which middleware (e.g., session handling, CSRF protection, encryption) is automatically applied to all routes within that group. Modifying these files directly is generally discouraged because it breaks encapsulation and makes future updates difficult.
However, since you are restricted to editing only routes/web.php, we must find a way to apply route-specific exceptions without altering the core kernel definitions. The solution lies in leveraging Laravel's ability to define middleware directly on individual routes or route groups within your route files.
The Solution: Route-Level Middleware Overrides
Since you cannot modify the global middleware groups, the most robust approach is to explicitly define the required middleware for each route or group directly inside routes/web.php. This allows you to selectively omit specific middleware components (like session handling or CSRF checks) for a subset of routes.
To achieve your goal of routing certain web-like endpoints through an API-style setup, you can define a custom middleware stack specifically for those routes.
Step-by-Step Implementation in web.php
Let's assume you want to define some routes that should behave like API routes (i.e., skip session/CSRF checks) but still live within the context of your web.php file.
You can use the middleware() method directly on the route definition:
<?php
use Illuminate\Support\Facades\Route;
/*
|--------------------------------------------------------------------------
| Web Routes
|--------------------------------------------------------------------------
|
| Here is where you define all of your web routes for your application.
|
*/
// Standard web routes (will use default web middleware)
Route::get('/', function () {
return view('welcome');
});
// --- Custom API-like Routes with Disabled Web Middleware ---
Route::middleware([])->group(function () {
// These routes will bypass the default 'web' middleware stack.
// You explicitly specify an empty array, effectively disabling all inherited web middleware.
Route::get('/api/public', function () {
return response()->json(['status' => 'public access']);
});
Route::post('/api/submit', function () {
// This route also skips session and CSRF checks.
return response()->json(['message' => 'Data submitted successfully via API bypass']);
});
});
// Other standard web routes follow...
Explanation of the Technique
- Direct Control: By using
Route::middleware([])->group(...), you are creating a local grouping mechanism within your route file. This group is explicitly configured to use an empty middleware stack, effectively disabling any inherited middleware from the mainwebgroup defined in the Kernel. - Isolation: This method isolates the behavior of these specific routes. They remain within the scope of
web.php, satisfying your constraint, but they are handled by a custom, lightweight application context instead of the full web stack. - Maintainability: While this bypasses the global configuration, it keeps the route definitions themselves clean and localized, which is a good practice when dealing with source-guarded files.
Architectural Considerations
When you need to handle distinct concerns (like traditional web views vs. API endpoints), a more advanced architectural approach involves creating separate route files entirely. While this is often the cleaner separation for large applications, if constraints force you to keep everything in web.php, applying specific middleware overrides as shown above is the most practical method.
Always remember that understanding where middleware is applied (via Kernel) versus how it is overridden (via Route definitions) is key to mastering Laravel's request lifecycle. For deeper dives into Laravel architecture and best practices, exploring resources from laravelcompany.com is highly recommended.
Conclusion
You successfully navigated the constraint of editing only routes/web.php. By utilizing the route-level middleware() definition, you can effectively create exceptions to the default web middleware group for specific routes, allowing you to treat them as API endpoints without needing access to the core kernel files. This demonstrates a practical way to manage routing constraints while respecting application security boundaries.