Laravel Cloud Network

​

Introduction

Laravel Cloud manages all aspects of networking in order to bring enterprise-grade speed, security, and scalability to any Laravel application. There are two main layers to the Cloud’s networking infrastructure: the Cloud Edge Network and the Cloud Compute Network.

​

Cloud Edge Network

Laravel Cloud has partnered with Cloudflare to offer every application globally distributed caching and network security at the edge.

Incoming HTTP requests are first routed to the nearest edge region (335 cities around the world), pass through DDoS mitigation and Web Application Firewall (WAF) security layers, and are either returned from the cache (if available) or passed on to the Cloud Compute Network to be routed to your aplication’s compute cluster.

​

Cache Control

An important function of the Cloud Edge Network is caching your application’s static assets. This has two key benefits: it reduces the number of requests that your application’s compute needs to handle and it decreases latency for your users.

Laravel Cloud optimizes your CDN cache through a two-step approach. First, Cloud uses a long cache lifespan to ensure your static assets are served at the edge as much as possible. Second, Cloud clears the CDN cache automatically on every deployment to ensure that no stale files accidentally remain in the cache. Combined, these two steps offer an efficient and safe approach to CDN caching.

By default, Laravel Cloud caches files with the following extensions:

7Z, APK, AVI, AVIF, BIN, BMP, BZ2, CLASS, CSS, CSV, DMG, DOC, DOCX, EJS, EOT, EPS, EXE, FLAC, GIF, GZ, ICO, ISO, JAR, JPEG, JPG, JS, MID, MIDI, MKV, MP3, MP4, OGG, OTF, PDF, PICT, PLS, PNG, PPT, PPTX, PS, RAR, SVG, SVGZ, SWF, TAR, TIF, TIFF, TTF, WEBM, WEBP, WOFF, WOFF2, XLS, XLSX, ZIP, ZST

When a Cache-Control directive or Expires header is not explicitly set, Laravel Cloud will use the HTTP status code to determine the cache duration.

All other status codes are not cached by default.

You are free to override the default cache rules by setting your own Cache-Control and Expires headers in your application code. Laravel Cloud will respect these headers and cache your assets according to the rules you set.

Certain headers set by your application can prevent Laravel Cloud from caching a response.

• The Set-Cookie header will prevent caching.
• The Authorization header will prevent caching (unless a must-revalidate, public, or s-maxage header is also present).

To reduce the risk of stale files being served from the cache, Laravel Cloud enables the “Purge edge cache on deploy” setting for your environment by default. You can disable this setting by clicking on the “Edge network” card from your environment’s canvas. From there, you can also manually purge the cache or even bypass the cache entirely.

​

Response Headers

Laravel Cloud allows you to easily configure a number of security headers that will be set on every response. You can modify the defaults by clicking on the “Edge network” card from your environment’s canvas and selecting the desired option. You can also override the default headers by setting them directly in your application code.

​

X-Frame-Options

By default, Laravel Cloud will set an X-Frame-Options: DENY header. This prevents certain types of attacks that can occur if an application is loaded from an iframe. If your application has a use case for allowing iframes, you can change the header value to SAMEORIGIN or you can unset it entirely by clicking “Edge network” from the environment’s canvas.

​

X-Content-Type-Options

By default, Laravel Cloud will set an X-Content-Type-Options: nosniff header. This prevents browsers from interpreting files as a different MIME type than what is specified in the Content-Type header. This is a security measure to prevent attacks based on MIME-type confusion. If your application has a use case for allowing browsers to interpret files as a different MIME type, you can unset the header entirely by clicking “Edge network” from the environment’s canvas and selecting “None”.

​

Strict-Transport-Security

HSTS is disabled by default but can be enabled with a simple toggle. When enabled, Laravel Cloud will set a Strict-Transport-Security header with a max-age of 31536000 seconds (1 year - customizable). This header is used to enforce secure (HTTPS) connections to the server.

You can also optionally enable the includeSubDomains and preload directives. The includeSubDomains directive applies the HSTS policy to all subdomains of your application, while the preload directive allows your domain to be included in browsers’ HSTS preload lists. This means that browsers will automatically enforce HTTPS for your domain and its subdomains, even before the first request is made. Make sure you understand the implications of these directives before enabling them, as it can be difficult to remove once set due to browser caching.

​

X-Robots-Tag

Since Laravel Cloud domains are often used for testing and staging purposes, a X-Robots-Tag: noindex, nofollow header is automatically set on all *.laravel.cloud domains so that they are not indexed by search engines. To remove this header, you should configure a custom domain for your application. The header will not be set for custom domains.

​

Cloud Compute Network

Requests that need to be processed by your application will be routed to the Compute Network in the AWS region assigned to your Laravel Cloud application.

The Cloud Compute Network is built for security and scale. Your applications run in private networks and are only made publicly accessible via the Cloud Edge Network. Compute clusters are distributed across multiple availability zones (AZs) to ensure regions remain stable and recover quickly from any interruptions in a single zone.

Compute Network traffic is also intelligently load balanced across all instances in your compute cluster as you horizontally scale up or down.