Introduction

Laravel Cloud manages all aspects of networking in order to bring enterprise-grade speed, security, and scalability to any Laravel application. There are two main layers to the Cloud’s networking infrastructure: the Cloud Edge Network and the Cloud Compute Network.

Cloud Edge Network

Laravel Cloud has partnered with Cloudflare to offer every application globally distributed caching and network security at the edge. Incoming HTTP requests are first routed to the nearest edge region (335 cities around the world), pass through DDoS mitigation and Web Application Firewall (WAF) security layers, and are either returned from the cache (if available) or passed on to the Cloud Compute Network to be routed to your application’s compute cluster.

Cache Control

An important function of the Cloud Edge Network is caching your application’s static assets. This has two key benefits: it reduces the number of requests that your application’s compute needs to handle and it decreases latency for your users. Laravel Cloud optimizes your CDN cache through a two-step approach. First, Cloud uses a long cache lifespan to ensure your static assets are served at the edge as much as possible. Second, Cloud clears the CDN cache automatically on every deployment to ensure that no stale files accidentally remain in the cache. Combined, these two steps offer an efficient and safe approach to CDN caching. By default, Laravel Cloud caches files with the following extensions: 7Z, APK, AVI, AVIF, BIN, BMP, BZ2, CLASS, CSS, CSV, DMG, DOC, DOCX, EJS, EOT, EPS, EXE, FLAC, GIF, GZ, ICO, ISO, JAR, JPEG, JPG, JS, MID, MIDI, MKV, MP3, MP4, OGG, OTF, PDF, PICT, PLS, PNG, PPT, PPTX, PS, RAR, SVG, SVGZ, SWF, TAR, TIF, TIFF, TTF, WEBM, WEBP, WOFF, WOFF2, XLS, XLSX, ZIP, ZST When a Cache-Control directive or Expires header is not explicitly set, Laravel Cloud will use the HTTP status code to determine the cache duration.
HTTP Status CodeDefault TTL
200, 206, 301120m
302, 30320m
404, 4103m
All other status codes are not cached by default. You are free to override the default cache rules by setting your own Cache-Control and Expires headers in your application code. Laravel Cloud will respect these headers and cache your assets according to the rules you set. Certain headers set by your application can prevent Laravel Cloud from caching a response.
  • The Set-Cookie header will prevent caching.
  • The Authorization header will prevent caching (unless a must-revalidate, public, or s-maxage header is also present).
To reduce the risk of stale files being served from the cache, Laravel Cloud enables the “Purge edge cache on deploy” setting for your environment by default. You can disable this setting by clicking on the “Edge network” card from your environment’s canvas. From there, you can also manually purge the cache or even bypass the cache entirely.
Bypassing the cache will result in all requests being sent to your application, which may increase latency and load on your compute cluster. This is not recommended unless you are debugging a specific issue.

Response Headers

Laravel Cloud allows you to easily configure a number of security headers that will be set on every response. You can modify the defaults by clicking on the “Edge network” card from your environment’s canvas and selecting the desired option. You can also override the default headers by setting them directly in your application code.

X-Frame-Options

By default, Laravel Cloud will set an X-Frame-Options: DENY header. This prevents certain types of attacks that can occur if an application is loaded from an iframe. If your application has a use case for allowing iframes, you can change the header value to SAMEORIGIN or you can unset it entirely by clicking “Edge network” from the environment’s canvas.

X-Content-Type-Options

By default, Laravel Cloud will set an X-Content-Type-Options: nosniff header. This prevents browsers from interpreting files as a different MIME type than what is specified in the Content-Type header. This is a security measure to prevent attacks based on MIME-type confusion. If your application has a use case for allowing browsers to interpret files as a different MIME type, you can unset the header entirely by clicking “Edge network” from the environment’s canvas and selecting “None”.
If you select the “None” option for the X-Content-Type-Options header, your application can override the default and set a nosniff value at the route level. However, the the opposite is not true: if you select the nosniff option, your application cannot unset the value.

Strict-Transport-Security

HSTS is disabled by default but can be enabled with a simple toggle. When enabled, Laravel Cloud will set a Strict-Transport-Security header with a max-age of 31536000 seconds (1 year - customizable). This header is used to enforce secure (HTTPS) connections to the server. You can also optionally enable the includeSubDomains and preload directives. The includeSubDomains directive applies the HSTS policy to all subdomains of your application, while the preload directive allows your domain to be included in browsers’ HSTS preload lists. This means that browsers will automatically enforce HTTPS for your domain and its subdomains, even before the first request is made. Make sure you understand the implications of these directives before enabling them, as it can be difficult to remove once set due to browser caching.

X-Robots-Tag

Since Laravel Cloud domains are often used for testing and staging purposes, a X-Robots-Tag: noindex, nofollow header is automatically set on all *.laravel.cloud domains so that they are not indexed by search engines. To remove this header, you should configure a custom domain for your application. The header will not be set for custom domains.

Cloud Compute Network

Requests that need to be processed by your application will be routed to the Compute Network in the AWS region assigned to your Laravel Cloud application. The Cloud Compute Network is built for security and scale. Your applications run in private networks and are only made publicly accessible via the Cloud Edge Network. Compute clusters are distributed across multiple availability zones (AZs) to ensure regions remain stable and recover quickly from any interruptions in a single zone. Compute Network traffic is also intelligently load balanced across all instances in your compute cluster as you horizontally scale up or down.

Web Application Firewall

The Web Application Firewall (WAF) provides advanced protection for your Laravel Cloud applications by filtering and monitoring HTTP traffic between your application and the Internet.

Under Attack Mode

If your application is experiencing a large-scale attack or suspicious traffic spikes, you can enable “Under Attack Mode” in the Edge network settings for your environment. When activated:
  • All incoming traffic to your environment is filtered through additional Cloudflare security checks designed to mitigate layer 7 DDoS attacks.
  • Visitors will see an interstitial “Checking your browser before accessing…” page and must pass a JavaScript challenge, which typically takes no more than 5 seconds.
  • Validated users are allowed through, while suspicious or automated traffic is blocked.
  • Under Attack Mode is intended as a last resort during active threats and may temporarily pause access to your site and impact your site analytics.
  • This mode will automatically expire after 24 hours to ensure normal access is restored.
  • Browsers must support JavaScript to pass the challenge; some third-party analytics tools may be affected.
Enabling Under Attack Mode may temporarily impact the user experience for legitimate visitors due to the additional security checks. Use this mode only when necessary.