README

LaravelResponseEncryption is a Laravel package that automatically encrypts all API responses using Laravel's built-in encryption system. It's perfect when you want to ensure sensitive data is securely transferred between your backend and frontend — with optional client-side decryption.

Features

• 🔒 Encrypts all JSON API responses automatically
• 🛠 Easily exclude specific routes from encryption
• ⚡ Lightweight and fast (middleware-based)
• 🔄 Optional frontend decryption helper
• ⚙️ Fully configurable (enabled, content types, exceptions)
• 🛡️ Built on Laravel’s native Crypt system (AES-256-CBC)

Installation

Install the package via Composer:

composer require usman-ahmed/laravel-response-encryption

Then publish the config file:

php artisan vendor:publish --provider="UsmanAhmed\LaravelResponseEncryption\ResponseEncryptionServiceProvider" --tag=response-encryption-config --force

Service Provider (Optional Manual Registration)

register the service provider manually in your:

'providers' => [
    // Other Service Providers

    \UsmanAhmed\LaravelResponseEncryption\ResponseEncryptionServiceProvider::class,
],

How It Works

Once the package is installed and enabled, it will automatically encrypt all responses (e.g., from APIs) that have application/json as their content type.

The encryption uses Laravel's Crypt::encrypt() behind the scenes.

Excluding Routes from Encryption

You can exclude specific routes from being encrypted using one of the following methods:

1. Use withoutMiddleware in Route Definition

use \UsmanAhmed\LaravelResponseEncryption\Http\Middleware\EncryptResponses;

Route::get('/api/unencrypted', function () {
    return response()->json(['status' => 'ok']);
})->withoutMiddleware([EncryptResponses::class]);

2. Define Exclusions in Config File

Open config/response-encryption.php and add the paths you want to exclude:

'except' => [
    'api/v1/public/*',
    'health',
    'ping',
    'countries/list',

    ...(env('APP_ENV') === 'local' ? ['_debugbar/*'] : []),
],

3. Exclude Routes Programmatically in AppServiceProvider

use UsmanAhmed\LaravelResponseEncryption\Facades\ResponseEncryption;

public function boot()
{
    ResponseEncryption::excludeRoutes([
        'api/legacy/v' . config('app.api_version'),
    ]);
}

Optional: Client-Side Decryption

The encrypted response is a base64-encoded encrypted string. You can decrypt it on the frontend using the same key and cipher as Laravel (AES-256-CBC).

⚠️ Note: You are responsible for managing and protecting the encryption key on the client side.

Config Options (config/response-encryption.php)

return [

    'enabled' => env('RESPONSE_ENCRYPTION_ENABLED', true),

    'content_types' => [
        'application/json',
    ],

    'except' => [
        'api/v1/public/*',
        'health',
        'ping',
        'countries/list',
    ],
];

You can also disable the whole package by setting in .env:

RESPONSE_ENCRYPTION_ENABLED=false

License

MIT License

Author

UsmanAhmed
GitHub: https://github.com/USmanFathy

Contributing

Pull requests are welcome. Please follow Laravel’s coding standards.