This package is abandoned and no longer maintained. The author suggests using the laravel/framework package instead.

A middleware to protect your work in progress from prying eyes

2.7.3 2023-01-19 17:16 UTC

This package is auto-updated.

Last update: 2024-03-08 15:09:27 UTC



Imagine you are working on a new app. Your client wants to see the progress that you've made. However, your site isn't ready for prime time yet. Sure, you could create some login functionality and display the site only to logged-in users. But why bother creating users when there is a more pragmatic approach?

This package provides a route middleware to protect routes from prying eyes. All users that visit a protected route will be redirected to a configurable url (e.g. /under-construction). This is also the case when a user attempts to access an unknown route. To view the content of the routes, a visitor must first visit a url that grants access (e.g. /demo).

A word to the wise: do not use this package to restrict access to sensitive data or to protect an admin section. For those cases you should use proper authentication.

Spatie is a webdesign agency based in Antwerp, Belgium. You'll find an overview of all our open source projects on our website.


If you're on Laravel 8 or higher, use Laravel's built-in php artisan down command to activate demo mode. You don't need this package for that.

Support us


We invest a lot of resources into creating best in class open source packages. You can support us by buying one of our paid products.

We highly appreciate you sending us a postcard from your hometown, mentioning which of our package(s) you are using. You'll find our address on our contact page. We publish all received postcards on our virtual postcard wall.


You can install the package via composer:

composer require spatie/laravel-demo-mode

The Spatie\DemoMode\DemoModeServiceProvider::class service provider will be auto registered.

The \Spatie\DemoMode\DemoMode::class-middleware must be registered in the kernel:


// app/Http/Kernel.php
protected $routeMiddleware = [
  'demoMode' => \Spatie\DemoMode\DemoMode::class,
];

Naming the route middleware demoMode is just a suggestion. You can give it any name you'd like.

You must publish the config file:

php artisan vendor:publish --provider="Spatie\DemoMode\DemoModeServiceProvider"

This is the content of the published config file demo-mode.php:

return [

    /*
     * This is the master switch to enable demo mode.
     */
    'enabled' => env('DEMO_MODE_ENABLED', true),

    /*
     * Visitors browsing a protected url will be redirected to this path.
     */
    'redirect_unauthorized_users_to_url' => '/under-construction',

    /*
     * After having gained access, visitors will be redirected to this path.
     */
    'redirect_authorized_users_to_url' => '/',

    /*
     * The following IP's will automatically gain access to the
     * app without having to visit the `demoAccess` route.
     */
    'authorized_ips' => [
    ],

    /*
     * When strict mode is enabled, only IP's listed in `authorized_ips` will gain access.
     * Visitors won't be able to gain access by visiting the `demoAccess` route anymore.
     */
    'strict_mode' => false,
];

If you want to use the demoAccess route you must call the demoAccess route macro in your routes file.


Visiting /demo will grant access to the pages protected by demo mode. Of course you can choose any url you'd like.

If you want to automatically authorize certain IP addresses you can add them in the authorized_ips array in the demo-mode.php config file.

To disable the demoAccess route and only allow access to the authorized_ips you can enable strict_mode in the demo-mode.php config file.


You can protect some routes by using the demoMode-middleware on them.

// Only users who have previously visited "/demo" will be able to see these pages.

Route::group(['middleware' => 'demoMode'], function () {
    Route::get('/secret-route', function() {
        echo 'Hi!';
    });
});

Unless you have first visited the url used by the demoAccess route macro, or you are visiting from an authorized IP address, visiting these routes will result in a redirect to the url specified in the redirect_unauthorized_users_to_url key of the config file.

An authenticated user has access to all protected routes too.

Because the package uses the session to verify the user, both the demoAccess route and the protected routes must have the web middleware, or at least the \Illuminate\Session\Middleware\StartSession middleware. Without it, the package cannot authorize a user who is neither authenticated nor visiting from an authorized IP.
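The access rules described above can be pinned down with a feature test, so that a protected route left outside the middleware group or a changed config value is caught before a deploy. This is an added example, not code from the package; it assumes a standard Laravel Tests\TestCase, the /demo and /secret-route routes from this README registered under the web middleware group, the default redirect paths from the published config, and that the package reads its config at request time.

```php
<?php

namespace Tests\Feature;

use Tests\TestCase;

// Added example, not shipped with the package. Assumes the README's routes:
// the demoAccess route at /demo and /secret-route behind `demoMode`.
class DemoModeGateTest extends TestCase
{
    protected function setUp(): void
    {
        parent::setUp();

        // Start every test from a known gate configuration.
        config([
            'demo-mode.enabled' => true,
            'demo-mode.strict_mode' => false,
            'demo-mode.authorized_ips' => [],
        ]);
    }

    public function test_anonymous_visitor_is_redirected(): void
    {
        $this->get('/secret-route')->assertRedirect('/under-construction');
    }

    public function test_visiting_the_access_url_unlocks_protected_routes(): void
    {
        $this->get('/demo')->assertRedirect('/');
        $this->get('/secret-route')->assertOk();
    }

    public function test_authorized_ip_skips_the_access_url(): void
    {
        // 203.0.113.10 is a constructed documentation address (RFC 5737).
        config(['demo-mode.authorized_ips' => ['203.0.113.10']]);

        $this->withServerVariables(['REMOTE_ADDR' => '203.0.113.10'])
            ->get('/secret-route')->assertOk();
    }

    public function test_strict_mode_ignores_the_access_url(): void
    {
        config(['demo-mode.strict_mode' => true]);
        $this->get('/demo');
        $this->get('/secret-route')->assertRedirect('/under-construction');
    }
}
```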


Please see CHANGELOG for more information on what has changed recently.


composer test


Please see CONTRIBUTING for details.


If you've found a bug regarding security please mail instead of using the issue tracker.



The MIT License (MIT). Please see License File for more information.