spatie · sebastiandedeyne · Apr 4, 2025 · Mar 26, 2025 · Mar 26, 2025
diff --git a/src/AddCspHeaders.php b/src/AddCspHeaders.php
@@ -4,6 +4,7 @@
 
 use Closure;
 use Illuminate\Http\Request;
+use Illuminate\Support\Facades\Vite;
 use Symfony\Component\HttpFoundation\Response;
 
 class AddCspHeaders
@@ -19,8 +20,8 @@ public function handle(
             return $response;
         }
 
-        // Skip CSP middleware when Laravel is rendering an exception
-        if (config('app.debug') && $response->isServerError()) {
+        // Skip CSP middleware when Laravel is rendering an exception or Vite is hot reloading
+        if (config('app.debug') && ($response->isServerError() || Vite::isRunningHot())) {
             return $response;
         }
 

diff --git a/tests/AddCspHeadersTest.php b/tests/AddCspHeadersTest.php
@@ -1,7 +1,9 @@
 <?php
 
 use Illuminate\Contracts\Http\Kernel;
+use Illuminate\Foundation\Vite;
 use Illuminate\Support\Facades\Route;
+use Mockery\MockInterface;
 use function PHPUnit\Framework\assertEquals;
 use function PHPUnit\Framework\assertFalse;
 use function PHPUnit\Framework\assertNull;
@@ -331,6 +333,22 @@ public function configure(Policy $policy): void
     assertFalse($headers->has('content-security-policy'));
 });
 
+test('route middleware is skipped when vite is hot reloading', function (): void {
+    config(['app.debug' => true]);
+
+    $this->mock(Vite::class, function (MockInterface $mock): void {
+        $mock->shouldReceive('isRunningHot')->andReturn(true);
+    });
+
+    Route::get('other-route', function () {
+        return 'ok';
+    })->middleware(AddCspHeaders::class.':'.Basic::class);
+
+    $headers = getResponseHeaders('other-route');
+
+    assertFalse($headers->has('content-security-policy'));
+});
+
 it('will handle scheme values', function (): void {
     $policy = new class implements Preset {
         public function configure(Policy $policy): void