Fact: I have middleware performing authentication (in this case, my CAS authentication middleware) Need: This middleware should apply to client-facing SPA-rendered views, which are requested via GET. Constraint: This middleware does NOT apply to non-get routes (which are headless so the authentication must be handled differently) Constraint: There exist headless GET routes, too, which should not be CAS authenticated Constraint: Individual routes may have a CAS-authenticated GET response, as well as non-CAS POST, PATCH, and DELETE responses Reitit allowed me to specify middleware on a delightfully granular level to solve this.