<?php
namespace App\Http\Middleware;
use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\App;
use Symfony\Component\HttpFoundation\Response;
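class VerifyTokenOrigin
{
    /**
     * Reject requests whose User-Agent looks like a non-browser API client
     * while debug mode is off; otherwise hand the request to the next handler.
     *
     * The User-Agent header is supplied by the client and can be set to any
     * value, so this is a convenience filter rather than an authentication or
     * authorization control; it complements token validation, it does not
     * replace it.
     *
     * @param Request $request the incoming HTTP request
     * @param Closure $next    the next middleware/handler in the pipeline
     * @return Response a 403 JSON response when the request is blocked,
     *                  otherwise whatever $next returns
     */
    public function handle(Request $request, Closure $next): Response
    {
        // header() yields null when the header is absent, and strtolower(null)
        // is deprecated since PHP 8.1 — normalise to '' before lowercasing.
        $requestAgent = strtolower($request->header('User-Agent') ?? '');

        // Keyed on debug mode being disabled: the usual production setting
        // (APP_DEBUG=false), but not the same thing as APP_ENV=production.
        if (! App::hasDebugModeEnabled()) {
            $blockedClients = ['postman', 'curl', 'insomnia'];
            foreach ($blockedClients as $client) {
                if (str_contains($requestAgent, $client)) {
                    return response()->json(['message' => 'API clients are not allowed in production.'], 403);
                }
            }

            // Only allow browser-like agents; an absent User-Agent (now '')
            // fails this check too and receives the same 403.
            if (! str_contains($requestAgent, 'mozilla') && ! str_contains($requestAgent, 'chrome')) {
                return response()->json(['message' => 'Requests must come from a browser in production.'], 403);
            }
        }

        return $next($request);
    }
}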