header('User-Agent')); // Only enforce this block in production if (! App::hasDebugModeEnabled()) { $blockedClients = ['postman', 'curl', 'insomnia']; foreach ($blockedClients as $client) { if (str_contains($requestAgent, $client)) { return response()->json(['message' => 'API clients are not allowed in production.'], 403); } } // Optional: Only allow browsers if (! str_contains($requestAgent, 'mozilla') && ! str_contains($requestAgent, 'chrome')) { return response()->json(['message' => 'Requests must come from a browser in production.'], 403); } } return $next($request); } }