ip(), $allowedIps, true)) { abort(403, 'IP not allowed.'); } $timestamp = (int) $request->header('X-Whmcs-Timestamp', 0); $signature = (string) $request->header('X-Whmcs-Signature', ''); $window = (int) config('hosting.whmcs.replay_window_seconds', 300); if ($timestamp === 0 || $signature === '') { abort(401, 'Missing WHMCS signature headers.'); } if (abs(time() - $timestamp) > $window) { abort(401, 'Request timestamp expired.'); } $payload = $timestamp.'.'.$request->getContent(); $expected = hash_hmac('sha256', $payload, $secret); if (! hash_equals($expected, $signature)) { abort(401, 'Invalid WHMCS signature.'); } return $next($request); } }