diff --git a/modules/ppcp-wc-gateway/resources/js/gateway-settings.js b/modules/ppcp-wc-gateway/resources/js/gateway-settings.js
index 584ea5e5d..7d8132cfa 100644
--- a/modules/ppcp-wc-gateway/resources/js/gateway-settings.js
+++ b/modules/ppcp-wc-gateway/resources/js/gateway-settings.js
@@ -354,9 +354,8 @@ document.addEventListener(
 });
 }
-
- (() => {
- const props = PayPalCommerceGatewaySettings.ajax.refresh_feature_status;
+ // Logic to handle the "Check available features" button.
+ ((props) => {
 const $btn = jQuery(props.button);
 $btn.click(async () => {
@@ -388,7 +387,7 @@ document.addEventListener(
 }
 });
- })();
+ })(PayPalCommerceGatewaySettings.ajax.refresh_feature_status);
 }
 );
diff --git a/modules/ppcp-wc-gateway/src/Endpoint/RefreshFeatureStatusEndpoint.php b/modules/ppcp-wc-gateway/src/Endpoint/RefreshFeatureStatusEndpoint.php
index 8aa49946c..32b751634 100644
--- a/modules/ppcp-wc-gateway/src/Endpoint/RefreshFeatureStatusEndpoint.php
+++ b/modules/ppcp-wc-gateway/src/Endpoint/RefreshFeatureStatusEndpoint.php
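Review bot: The click handler body that builds the request lies between the two hunks and is not visible here, yet the PHP endpoint changed in the same commit now rejects any call whose JSON body lacks a valid `nonce` key; please confirm the handler sends the nonce value from `props` (presumably exposed by the localized settings alongside `props.button`) in the JSON body, otherwise every click will land on the new "Expired request." branch. The new comment on `((props) => {` would be more useful if it named what `props` is, e.g. `// "Check available features" button: props is PayPalCommerceGatewaySettings.ajax.refresh_feature_status (button selector, endpoint, nonce).`, with the field list adjusted to what the settings object really carries. The enclosing `document.addEventListener(` callback starts and ends outside both hunks.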
@@ -78,19 +78,38 @@ class RefreshFeatureStatusEndpoint {
 $last_request_time = $this->cache->get( self::CACHE_KEY ) ?: 0;
 $seconds_missing = $last_request_time + self::TIMEOUT - $now;
- if ( $seconds_missing > 0 ) {
- $response = array(
- 'message' => sprintf(
- // translators: %1$s is the number of seconds remaining.
- __( 'Wait %1$s seconds before trying again.', 'woocommerce-paypal-payments' ),
- $seconds_missing
- ),
+ if ( ! $this->verify_nonce() ) {
+ wp_send_json_error(
+ array(
+ 'message' => __( 'Expired request.', 'woocommerce-paypal-payments' ),
+ )
+ );
+ }
+
+ if ( $seconds_missing > 0 ) {
+ wp_send_json_error(
+ array(
+ 'message' => sprintf(
+ // translators: %1$s is the number of seconds remaining.
+ __( 'Wait %1$s seconds before trying again.', 'woocommerce-paypal-payments' ),
+ $seconds_missing
+ ),
+ )
 );
- wp_send_json_error( $response );
 }
 $this->cache->set( self::CACHE_KEY, $now, self::TIMEOUT );
 do_action( 'woocommerce_paypal_payments_clear_apm_product_status', $this->settings );
 wp_send_json_success();
 }
+
+ /**
+ * Verifies the nonce.
+ *
+ * @return bool
+ */
+ private function verify_nonce(): bool {
+ $json = json_decode( file_get_contents( 'php://input' ), true );
+ return wp_verify_nonce( $json['nonce'] ?? null, self::nonce() ) !== false;
+ }
 }
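Review bot: A passing `verify_nonce()` only shows the request originated from a page that rendered this nonce; it does not establish that the caller may clear the feature-status cache and fire `woocommerce_paypal_payments_clear_apm_product_status`, so unless the code that routes to this handler (outside the hunk) already gates on a capability, a check should sit beside the nonce check, e.g. `if ( ! current_user_can( 'manage_woocommerce' ) ) { wp_send_json_error( array( 'message' => __( 'Not allowed.', 'woocommerce-paypal-payments' ) ) ); }`. The docblock on `verify_nonce()` should say where the value comes from, e.g. `* Verifies the nonce read from the "nonce" key of the JSON request body; an empty, non-JSON or nonce-less body fails the check.`, since the `?? null` fallback makes those cases silently map to a failed verification. Because `wp_verify_nonce()` also returns false for an absent nonce, the 'Expired request.' text is misleading for a request that never carried one; a wording like 'Invalid or expired request.' would describe both outcomes. The handler method this hunk edits begins above the first context line.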