Even if the app only modifies data in response to a POST, it is still very trivial for a site
The hidden magic numbers in form submissions are one approach to solving this I never thought
I've just relied on the HTTP referer header: sans a bug in the user's browser, sites and
scripts cannot forge this header. Someone could trivially write their own utility or program
which performs HTTP requests with a forged referer (curl and wget both support setting this to
arbitrary values), but then they wouldn't have the proper authentication cookie.
Not the most robust solution nor all that ideal in theory, but it's Good Enough(tm) in
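The two defences the comment compares, put side by side as an added example (this is not the commenter's code and uses no web framework): a per-session hidden token validated with an HMAC comparison, and an Origin/Referer check against the site's own origin. The session store, the `https://app.example` origin and the request scenarios are all constructed here for illustration. The last scenario shows the weakness the comment concedes: a referer-only check rejects a legitimate user whose browser or proxy strips the header, while the token check still passes.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Hypothetical site origin; a real deployment would take this from configuration.
SITE_ORIGIN = "https://app.example"


def new_session():
    """Create a server-side session with its own random CSRF secret."""
    return {"id": secrets.token_hex(16), "csrf_secret": secrets.token_bytes(32)}


def csrf_token(session):
    """Hidden form value: an HMAC over the session id keyed with the session's secret.
    Only the server can derive it, and it is bound to this session."""
    return hmac.new(session["csrf_secret"], session["id"].encode(),
                    hashlib.sha256).hexdigest()


def token_valid(session, submitted):
    """Constant-time comparison so a forged token cannot be guessed byte by byte."""
    if not submitted:
        return False
    return hmac.compare_digest(csrf_token(session).encode(), submitted.encode())


def referer_allowed(headers):
    """Accept the request only if Origin (preferred) or Referer names our own origin.
    A request carrying neither header is rejected, which is the strict policy."""
    for name in ("Origin", "Referer"):
        value = headers.get(name)
        if value:
            parts = urlsplit(value)
            return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN
    return False


def check_post(sessions, cookies, headers, form):
    """Apply cookie, token and referer checks to one POST; return (allowed, reason)."""
    session = sessions.get(cookies.get("session"))
    if session is None:
        return (False, "no valid session cookie")
    if not token_valid(session, form.get("csrf_token")):
        return (False, "csrf token missing or wrong")
    if not referer_allowed(headers):
        return (False, "origin/referer mismatch")
    return (True, "ok")


def run_scenarios():
    """Constructed requests covering the cases discussed in the thread."""
    sessions = {}
    victim = new_session()
    sessions[victim["id"]] = victim
    cookie = {"session": victim["id"]}
    good_ref = {"Referer": f"{SITE_ORIGIN}/settings"}
    token = csrf_token(victim)

    return {
        # Normal form post from our own page: cookie, token and referer all present.
        "legitimate_form_post":
            check_post(sessions, cookie, good_ref, {"csrf_token": token}),
        # Cross-site auto-submitting form: the browser attaches the cookie,
        # but the attacker's page cannot read the token and the referer is foreign.
        "cross_site_form_in_victim_browser":
            check_post(sessions, cookie, {"Referer": "https://evil.example/page"}, {}),
        # Same-origin referer but a made-up token value.
        "token_guessed":
            check_post(sessions, cookie, good_ref, {"csrf_token": "0" * 64}),
        # curl/wget with a forged Referer but no authentication cookie.
        "curl_with_forged_referer_no_cookie":
            check_post(sessions, {}, good_ref, {"csrf_token": token}),
        # Real user whose browser or proxy strips Referer: the token is fine,
        # but a strict referer check turns them away.
        "referer_stripped_but_token_valid":
            check_post(sessions, cookie, {}, {"csrf_token": token}),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

The order of checks matters for the failure reason a log will show: the token is validated before the referer here, so the final scenario is the only one where the referer policy alone is what blocks the request.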