Controller

Protect your AJAX controller action from malicious calls

If you are working with AJAX calls, you should at least verify where the calls are coming from.

if (strpos(Mage::helper('core/http')->getHttpReferer(), Mage::getBaseUrl()) === false)
{
    exit();
}

if (strpos(Mage::helper('core/http')->getHttpReferer(), Mage::getBaseUrl()) === false)

{

exit();

}

Please find the complete code on Gist.