I'm making an AJAX call from example.com/js/script.js to example.com/inc/ajax.php and need to deny direct access to the PHP file if a user tries accessing it directly via their browser.
The accepted answer here suggests checking an HTTP header. The problem with that approach is headers can be easily spoofed.
How can I check if an AJAX-called PHP file has been accessed directly and provide a 403 Forbidden response?