diff --git a/common.php b/common.php
index b0a27f4c0..9be250830 100644
--- a/common.php
+++ b/common.php
@@ -198,6 +198,11 @@ switch ($bb_cfg['datastore_type']) {
         $datastore = new TorrentPier\Legacy\Datastore\File($bb_cfg['cache']['db_dir'] . 'datastore/', $bb_cfg['cache']['prefix']);
 }
 
+function is_ajax(): bool
+{
+    return (!empty($_SERVER['HTTP_X_REQUESTED_WITH']) && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) == 'xmlhttprequest');
+}
+
 function sql_dbg_enabled()
 {
     return (SQL_DEBUG && DBG_USER && !empty($_COOKIE['sql_log']));
diff --git a/library/includes/init_bb.php b/library/includes/init_bb.php
index dfe2f88e5..825ae4da0 100644
--- a/library/includes/init_bb.php
+++ b/library/includes/init_bb.php
@@ -147,6 +147,7 @@ define('SEARCH_TYPE_TRACKER', 1);
 // Ajax error codes
 define('E_AJAX_GENERAL_ERROR', 1000);
 define('E_AJAX_NEED_LOGIN', 1001);
+define('E_AJAX_NOT_REQUEST', 1002);
 
 // Private messaging
 define('PRIVMSGS_READ_MAIL', 0);
diff --git a/src/Legacy/Ajax.php b/src/Legacy/Ajax.php
index fbae127cd..f779a72da 100644
--- a/src/Legacy/Ajax.php
+++ b/src/Legacy/Ajax.php
@@ -74,6 +74,10 @@ class Ajax
         // Action params
         $action_params = null;
 
+        if (!is_ajax()) {
+            $this->ajax_die('Not AJAX request', E_AJAX_NOT_REQUEST);
+        }
+
         if (!$action || !\is_string($action)) {
             $this->ajax_die('no action specified');
         } elseif (!$action_params =& $this->valid_actions[$action]) {
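Review bot: The new `is_ajax()` in common.php compares with loose `==` and carries no docblock saying what the header actually proves; `X-Requested-With` is set by the client, so the function only tells navigation/simple-form submissions apart from script-initiated requests, and it does that only because browsers will not attach a custom header cross-origin without a CORS preflight. I would tighten the comparison to `strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) === 'xmlhttprequest'` and add a docblock along the lines of `/** True when the request carries X-Requested-With: XMLHttpRequest. The header is client-supplied: it distinguishes XHR from plain navigation, it is not an authentication or authorization check. */`. Note as well that `fetch()` callers do not send this header unless the front-end adds it explicitly, so any scripts using `fetch` against the ajax endpoint will be rejected once the Ajax.php guard lands — worth confirming against the JS side.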
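Review bot: The added `if (!is_ajax())` guard in Ajax.php rejects direct browser navigation and simple cross-site form posts to the ajax endpoint, but it should not be read as replacing any per-action token or session check the class performs later, since the only thing it verifies is a client-chosen header (and a permissive CORS configuration would let a cross-origin page set it). A one-line comment above the check, such as `// Reject non-XHR callers early; this is a request-shape check, not an auth check`, would stop a later reader from treating it as the CSRF defense. The guard also depends on `is_ajax()` from common.php being loaded before this method runs, which the hunk does not show; the enclosing method starts before the hunk, so the order of loading could not be confirmed here.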