I just updated the script with a security check to make sure that the HTTP_REFERER matches the SERVER_NAME. It’s not bullet-proof, but hopefully it will add a little layer of security through obscurity. It does make it a little tougher to debug if you aren’t using something that automagically sends the HTTP_REFERER.
I’ll keep thinking about it to see if I can’t come up with a better solution.
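An added example, not the author's script (which the post does not show): one way to write the described check in Python against a CGI/WSGI-style environment dict, comparing the Referer's parsed host to SERVER_NAME exactly instead of by substring. The function names, hosts and sample requests are constructed for illustration.

```python
from urllib.parse import urlsplit

def naive_check(environ):
    """Substring test: passes whenever SERVER_NAME appears anywhere in the header."""
    server = environ.get("SERVER_NAME", "")
    return bool(server) and server in environ.get("HTTP_REFERER", "")

def strict_check(environ):
    """Accept only when the Referer's parsed host equals SERVER_NAME exactly."""
    server = environ.get("SERVER_NAME", "").strip().lower().rstrip(".")
    referer = environ.get("HTTP_REFERER", "")
    if not server or not referer:
        return False  # header absent: direct request, proxy or privacy setting
    try:
        parts = urlsplit(referer)
        host = parts.hostname  # lowercased; userinfo and port already removed
    except ValueError:
        return False  # malformed URL
    if parts.scheme not in ("http", "https") or not host:
        return False
    return host.rstrip(".") == server

# Constructed sample requests (hypothetical hosts), not taken from the post.
SERVER = "www.example.com"
SAMPLES = {
    "same site": "https://www.example.com/form.html",
    "same site, port and case": "http://WWW.Example.com:8080/form.html",
    "name as prefix of other host": "http://www.example.com.other.test/form.html",
    "name in query string": "http://other.test/?from=www.example.com",
    "name in userinfo": "http://www.example.com@other.test/",
    "header missing": None,
}

def evaluate():
    """Return {label: (naive_result, strict_result)} for every sample."""
    results = {}
    for label, referer in SAMPLES.items():
        environ = {"SERVER_NAME": SERVER}
        if referer is not None:
            environ["HTTP_REFERER"] = referer
        results[label] = (naive_check(environ), strict_check(environ))
    return results

if __name__ == "__main__":
    for label, (naive, strict) in evaluate().items():
        print(f"{label:30} naive={naive!s:5} strict={strict}")
```

The Referer header is supplied by the client, so even the strict comparison only filters ordinary browser traffic, which is consistent with the post's "not bullet-proof".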