I don't think it's just a matter of authorization. I think you would have to use something like anti-forgery tokens to prevent automated scripting of http requests.