Note: this is not secure. The HTTP header used by an authorized person could be sniffed and spoofed, and any security enforced by client-side javascript can be trivially bypassed or defeated by viewing and modifying the code.