Is there a reliable way to check that incoming ajax calls that map to action methods in a ASP.NET MVC controller are made only by the web application itself?
Use AntiforgeryToken to validate AJAX call from web application itself, you can also use attribute to achive functionality.
Please Refer : https://stackoverflow.com/a/38893962/6606630