diff --git a/include/ajax.forms.php b/include/ajax.forms.php
index 41506c872f076bcc66d8582e1ef38bb4a462e4c0..9ca601e33020d9c0f3ea1e669bbc4d405217df5e 100644
--- a/include/ajax.forms.php
+++ b/include/ajax.forms.php
@@ -15,6 +15,9 @@ class DynamicFormsAjaxAPI extends AjaxController {
     }
 
     function getFormsForHelpTopic($topic_id, $client=false) {
+        if (!$_SERVER['HTTP_REFERER'])
+            Http::response(403, 'Forbidden.');
+
         if (!($topic = Topic::lookup($topic_id)))
             Http::response(404, 'No such help topic');