[eluser]Georgi Budinov[/eluser]
If you still need that check , the environment variable is set only if you use some javascript library - jquery, prototype, yui.
If you use you your own javascript utility for xhttprequests, you should be able to set the headers.
UPDATE: As I think a little more on your idea ... you can set addition xhttprequest parameter that you are the only one you know and check for it in the php controller. This makes it even a little harder for the user to make such manipulations by hand