further reading: 'Would it be more secure if API endpoints for Collections would wrap the JSON serialized Arrays inside an Object literal?'

https://github.com/documentcloud/backbone/issues/201

ultimately you should use tokens to verify the request was not forged.