Some sites use a "crumb" which is a short string of characters that the server can only send. When the client sends any data back to the server, it appends this crumb. The crumb only works for a few minutes (basically the life of that session) and then becomes invalid. Hackers cannot break this as easily because they wont know at any given time which crumb is valid and cannot generate them client side. What this would mean is that while a dedicated hacker might be able to spoof your ajax for a few mins given the current crumb, this door closes quickly and prevents them from doing it "whenever".
browser asks for game
server sends game and a crumb
browser saves crumb
browser wants to write some data back to the server
browser sends crumb along with request.
server validates the crumb and accepts the request -or- server invalidates the request because of a bad crumb