Any way to validate in PHP if a page load is from inside webplayer, or a browser?
Other than User Agent.
Trying to lock down backend access to prevent scripting tools being written to intercept game data.
I don’t think it will be possible. The web player uses the browser for all requests, so I would expect you would see the browser as the UA in all cases.