Set a password so that access is only possible if a POST request is made with a password.

How to disable user access to ajax?

A few ideas, as they get more complex:

1. Leave this thing. Everything that is somehow transmitted to the browser can be received bypassing the developer's intent.
   
2. Go to HTTP POST request. With a GET request of the same URL (opened directly in the browser /chat.php- return a stub, or, better, a redirect to the main.
   
3. When accessed from JS, add an HTTP header. To chat.phpcheck for its presence.
   
4. When loading a page, create-transmit a unique session identifier from the server. Use it in the header of ajax requests and check inchat.php
   
5. Switch to WebSocket: after all, the chat should be in real time)