Is this a necessary precaution?

Yes, this is the reason for captchas and user-logins. You should be
actively thinking about how people can attack your app from both
within and without a web browser.

If you're allowing your objects to be modified via POSTs, you should
probably authenticate the call first. You have some sort of login
system, right?