Is this a necessary precaution?

Yes, this is the reason for captchas and user-logins. You should be actively thinking about how people can attack your app from both within and without a web browser.

If you're allowing your objects to be modified via POSTs, you should probably authenticate the call first. You have some sort of login system, right?