I've been known to put the following code in a script in an attempt to guarantee it not be run from a browser.

localonly();
...
...
...

sub localonly {
   if ($ENV{'SCRIPT_FILENAME'}) {
      die "localonly -- $ENV{'REMOTE_ADDR'}";
   }
}
[download]

This seems to work.
But, I'd be curious if there's any feedback on exploits which can get around the SCRIPT_FILENAME or perhaps a better way to do this.

Claude