Jonathon suggested that POST-only checking is enough even with JavaScript.
Of course, if you allow JavaScript, then you can issue multiple document.write statements to build a form and then submit that form.
If you forcibly eliminate JavaScript, then POST-only checking should be sufficient? It's certainly more easily doable than the other suggestions.
I also like Jonathon's method of putting a big ns_rand into an nsv of allowed "keys" and popping it out in the relevant admin pages.
Let's keep it simple if we can!
<Mark madly checks all his oacs sites for insecure antispam settings...>
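
The key scheme mentioned above, combined with the POST-only check, as an added example that is not part of the original post or of OpenACS. It is a Python model: a locked dict stands in for the nsv array, `secrets` stands in for `ns_rand`, and the function names, the `key` form field, and the TTL are assumptions.

```python
import secrets
import threading
import time

TOKEN_TTL = 900  # seconds a key stays valid (assumed value)

_lock = threading.Lock()
_allowed_keys = {}  # stand-in for the nsv array: key -> (user_id, expiry)


def issue_key(user_id, now=None):
    """Called while rendering an admin form; the key goes in a hidden field."""
    now = time.time() if now is None else now
    key = secrets.token_urlsafe(32)  # large unpredictable value
    with _lock:
        # Purge expired keys so the shared store cannot grow without bound.
        for old in [k for k, (_, exp) in _allowed_keys.items() if exp <= now]:
            del _allowed_keys[old]
        _allowed_keys[key] = (user_id, now + TOKEN_TTL)
    return key


def consume_key(key, user_id, now=None):
    """Pop the key so it works once; any mismatch still burns it."""
    now = time.time() if now is None else now
    with _lock:
        entry = _allowed_keys.pop(key, None)
    if entry is None:
        return False
    owner, expiry = entry
    return owner == user_id and now < expiry


def handle_admin_request(method, user_id, form, now=None):
    """Return an HTTP status for a state-changing admin page."""
    if method != "POST":
        return 405  # POST-only check
    if not consume_key(form.get("key", ""), user_id, now):
        return 403  # missing, replayed, expired, or someone else's key
    return 200
```
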