by wickedlogic 3021 days ago
If you are utilizing json-rpc anywhere in your stack, you should be authenticating every request via your transport(s), or the payload itself with JWT (or the like). To not do this is to trust the world.

This is true over http and browsers, as well as internal servers, sockets, and cross frame communication. There are no such things as trusted internal services, just services that have not yet been breached (looking at you, hardware vendors).


And how would one do this?
See the details in my comment. The same way you would require authentication and/or signing on any request, on any modern platform. Not doing this is poor form.
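One way to do what the top comment describes, as an added example that is not the commenter's code: a JSON-RPC 2.0 dispatcher that refuses to run any method until the JWT carried in the request payload verifies. It assumes an HS256 shared secret and a non-standard `auth` field holding the token; both are choices made for this example.

```python
import base64, hashlib, hmac, json, time

# Constructed demo secret for this example; a real service loads it from a secret store.
SECRET = b"demo-shared-secret"

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_jwt(claims, secret=SECRET):
    """Mint an HS256 JWT so the example runs without an external issuer."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"

def verify_jwt(token, secret=SECRET, now=None):
    """Return the claims if the HS256 signature and expiry check out, else None."""
    try:
        header, body, sig = token.split(".")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None  # pin the algorithm: rejects 'none' and any alg switching
        expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None  # constant-time compare of the MAC
        claims = json.loads(_b64url_decode(body))
        if claims.get("exp", 0) <= (now or time.time()):
            return None  # expired (or missing) 'exp' is treated as invalid
        return claims
    except (ValueError, TypeError):
        return None  # malformed token, bad base64, or bad JSON

METHODS = {"ping": lambda params, claims: f"pong for {claims['sub']}"}

def handle_rpc(raw, now=None):
    """Dispatch a JSON-RPC 2.0 request only after its 'auth' token (assumed field) verifies."""
    req = json.loads(raw)
    rid = req.get("id")
    claims = verify_jwt(req.get("auth", ""), now=now)
    if claims is None:  # unauthenticated callers never reach the method table
        return {"jsonrpc": "2.0", "id": rid, "error": {"code": -32001, "message": "unauthorized"}}
    fn = METHODS.get(req.get("method"))
    if fn is None:
        return {"jsonrpc": "2.0", "id": rid, "error": {"code": -32601, "message": "method not found"}}
    return {"jsonrpc": "2.0", "id": rid, "result": fn(req.get("params", {}), claims)}
```

The same check belongs on every transport the comment lists: a socket or iframe channel gets no exemption just because it is "internal".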