diff --git a/wagtail/wagtailimages/views/multiple.py b/wagtail/wagtailimages/views/multiple.py
index 5ee011863..3bd758d0c 100644
--- a/wagtail/wagtailimages/views/multiple.py
+++ b/wagtail/wagtailimages/views/multiple.py
@@ -2,6 +2,7 @@ import json
 from django.shortcuts import render, get_object_or_404
 from django.contrib.auth.decorators import permission_required
+from django.views.decorators.http import require_POST
 from django.core.exceptions import PermissionDenied
 from django.views.decorators.vary import vary_on_headers
 from django.http import HttpResponseBadRequest
@@ -35,6 +36,7 @@ def add(request):
     return render(request, 'wagtailimages/multiple/add.html', {})
+@require_POST
 @permission_required('wagtailadmin.access_admin') # more specific permission tests are applied within the view
 def edit(request, image_id, callback=None):
     Image = get_image_model()
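Review bot: `@require_POST` is stacked outside `@permission_required` on `edit`, so a non-POST request from an anonymous user is answered with 405 by `require_POST` before `permission_required` can redirect to login; for an endpoint that is meant to be called only by admin-side JavaScript that is probably intended, but the ordering is easy to "fix" by accident, so it deserves a line above the decorators: `# Decorator order is deliberate: reject non-POST (405) before the login redirect kicks in.` The `callback=None` parameter is not referenced in any line of `edit` this diff shows; if it is dead, drop it, otherwise say what it is for. The body of `edit` continues past the end of the hunk.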
@@ -42,34 +44,16 @@ def edit(request, image_id, callback=None):
     image = get_object_or_404(Image, id=image_id)
-    if not image.is_editable_by_user(request.user):
-        raise PermissionDenied
-
-    if request.method == 'POST':
-        form = ImageForm(request.POST, request.FILES, instance=image, prefix='image-'+image_id)
-        if form.is_valid():
-            form.save()
-            return render(request, 'wagtailimages/multiple/confirmation.json', {
-                'success': True,
-                'image': image,
-            }, content_type='application/json')
-
-        return render(request, 'wagtailimages/multiple/confirmation.json', {
-            'success': False,
-            'image': image,
-            'form': form,
-        }, content_type='application/json')
-
-
-@permission_required('wagtailadmin.access_admin') # more specific permission tests are applied within the view
-def delete(request, image_id):
-    image = get_object_or_404(get_image_model(), id=image_id)
+    if not request.is_ajax():
+        return HttpResponseBadRequest("Cannot POST to this view without AJAX")
     if not image.is_editable_by_user(request.user):
         raise PermissionDenied
-    if request.method == 'POST':
-        image.delete()
+    form = ImageForm(request.POST, request.FILES, instance=image, prefix='image-'+image_id)
+
+    if form.is_valid():
+        form.save()
         return render(request, 'wagtailimages/multiple/confirmation.json', {
             'success': True,
             'image': image,
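Review bot: The new `request.is_ajax()` guard in `edit` only tests the `X-Requested-With` request header, which any scripted client can set at will, so it must not be read as an authorization or CSRF control; the real boundary here stays `permission_required`, `image.is_editable_by_user(...)` and Django's CSRF token check, which this view must keep (no `csrf_exempt`) — whether the URL is exempted elsewhere is not visible in this diff. A comment on the guard would keep the next reader from leaning on it: `# Header check only (X-Requested-With): filters accidental form posts, not a security control.` `is_ajax()` has since been deprecated upstream, so the check will need replacing on a Django upgrade. The rest of `edit` lies outside this hunk.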
@@ -78,4 +62,25 @@ def delete(request, image_id):
     return render(request, 'wagtailimages/multiple/confirmation.json', {
         'success': False,
         'image': image,
+        'form': form,
     }, content_type='application/json')
+
+
+@require_POST
+@permission_required('wagtailadmin.access_admin') # more specific permission tests are applied within the view
+def delete(request, image_id):
+    image = get_object_or_404(get_image_model(), id=image_id)
+
+    if not request.is_ajax():
+        return HttpResponseBadRequest("Cannot POST to this view without AJAX")
+
+    if not image.is_editable_by_user(request.user):
+        raise PermissionDenied
+
+    image.delete()
+
+    return render(request, 'wagtailimages/multiple/confirmation.json', {
+        'success': True,
+        'image': image,
+    }, content_type='application/json')
+
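Review bot: In the new `delete` view the object lookup (`get_object_or_404`) and the AJAX check run before `is_editable_by_user`, so anyone holding only `wagtailadmin.access_admin` can tell existing image ids (403) from absent ones (404) by POSTing here, a small enumeration leak that `edit` shares. If that distinction is unwanted, resolve both cases to the same response, for example by raising `Http404` instead of `PermissionDenied` when the user may not edit the image (one line change: `raise Http404`, with the import added). Separately, deletion is gated by a check named for editing, `image.is_editable_by_user(request.user)`; if reusing the edit permission for delete is the intended policy, record it next to the check: `# NOTE: deletion reuses the edit permission check — confirm this is the intended policy.`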