I keep reading that to make ajax requests safe, I need to make sure that cross-site requests are disabled. On the server side, how exactly do I disable cross-site requests, or check if they are disabled/enabled?
Answer 1:
Cross-site requests are disabled by default.
FYI: take a look at the same-origin policy: http://en.wikipedia.org/wiki/Same_origin_policy
Answer 2:
Cross-domain is always banned because of the Same Origin Policy.
As for your JavaScript making an XHR and someone spoofing one, they are the same and impossible to differentiate (though you can definitely make it harder).
Answer 3:
Maybe someone can open your page in a hyperlink, so please make sure that the HTTP referrer is always from your site.
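The server-side check that the question asks for and that Answer 3 hints at, written as an added example (not code from any of the answers above): it compares the request's Sec-Fetch-Site, Origin or Referer header against the site's own origin. The function and header names are assumptions for illustration; the site origin `https://example.com` is a constructed value.

```python
from urllib.parse import urlsplit

# Ports implied by a URL that omits one, so "https://example.com" and
# "https://example.com:443" are treated as the same origin.
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Reduce a URL to its (scheme, host, port) origin, or None if unparsable.

    The literal Origin value "null" (opaque origin) parses to None and so
    never matches the site's origin.
    """
    parts = urlsplit(url)
    if not parts.scheme or not parts.hostname:
        return None
    port = parts.port or DEFAULT_PORTS.get(parts.scheme.lower())
    return (parts.scheme.lower(), parts.hostname.lower(), port)


def is_same_origin_request(headers, site_origin):
    """Return True only if the request appears to come from site_origin.

    Order of evidence: Sec-Fetch-Site (set by modern browsers and not
    script-writable), then Origin (sent on XHR/fetch and POSTs), then
    Referer.  A request carrying none of these is rejected, because a
    browser issuing a state-changing request from the site itself always
    attaches at least Origin or Referer.
    """
    h = {name.lower(): value for name, value in headers.items()}
    expected = origin_of(site_origin)

    fetch_site = h.get("sec-fetch-site")
    if fetch_site is not None:
        return fetch_site == "same-origin"

    for name in ("origin", "referer"):
        value = h.get(name)
        if value:
            return origin_of(value) == expected
    return False


# Constructed request headers showing the accepted and rejected cases.
SAMPLE_REQUESTS = {
    "xhr_from_site": {"Origin": "https://example.com"},
    "xhr_from_other_site": {"Origin": "https://other.example"},
    "form_with_referer": {"Referer": "https://example.com/page?x=1"},
    "browser_says_cross_site": {"Sec-Fetch-Site": "cross-site", "Origin": "https://example.com"},
    "no_headers_at_all": {},
}
```

Referer and Origin can be stripped by privacy settings or a Referrer-Policy, and a non-browser client can set them to anything (the point Answer 2 makes), so this check narrows the attack surface but does not replace a per-session CSRF token.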