Tags: facebook, request, facebook-canvas

Can Facebook's $_REQUEST["signed_request"] be faked?


I have my_app, which is intended to be accessed only as a Facebook canvas app, and I am looking for a solid test which my_app will perform during the loading phase to verify whether or not it is being loaded into a Facebook iframe.

In a legitimate Facebook iframe, $_REQUEST["signed_request"] is readable. But I would like to know if somehow another webpage could attempt to load my_app and send a fake 'signed_request'.


Solution

  • The signed request is signed using a secret key specific to your app. Unless someone managed to steal that secret key from the FB server, and as long as you verify that the signed request is valid (with parse_signed_request), you should be safe.
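The check the answer describes, as an added example rather than code from the question, the answer or the Facebook SDK: a signed_request is `base64url(HMAC-SHA256(payload)) . "." . base64url(JSON payload)`, keyed with the app secret, so a verifier that recomputes the HMAC rejects any request produced without that secret. The app secret and the claims below are constructed placeholders.

```php
<?php
// Added example: verify a Facebook canvas signed_request the way
// parse_signed_request does, then show that a request signed without the
// app secret is rejected. Secret and claims are constructed placeholders.

function base64_url_decode(string $input)
{
    // Facebook uses URL-safe base64 ('-' and '_') without '=' padding.
    return base64_decode(strtr($input, '-_', '+/'));
}

function base64_url_encode(string $input): string
{
    return rtrim(strtr(base64_encode($input), '+/', '-_'), '=');
}

function verify_signed_request(string $signed_request, string $app_secret): ?array
{
    $parts = explode('.', $signed_request, 2);
    if (count($parts) !== 2) {
        return null;                        // malformed: no "sig.payload" split
    }
    [$encoded_sig, $payload] = $parts;
    $sig  = base64_url_decode($encoded_sig);
    $data = json_decode(base64_url_decode($payload), true);
    if ($sig === false || !is_array($data)) {
        return null;                        // undecodable signature or payload
    }
    // Only accept the algorithm we expect; the payload must not choose it for us.
    if (strtoupper($data['algorithm'] ?? '') !== 'HMAC-SHA256') {
        return null;
    }
    // The HMAC covers the still-encoded payload string, keyed with the app secret.
    $expected = hash_hmac('sha256', $payload, $app_secret, true);
    // hash_equals() is a constant-time comparison, avoiding a timing side channel.
    return hash_equals($expected, $sig) ? $data : null;
}

// Constructed helper standing in for Facebook's side: sign a payload.
function make_signed_request(array $data, string $secret): string
{
    $payload = base64_url_encode(json_encode($data));
    return base64_url_encode(hash_hmac('sha256', $payload, $secret, true)) . '.' . $payload;
}

$appSecret = 'PLACEHOLDER-APP-SECRET';   // constructed; never commit a real one
$claims    = ['algorithm' => 'HMAC-SHA256', 'user_id' => '12345', 'issued_at' => 1300000000];

$genuine = make_signed_request($claims, $appSecret);      // what Facebook would send
$forged  = make_signed_request($claims, 'attacker-guess'); // third party lacking the secret

$genuineAccepted = verify_signed_request($genuine, $appSecret) !== null;
$forgedAccepted  = verify_signed_request($forged, $appSecret) !== null;
```

Load the app only when `verify_signed_request()` returns the decoded payload, and treat a null as "not loaded from a Facebook canvas".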