Not really sure if this is a bug or if there's a reason behind it but when you go to http://xenforo.com/community/?_xfResponseType=json and you're logged in, it'll say security error. If you're logged out (open it in an incognito window if you're on chrome) you get all the data. Seems a little weird.
That is intended to prevent cross-domain forgery, that way I cannot just setup a page to do a "post" request to XenForo.com while you are browsing my site which will indirectly (and without your knowledge) trigger an action
That check is not done for guests, because they don't need it