Each request made to the URL of the tab of your application’s page (the URL used when loading the application through the “Page” tab) will include the signed_request parameter.
The decoding method is explained in https://developers.facebook.com/docs/authentication/signed_request/ - when your application is loaded on the page tab, you will always get page (other parameters may be absent if the current user did not allow your application, which will take place for most page tab applications)
The page parameter contains the page identifier of the page to which it is loaded. Then you use the if statement in your code and decide not to show anything (or some common content) if the request came through a page that you did not expect to install the application.