I am developing a tool that processes form responses.
The original form is on a website that is built with a website builder. This website builder (Ionos) allows the use of a webhook endpoint, to which it sends the form input as JSON.
However, it only allows specifying a webhook URL like https://backend.com/receiver. It sends an HTTP POST to that URL that contains the JSON (not FormData). On my site, I am listening to POST requests and I process and store incoming data.
The website builder does not allow including an authentication header, or any header for that matter. It does encrypt the request with HTTPS though.
I would like to secure my endpoint such that it only processes requests coming from this specific website, not any other domain. I could check for the CORS or Referer headers, but to my understanding those could be spoofed.
Is there any practical way to authenticate the sending page without headers?
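
One way to work within the URL-only constraint described above, shown as an added example that is not part of the original post: put a long random secret in the webhook URL path, compare it in constant time, and ignore Origin and Referer entirely. The `/receiver/<token>` layout, `WEBHOOK_TOKEN` and `handle_webhook` are assumptions made for illustration, not anything the website builder defines.

```python
import hmac
import json
from urllib.parse import urlsplit

# Constructed sample secret. Generate a real one once with
# secrets.token_urlsafe(32) and load it from configuration, not source code.
WEBHOOK_TOKEN = "constructed-sample-token-2f9c1b7e4a"


def token_from_path(raw_path):
    """Extract the token from a path shaped like /receiver/<token>."""
    parts = urlsplit(raw_path).path.strip("/").split("/")
    if len(parts) == 2 and parts[0] == "receiver":
        return parts[1]
    return None


def handle_webhook(method, raw_path, headers, body):
    """Return (status, payload); payload is a dict only on success.

    `headers` is accepted but never consulted: Origin and Referer are
    chosen by the client, so they carry no authentication value.
    """
    if method != "POST":
        return 405, None
    token = token_from_path(raw_path)
    # Constant-time comparison avoids leaking the token through timing.
    # A bad token gets the same 404 as an unknown path.
    if token is None or not hmac.compare_digest(
        token.encode(), WEBHOOK_TOKEN.encode()
    ):
        return 404, None
    try:
        payload = json.loads(body)
    except ValueError:  # covers malformed JSON and invalid UTF-8
        return 400, None
    if not isinstance(payload, dict):
        return 400, None
    return 200, payload


if __name__ == "__main__":
    good = "/receiver/" + WEBHOOK_TOKEN
    print(handle_webhook("POST", good, {}, b'{"name": "Ada"}'))
    spoofed = {"Referer": "https://example.invalid/form"}
    print(handle_webhook("POST", "/receiver/guess", spoofed, b"{}"))
```

With this layout the token sits inside the HTTPS-protected request line, but it also appears in the receiver's access logs and in the builder's configuration, so redact the path in logs and rotate the token if either is exposed.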