Experts opinions needed: How (in)secure is this approach?

no. it’s not secure. because a curl http request can spoof any parameter in the request headers.
What you should do?
The least thing you can do is to create a htpassword file in the mail client directory which puts a username & password request before serving the content to the user.
google about making a .htpassword file.

Related Posts:

  1. WP Cron doesn’t save or in post body
  2. How to store username and password to API in wordpress option DB?
  3. In Which Contexts are Plugins Responsible for Data Validation/Sanitization?
  4. How to properly validate data from $_GET or $_REQUEST using WordPress functions?
  5. Nonces can be reused multiple times? Bug / Security issue?
  6. Can someone explain what wp_session_tokens are, and what are they used for?
  7. WordPress and PHP Sessions – Security and Performance
  8. What is the difference between esc_html and wp_filter_nohtml_kses?
  9. Nonce in settings API with tabbed navigation
  10. Log in from one wordpress website to another wordpress website
  11. Escaping built-in WP function return strings
  12. What is the difference between strip_tags and wp_filter_nohtml_kses?
  13. Error with Custom Admin Screen in iframe Thickbox
  14. WordPress restrict plugin file direct access
  15. Plugin development: is adding empty index.php files necessary?
  16. Confusion on WP Nonce usage in my Plugin
  17. Coding a plugin on WordPress; when should I sanitize? [duplicate]
  18. Correct way check nonce (security) using old Options API
  19. Why do I need to check if wp_nonce_field() exists before using it
  20. Is there any way to check for user login and send him to login?
  21. WordPress security issue to output data from user input from theme option form
  22. Verify if user is wordpress logged in from another app since wordpress 4.0
  23. Secure Pages Best Practice
  24. Securing/Escaping Output of file content – reading via fread() in PHP
  25. best way to make a WordPresss multisite that is secure but at the same time supporting my plugin development efforts
  26. Video Security just like facebook [closed]
  27. Is disabling test_form in wp_handle_upload a security concern?
  28. How to connect my wordpress plugin to a remote database securely?
  29. wp_nonce_field displaying twice
  30. Is it necessary to do validation again when retrieving data from database?
  31. Checking a WordPress for OWASP top 10 vulnerabilities [closed]
  32. How do I have now a duplicated user entry if this is not allowed (and I cannot replicate it)?
  33. add_submenu_page hooked function must explicitly check user capabilities – why?
  34. Are there any security risks when submitting data-attribute data through AJAX?
  35. Why would you use esc_attr() on internal functions?
  36. Is it possible to use WP-CLI in a plugin (or theme)?
  37. Secruity Questions on a timer
  38. Using HTML links within translatable string
  39. How to insert HTML/CSS/JS into my iframe plugin?
  40. How can I save a password securely as a settings field
  41. Using password protection to load different page elements?
  42. HTML Elements in my WP Plugin being generated in JS. Security and Translated Text Question about this method being used
  43. How to store sensitive user data (passwords)
  44. WP Refused to display ‘URL’ in a frame because it set ‘X-Frame-Options’ to ‘sameorigin’
  45. How do I make secure API calls from my WordPress plugin?
  46. esc_attr() on hard coded string
  47. how to add security questions on wp-registration page and validate it
  48. What is more secure checking capabilities of user or checking role of user in WordPress plugin development
  49. Issue with iframe in TinyMCE
  50. Data Validation, dynamically generated fields (select for example)
  51. esc_url, esc_url_raw or sanitize_url?
  52. Allow contributor user role to perform copy operation PHP
  53. How to use own css of functionality plugin?
  54. Get Custom taxonomy parent with wordpress REST API
  55. How to add .ini file type to the plugin editor to read and edit?
  56. Do I lose translations when I change my Text domain for my plugin on wp.org?
  57. HTMLCollection not counting right in editor? / for loop not working on elements in DOM
  58. What to do with the .git folder in a WordPress plugin during local development
  59. register_meta not showing custom post type metabox data in rest api
  60. Trying to rename a file upload as the hash of file content on wordpress
  61. Adding the image selector/uploader to an admin back page
  62. How to write a custom shortcode name book?
  63. converting a node.js project into a wp plugin
  64. What happens/fires when you select a block in the editor?
  65. Want to know how to reveal a WordPress theme, considering the theme name is hidden?
  66. Is “document loaded” different on admin side than public side?
  67. Determine if term is Category or Tag
  68. Check current URL is 404 in pre_option_stylesheet filter hook
  69. Where to add functions and code snippets in wordpress
  70. Hook to execute after deleting a Custom Taxonomy
  71. How to re-render inspector controls?
  72. Override category archive page title (not the head title)
  73. Forbidden Error in ajax call with wordpress
  74. `registration_errors` filter doesn’t seem to be called
  75. Why User_login key doesn’t work with wp_update_user()
  76. How to use setAttributes outside of the edit function return
  77. WP plugin svn checkout 429 error “Too many requests”
  78. why is apiFetch throwing Unhandled Promise Rejection: TypeError: Object is not a function
  79. How to grab data after wp user search is complete
  80. Limit get_next_post to posts from the same author
  81. How to Login a User inside a Plugin and Redirect to page?
  82. Using custom IDP with WP
  83. Trying to run a Ajax request from a checkout form in woocommerce via a custom plugin
  84. Show list of categories that has posts with different taxonomies
  85. “add to cart” links css class “ajax_add_to_cart” doesn’t show in woocommerce in widget sidebar
  86. Securing custom rest API endpoints with public access from PWA
  87. How do I add filter with woocommerce categories?
  88. ACF Field value in wordpress login message filter
  89. Where do I hook to have the server do something in PHP on block attribute change?
  90. admin-post.php form handling only working when logged in as admin
  91. Undefined cache functions in my custom plugin
  92. Some difficulties in implementing markdown editor
  93. By adding “?login – failed” code unable to access my dashboard
  94. ajax stopped working when not logged in wordpress
  95. Change cannonical URL after changing url with add_rewrite_rule()
  96. jQueryUI draggable doesn’t work in WordPress plugin
  97. Sanitization and validation input fields – Settings API
  98. WordPress shortcode with a switch
  99. Twenty-seventy theme remove additional CSS from head
  100. call funcution when clicking submit
Hata!: SQLSTATE[HY000] [1045] Access denied for user 'divattrend_liink'@'localhost' (using password: YES)