Experts opinions needed: How (in)secure is this approach?

no. it’s not secure. because a curl http request can spoof any parameter in the request headers.
What you should do?
The least thing you can do is to create a htpassword file in the mail client directory which puts a username & password request before serving the content to the user.
google about making a .htpassword file.

Related Posts:

  1. WP Cron doesn’t save or in post body
  2. How to store username and password to API in wordpress option DB?
  3. In Which Contexts are Plugins Responsible for Data Validation/Sanitization?
  4. How to properly validate data from $_GET or $_REQUEST using WordPress functions?
  5. Nonces can be reused multiple times? Bug / Security issue?
  6. Can someone explain what wp_session_tokens are, and what are they used for?
  7. WordPress and PHP Sessions – Security and Performance
  8. What is the difference between esc_html and wp_filter_nohtml_kses?
  9. Nonce in settings API with tabbed navigation
  10. Log in from one wordpress website to another wordpress website
  11. Escaping built-in WP function return strings
  12. What is the difference between strip_tags and wp_filter_nohtml_kses?
  13. Error with Custom Admin Screen in iframe Thickbox
  14. WordPress restrict plugin file direct access
  15. Plugin development: is adding empty index.php files necessary?
  16. Confusion on WP Nonce usage in my Plugin
  17. Coding a plugin on WordPress; when should I sanitize? [duplicate]
  18. Correct way check nonce (security) using old Options API
  19. Why do I need to check if wp_nonce_field() exists before using it
  20. Is there any way to check for user login and send him to login?
  21. WordPress security issue to output data from user input from theme option form
  22. Verify if user is wordpress logged in from another app since wordpress 4.0
  23. Secure Pages Best Practice
  24. Securing/Escaping Output of file content – reading via fread() in PHP
  25. best way to make a WordPresss multisite that is secure but at the same time supporting my plugin development efforts
  26. Video Security just like facebook [closed]
  27. Is disabling test_form in wp_handle_upload a security concern?
  28. How to connect my wordpress plugin to a remote database securely?
  29. wp_nonce_field displaying twice
  30. Is it necessary to do validation again when retrieving data from database?
  31. Checking a WordPress for OWASP top 10 vulnerabilities [closed]
  32. How do I have now a duplicated user entry if this is not allowed (and I cannot replicate it)?
  33. add_submenu_page hooked function must explicitly check user capabilities – why?
  34. Are there any security risks when submitting data-attribute data through AJAX?
  35. Why would you use esc_attr() on internal functions?
  36. Is it possible to use WP-CLI in a plugin (or theme)?
  37. Secruity Questions on a timer
  38. Using HTML links within translatable string
  39. How to insert HTML/CSS/JS into my iframe plugin?
  40. How can I save a password securely as a settings field
  41. Using password protection to load different page elements?
  42. HTML Elements in my WP Plugin being generated in JS. Security and Translated Text Question about this method being used
  43. How to store sensitive user data (passwords)
  44. WP Refused to display ‘URL’ in a frame because it set ‘X-Frame-Options’ to ‘sameorigin’
  45. How do I make secure API calls from my WordPress plugin?
  46. esc_attr() on hard coded string
  47. how to add security questions on wp-registration page and validate it
  48. What is more secure checking capabilities of user or checking role of user in WordPress plugin development
  49. Issue with iframe in TinyMCE
  50. Data Validation, dynamically generated fields (select for example)
  51. esc_url, esc_url_raw or sanitize_url?
  52. Adding Custom Text Patterns in the WP 4.5 Visual Editor
  53. How to create an API for my plugin?
  54. Plugins in symlinked directories?
  55. How to use PanelColorSettings in custom Gutenberg block?
  56. Is there a way for a plug-in to get it’s own version number?
  57. How to add tab which is visible only in admin side of product in woocommerce? [closed]
  58. How do I print a notice only on certain admin pages?
  59. Hook the Keydown Event in the TinyMCE Post Editor
  60. WordPress Settings API: saving multiple rows of similar data
  61. Modify how gallery.js builds the shortcode [gallery ...] in tinyMCE?
  62. How to use is_multisite() in a must-use-plugin?
  63. DataBase connection problem with PHPUnit and WordPress
  64. Modify a Free Plugin available on wordpress.org & include with my Premium Theme? [closed]
  65. How to save iframe tag into a post?
  66. Registering and using actions which return results in a Plugin class
  67. Plugin developement and SVN
  68. WooCommerce Conditional Tag inside plugin
  69. Add code inside specific wordpress standard function
  70. Conditional hook based on the core function that is calling it
  71. How to change the hover content of a specific menu item on WordPress?
  72. PHP – Extend WordPress Woocommerce Revenue Analytics with custom field
  73. Amending REST API function without deactivate/activate plugin every time changes is made
  74. How to add WordPress Admin “Insert Link” UI (searches through existing posts for URL) and functionality into a custom plugin?
  75. Unable to change footer using wp_footer action hook
  76. Admin Posts List (edit.php) by post IDs
  77. wp_localize_script is not adding a global variable for javascript
  78. A question about add_action()
  79. How to Get Rid of Unwanted Backslashes in WordPress Form Input inside admin menu option
  80. WordPress plugin cron working only if admin is logged in
  81. Enqueue scripts inside a class in a plugin
  82. Redirect User to custom URL after registering
  83. WP plugin repository didn’t parse readme.txt correctly
  84. “Rendering of admin template [path to template] failed”
  85. Adding a dropdown on the user admin
  86. Check current URL is 404 in pre_option_stylesheet filter hook
  87. How to show content in the body with my plugin (only in frontend not backend)?
  88. Metabox types list
  89. Problem in plugin debuging in wordpress
  90. How to include files in the loop via ajax
  91. Some data has already been output, can’t send PDF file – fpdf issue in WordPress
  92. Plugin or Custom Page Type
  93. Custom signature appears twice on page
  94. wp_mail links are dead
  95. List Available Templates for Current Theme in a Plugin
  96. Adding Third Post Box Column: postbox-container-3
  97. WooCommerce custom payment gateway
  98. How can create a custom plugin to call my webapi after any registration or membership plugin functionality
  99. Reinitiate Gutenburg’s blocks using javascript
  100. Generating Multiple Divi Pages from Database