How to create custom post by using REST API securely?

I have a front-end form. Can it be used to create a custom post, so that filling it out creates the custom post on the same website?

Yes, if you have `show_in_rest` set to true when registering your post type, then you’ll already have REST API endpoints for listing and creating them, and they’ll be restricted via the capability that was set when you registered the post type too.

When I visited a website, they said header authorization is not safe to use. Is that the case?

I have no idea what you’re referring to here.

Username and password added to the header auth. Is it possible to send a request without that?

I suspect what you actually meant was basic auth. To use basic auth you need to install a plugin, so yes, you can make requests without that. OAuth/Basic Auth/etc. all require plugins, and are used when talking between different sites/apps, but you don’t seem interested in that.

If you have a login cookie set, then all you need is a nonce. The REST API handbook has details on that.

Basically the user has to log in to fill out the form, so is there any way to get the username and password to make the request?

This is unnecessary and dangerous. You do not need the user’s password, much in the same way the admin area doesn’t ask for your password every time you go to a new page.

Can the REST API POST request be limited to only that form? Say, so that someone can’t do it from outside?

That’s not how HTTP requests work and never has been. Even if you don’t use AJAX I can craft a curl command in the terminal to reproduce it given the right info.

The server receives a request; it can never truly be sure what generated it. This is true of all requests no matter their nature.

It sounds, though, as if you have a specific concern you aren’t sharing. If the user is logged in and it’s an authenticated request, then I do not see a need for concern, assuming your site uses HTTPS.
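
The cookie-plus-nonce request described in the answer, as an added example that is not part of the original answer. It assumes pretty permalinks, a post type registered with `show_in_rest` whose REST base is `book`, and a `settings` object (REST root plus a `wp_rest` nonce) that the server prints into the page for the logged-in user; those names and the `pending` status are hypothetical.

```javascript
// Added example. `settings` is assumed to look like:
//   { root: "https://example.test/wp-json/", nonce: "<wp_rest nonce>" }
// The browser already holds the login cookie, so no username or password is sent.

function buildCreateRequest(settings, restBase, fields, pageOrigin) {
  const root = new URL(settings.root.endsWith("/") ? settings.root : settings.root + "/");
  // The login cookie must only travel over TLS and only to the site that set it.
  if (root.protocol !== "https:") throw new Error("REST root must be HTTPS");
  if (root.origin !== pageOrigin) throw new Error("REST root must be same-origin");
  if (!/^[a-z0-9_-]+$/.test(restBase)) throw new Error("unexpected REST base");
  if (!settings.nonce) throw new Error("missing nonce: is the user logged in?");

  return {
    url: new URL(`wp/v2/${restBase}`, root).toString(),
    options: {
      method: "POST",
      credentials: "same-origin", // attach the existing login cookie
      headers: {
        "Content-Type": "application/json",
        "X-WP-Nonce": settings.nonce, // nonce only; no Authorization header
      },
      body: JSON.stringify({
        title: String(fields.title),
        content: String(fields.content),
        status: "pending", // assumption: submissions wait for review
      }),
    },
  };
}

// Map the REST API's error responses to something the form can show.
function explainFailure(status, body) {
  const code = body && body.code;
  if (code === "rest_cookie_invalid_nonce") return "nonce expired: reload the page";
  if (code === "rest_cannot_create" || status === 401 || status === 403)
    return "this user is not allowed to create this post type";
  return `request failed (${status})`;
}

async function submitForm(settings, restBase, fields, pageOrigin, fetchImpl = fetch) {
  const { url, options } = buildCreateRequest(settings, restBase, fields, pageOrigin);
  const res = await fetchImpl(url, options);
  const body = await res.json();
  if (!res.ok) throw new Error(explainFailure(res.status, body));
  return body.id; // ID of the newly created post
}
```

The capability check still happens on the server for every request; the client-side checks here only stop the form from sending the cookie and nonce somewhere they should not go.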