Web to Lead Forms security

Hi! I was wondering if there is a secure way to use Web to Lead forms in SugarCloud.

I mean, anyone can extract the API url from the form and start making customised calls, right?

Can we set up an IP whitelist for the REST API or something similar?

One of our customers is worried about this and we haven't known what to answer, as it seems a legitimate concern.

I have already seen these links which can lead to different solutions:

Am I missing something? Because it seems that Sugar is proposing a solution which basically exposes our sites to a security breach.

Thanks

  • Thanks to everybody for their answers, very good info.

    I posted a case in Sugar Portal and got this answer which clarified my doubts:

    The Sugar API of a public instance is open to anyone to make requests as long as they are able to authenticate.

    There are a couple of core API calls that do not require authentication.

    One of those is the Web2Lead form that allows users to create Leads. That endpoint can create only Leads but it cannot retrieve Leads.
    When creating Leads, it sanitizes the user inputs to avoid any hacking attempts.

    The only known issue is that bots could fill the Web2Lead forms from a website and generate many false Leads but this can be solved by implementing a Captcha as per the articles that you provided.
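The support answer above covers the two things a practitioner actually has to deal with: the capture endpoint is unauthenticated by design, and the realistic threat is bots flooding it with fake Leads. One way to act on that, going a step beyond the Captcha-in-the-form approach the thread settles on, is to point the public form at a small relay you host, so that the Sugar URL is no longer in the page and every submission is CAPTCHA-checked, rate-limited per client IP and reduced to the fields the form is supposed to carry before it is forwarded. The following is an added example written for this page; it is not code from the thread, from SugarCRM or from Sugar support. The endpoint URL, the hidden field values, the field allowlist and the client IPs are assumptions for illustration; the reCAPTCHA `siteverify` call is the real Google API but is shown only as one possible verifier, and the demo uses an offline stand-in for it.

```python
"""Relay for a Sugar Web-to-Lead form (added example, not SugarCRM code).

The hosted page posts to this relay instead of to the Sugar instance, so the
Sugar URL is not in the page and every submission passes a CAPTCHA check and a
per-IP rate limit before it is forwarded. Endpoint, field names, hidden-field
values and IPs below are assumptions for illustration.
"""
from __future__ import annotations

import json
import time
from dataclasses import dataclass, field
from typing import Callable, Mapping, Optional
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Assumed target: the action URL of the form Sugar generated for the instance.
SUGAR_ENDPOINT = "https://example.sugarondemand.com/index.php?entryPoint=WebToLeadCapture"

# Hidden fields copied from the generated form (placeholder values, assumed).
HIDDEN_FIELDS = {
    "campaign_id": "11111111-2222-3333-4444-555555555555",
    "assigned_user_id": "1",
    "redirect_url": "https://www.example.com/thanks",
}

# Only fields the public form exposes are forwarded; anything else is dropped,
# so a hand-crafted POST through the relay cannot set other Lead columns.
ALLOWED_FIELDS = ("first_name", "last_name", "email1", "phone_work", "description")
REQUIRED_FIELDS = ("last_name", "email1")
MAX_FIELD_LEN = 255

CaptchaCheck = Callable[[str, str], bool]  # (token, client_ip) -> verified


def verify_recaptcha(secret: str) -> CaptchaCheck:
    """Network verifier: asks Google's reCAPTCHA siteverify API about a token."""
    def check(token: str, client_ip: str) -> bool:
        data = urlencode({"secret": secret, "response": token, "remoteip": client_ip}).encode()
        req = Request("https://www.google.com/recaptcha/api/siteverify", data=data)
        with urlopen(req, timeout=5) as resp:
            return bool(json.load(resp).get("success"))
    return check


@dataclass
class RateLimiter:
    """Fixed-window counter per client IP: at most `limit` posts per `window` seconds."""
    limit: int
    window: float
    _hits: dict = field(default_factory=dict)

    def allow(self, ip: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        start, count = self._hits.get(ip, (now, 0))
        if now - start >= self.window:      # window expired: start a fresh count
            start, count = now, 0
        count += 1
        self._hits[ip] = (start, count)
        return count <= self.limit


@dataclass
class Decision:
    ok: bool
    reason: str
    url: str = ""
    body: bytes = b""


def relay(form: Mapping[str, str], client_ip: str, captcha_ok: CaptchaCheck,
          limiter: RateLimiter, now: Optional[float] = None) -> Decision:
    """Validate one submission; on success return the URL and body to POST to Sugar."""
    if not limiter.allow(client_ip, now):
        return Decision(False, "rate limited")
    token = form.get("captcha_token", "")
    if not token or not captcha_ok(token, client_ip):
        return Decision(False, "captcha failed")
    cleaned = {}
    for name in ALLOWED_FIELDS:                       # allowlist: unknown fields are ignored
        value = form.get(name, "").strip()
        if len(value) > MAX_FIELD_LEN:
            return Decision(False, f"{name} too long")
        if value:
            cleaned[name] = value
    missing = [n for n in REQUIRED_FIELDS if n not in cleaned]
    if missing:
        return Decision(False, "missing " + ", ".join(missing))
    if "@" not in cleaned["email1"]:
        return Decision(False, "invalid email1")
    payload = {**HIDDEN_FIELDS, **cleaned}            # hidden values come from us, never the client
    return Decision(True, "forwarded", SUGAR_ENDPOINT, urlencode(payload).encode())


def demo() -> list[str]:
    """Constructed submissions: a real visitor, a tampered POST, a missing token, a burst."""
    stub = lambda token, ip: token == "valid-token"   # offline stand-in for verify_recaptcha
    limiter = RateLimiter(limit=3, window=60)
    ip = "203.0.113.7"                                # constructed, documentation range
    visitor = {"first_name": "Ada", "last_name": "Lovelace", "email1": "ada@example.com",
               "captcha_token": "valid-token"}
    tampered = {**visitor, "status": "Converted", "assigned_user_id": "admin"}
    no_captcha = {**visitor, "captcha_token": ""}
    results = [relay(visitor, ip, stub, limiter, now=0.0).reason]
    d = relay(tampered, ip, stub, limiter, now=1.0)
    results.append(d.reason + (" (status dropped)" if d.ok and b"status=" not in d.body else ""))
    results.append(relay(no_captcha, ip, stub, limiter, now=2.0).reason)
    results.append(relay(visitor, ip, stub, limiter, now=3.0).reason)   # 4th post in the window
    return results


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The relay does not make the Sugar capture endpoint private: the instance is still public and the entry point is still reachable by anyone who knows the URL, which is what support describes. What it changes is that the URL is no longer handed out in the page source, and every submission that arrives through your own form has passed the CAPTCHA and the rate limit, so the bot-flood problem the answer names is handled before Sugar sees the request. Input sanitisation of the Lead fields themselves is still Sugar's job, as the answer states; the relay only limits which fields reach it.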
