If you have an SSL certificate on the server, then the client will be sending data through HTTPS, which means the data is encrypted by default over the wire.
So as far as encryption is concerned, you are covered.
An API key with a secret would be a good way to filter out the requests. And yes, you will have to adapt your Workflow process to ignore any request that doesn’t include the appropriate API key. But that means you are exposing Workflow to DDoS attacks.
Please understand that Workflow is not a web server, nor does it implement basic security measures. The fact that it is able to respond to HTTP(s) requests must not lure you into thinking otherwise.
If you decide to leave Workflow on the open Web, you are exposing a critical piece of software to potential hackers. I strongly urge you to use a firewall or a reverse proxy to filter out any request before it reaches Workflow.
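
One way to set up the reverse proxy recommended above, so that the API key check and request throttling happen before anything reaches Workflow. This is an added example, not part of the original post and not vendor configuration. It assumes nginx as the proxy; the header name `X-API-Key`, the `/submit` path, the host name, the certificate paths and the Workflow address `127.0.0.1:8080` are placeholders.

```nginx
# Goes inside the http { } block of nginx.conf.
# Every name, path, port and key below is a constructed placeholder.

# Accepted API keys. A missing header or any other value maps to 0.
map $http_x_api_key $api_key_ok {
    default                          0;
    "REPLACE_WITH_LONG_RANDOM_KEY"   1;
}

# Per-client budgets, so a flood is absorbed by the proxy and not by Workflow.
limit_req_zone  $binary_remote_addr zone=workflow_req:10m  rate=5r/s;
limit_conn_zone $binary_remote_addr zone=workflow_conn:10m;

server {
    listen 443 ssl;
    server_name api.example.com;                       # placeholder

    # TLS terminates here; this is the "SSL certificate on the server".
    ssl_certificate     /etc/nginx/tls/example.crt;    # placeholder
    ssl_certificate_key /etc/nginx/tls/example.key;    # placeholder

    client_max_body_size 2m;    # cap the payload size a client may send
    client_body_timeout  10s;   # drop clients that stall mid-upload

    # Expose only the one path the Workflow process listens for (assumed).
    location /submit {
        # Reject requests without a valid key before they are proxied.
        if ($api_key_ok = 0) { return 401; }

        # Allow POST only; every other method is denied.
        limit_except POST { deny all; }

        # Throttle the requests that did present a valid key.
        limit_req  zone=workflow_req burst=10 nodelay;
        limit_conn workflow_conn 10;

        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_read_timeout 30s;
        proxy_pass http://127.0.0.1:8080;   # assumed Workflow HTTP input
    }

    # Nothing else is forwarded.
    location / { return 404; }
}
```

For this to hold, the firewall should allow only the proxy host to reach Workflow's HTTP port, so the proxy cannot be bypassed.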