I am thinking the safest way might be to setup a cloud service with Google or AWS and have it act as a middle man between Premise and IFTTT, adding a long hash to the URL that acts as a password.
I am not a web developer and don't work in the tech industry so maybe I am missing something, but at least then the Premise webserver isn't wide open.
I'm not sure why the webhook action can't let us edit the header. It has OPTION as a possible method, but no where to put the header information? That is how I fixed this issue before when I setup my custom Alexa skill on AWS.
Hmm, having the same issues as Ellery now. Hate to give up the security though since it's wide open then.