Security Concerns with MySQL, PHP and JSON Plugin

Direct communication is never secure. The client can always read the traffic and redirect requests to a custom web server (and also read all responses).
A possible solution is for the client to connect to a dedicated server and send all requests there (that server communicates with the web server and returns the information to the client).
Of course, you can use your own security system, tokens, encrypted traffic for direct communication, but it is not quite secure.
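
The limit of client-side tokens described above, as an added PHP example (not part of the original post or the plugin's code): the server verifies a signed, timestamped JSON request and still validates every value, because anyone who reads the key out of the client can produce a valid signature. The key, field names, action list and score limit are assumptions for illustration.

```php
<?php
// Added example, not the plugin's code. SHARED_KEY, the JSON field names,
// the action list and the score limit are assumptions for illustration.
const SHARED_KEY = 'constructed-demo-key';   // placeholder; ships inside the client
const MAX_SKEW = 30;                         // seconds; bounds the replay window
const ALLOWED_ACTIONS = ['get_score', 'set_score'];
const MAX_SCORE = 10000;

function sign_request(string $body, int $ts, string $key): string
{
    // Bind the timestamp into the MAC so an old body cannot be re-dated.
    return hash_hmac('sha256', $ts . "\n" . $body, $key);
}

function verify_request(string $body, int $ts, string $mac, int $now, string $key): array
{
    if (abs($now - $ts) > MAX_SKEW) {
        return [false, 'stale timestamp'];
    }
    if (!hash_equals(sign_request($body, $ts, $key), $mac)) {  // constant-time compare
        return [false, 'bad signature'];
    }
    $req = json_decode($body, true);
    if (!is_array($req) || !in_array($req['action'] ?? null, ALLOWED_ACTIONS, true)) {
        return [false, 'unknown action'];
    }
    // A valid MAC only shows the sender holds the key, and the key can be read
    // out of the client, so every value is still checked on the server.
    if ($req['action'] === 'set_score'
        && (!is_int($req['score'] ?? null) || $req['score'] < 0 || $req['score'] > MAX_SCORE)) {
        return [false, 'score out of range'];
    }
    return [true, 'ok'];
}

// Constructed sample requests: [body, timestamp, MAC].
$now  = 1700000000;
$good = '{"action":"set_score","score":120}';
$huge = '{"action":"set_score","score":99999999}';
$cases = [
    'valid request'       => [$good, $now, sign_request($good, $now, SHARED_KEY)],
    'old capture re-sent' => [$good, $now - 600, sign_request($good, $now - 600, SHARED_KEY)],
    'body changed'        => [$huge, $now, sign_request($good, $now, SHARED_KEY)],
    're-signed with key'  => [$huge, $now, sign_request($huge, $now, SHARED_KEY)],
];
foreach ($cases as $name => [$body, $ts, $mac]) {
    [$ok, $why] = verify_request($body, $ts, $mac, $now, SHARED_KEY);
    printf("%-20s %s (%s)\n", $name, $ok ? 'accept' : 'reject', $why);
}
```

The last case carries a correct signature and is rejected only by the server-side range check, which is why the checks that matter belong on the server rather than in the client.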