The current design relies on trusted_hosts feature, clients use HTTPS API and Foreman checks their hostname/client CN.

For smart_proxy_host_reports, similar approach can be taken - list of allowed CN names, since callback would be typically running on the same host, the configuration can be set to only trust to the same hostname.