Thank you for your reply, but unfortunately it does not fully address my concern.
Since bots can easily spoof responses pretending to be from Google, the best solution would be to allow only requests from Google's verified IP addresses listed in their JSON metadata.
This would ensure responses...