When you open an url using a browser, the browser resolves the fqdn part of the url to an IP address, then initiates a TCP session to that address and port 80 (plaintext http) or 443 (tls-encrypted http - https). Before the TCP connection is established, the url doesn't appear in contents of any of the initial three packets (SYN>, <SYN+ACK, ACK>). Once the session establishes, the complete url is available in plaintext in the packets from the client, but for https, at best the fqdn alone is available in plaintext, the full url goes encrypted.
So the maximum you can do is to allow all TCP connections to the port but then forcifully break those which do not match the permitted url (if using plaintext) or permitted fqdn (if using https).
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.