nothing in your web app can prevent it.
In fact, someone could just hit the rest endpoint and query objectid <500, objectid 500-1000, etc..
Your only option would be to hide the entire service behind a firewall, then only allow your application access to it.
However if your app can make the request and return results those request/results can always be viewed.