The ESP is to normally operate in station mode. The ESP pings the PC every ten seconds. If ten minutes of failed pings go by, the ESP goes into STA_AP mode and serves a web page while continuing to listen for pings and MQTT messages telling it to go back to station mode.
While acting as a soft AP and serving these web pages it offers one variety of content to other devices connected to the "real" internet-connected access point (192.168.1.x), and another more-privileged type of content to clients connected to the ESP AP (192.168.4.x). It uses the results of server.client().remoteIP().toString() (where server is an ESP8266WebServer object) to determine if the client request is coming from 192.168.1.x (IPs handed out by the real access point) or 192.168.4.x (IPs handed out by the ESP).
Is it possible for clients to bypass the IP addresses handed out by the two access points and give themselves 192.168.4.x addresses? The ESP doesn't seem to be able to work as an HTTPS server, so I'd like to force access to the privileged assets over the access point side, so at least the clients have to know the access point password. I hope this makes sense.
If the clients on the 192.168.1.x side can just give themselves fake 192.168.4.x addresses, I'll just have the ESP go into strict AP mode when the server can't be reached, then just go into station mode every half an hour or so to check server status.
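As an added illustration of the check the question describes (this is example code written for this page, not the poster's sketch), the decision below looks at both addresses a connection carries: the client's source address, which is what `server.client().remoteIP()` returns, and the ESP-side address the connection arrived on, which the ESP8266 core exposes as `server.client().localIP()`. A request is only treated as privileged when the ESP-side address is the soft-AP's own address and the source is in the soft-AP subnet, so a request that merely claims a 192.168.4.x source but reached the ESP through its station interface is refused. The soft-AP address 192.168.4.1, the /24 masks and the constructed sample addresses are assumptions; the code is plain C++ so it runs on a PC, and on the device the two strings would come from the `WiFiClient` calls named above.

```cpp
#include <cstdint>
#include <iostream>
#include <sstream>
#include <stdexcept>
#include <string>

// Parse a dotted-quad string ("192.168.4.7") into a 32-bit host-order value.
// Malformed input throws, so garbage is never mistaken for an AP-side address.
uint32_t parseIPv4(const std::string& s) {
    uint32_t result = 0;
    std::istringstream in(s);
    std::string part;
    int count = 0;
    while (std::getline(in, part, '.')) {
        if (part.empty() || part.size() > 3) throw std::invalid_argument("bad octet: " + s);
        for (char c : part) {
            if (c < '0' || c > '9') throw std::invalid_argument("bad octet: " + s);
        }
        int v = std::stoi(part);
        if (v > 255) throw std::invalid_argument("octet out of range: " + s);
        result = (result << 8) | static_cast<uint32_t>(v);
        ++count;
    }
    if (count != 4) throw std::invalid_argument("need four octets: " + s);
    return result;
}

bool inSubnet(uint32_t ip, uint32_t network, uint32_t mask) {
    return (ip & mask) == (network & mask);
}

// Layout from the question: soft-AP clients get 192.168.4.x, clients of the
// real access point get 192.168.1.x. The soft-AP address 192.168.4.1 and the
// /24 masks are assumptions for this example.
const uint32_t AP_NET   = parseIPv4("192.168.4.0");
const uint32_t STA_NET  = parseIPv4("192.168.1.0");
const uint32_t NET_MASK = parseIPv4("255.255.255.0");
const uint32_t AP_IP    = parseIPv4("192.168.4.1");

enum class Access { Privileged, Public, Deny };

// remoteIP: the client's source address (server.client().remoteIP() on the ESP).
// localIP:  the ESP-side address the connection arrived on
//           (server.client().localIP() on the ESP).
// Privileged content requires BOTH a soft-AP-side source and arrival on the
// soft-AP address; a claimed 192.168.4.x source arriving via the station
// interface is denied rather than trusted.
Access classifyRequest(const std::string& remoteIP, const std::string& localIP) {
    uint32_t remote, local;
    try {
        remote = parseIPv4(remoteIP);
        local  = parseIPv4(localIP);
    } catch (const std::invalid_argument&) {
        return Access::Deny;
    }
    if (local == AP_IP && inSubnet(remote, AP_NET, NET_MASK)) return Access::Privileged;
    if (local != AP_IP && inSubnet(remote, STA_NET, NET_MASK)) return Access::Public;
    return Access::Deny;  // interface and source address disagree, or unknown network
}

const char* accessName(Access a) {
    switch (a) {
        case Access::Privileged: return "privileged";
        case Access::Public:     return "public";
        default:                 return "deny";
    }
}

int main() {
    // Constructed sample connections: (source address, ESP-side address).
    const char* samples[][2] = {
        {"192.168.4.7",  "192.168.4.1"},   // genuine soft-AP client
        {"192.168.1.23", "192.168.1.50"},  // client of the real access point
        {"192.168.4.7",  "192.168.1.50"},  // claims AP-side source, arrived on STA side
        {"10.0.0.5",     "192.168.4.1"},   // unknown source on the AP interface
    };
    for (auto& s : samples) {
        std::cout << s[0] << " -> " << s[1] << ": "
                  << accessName(classifyRequest(s[0], s[1])) << '\n';
    }
    return 0;
}
```

The point of reading `localIP()` as well is that the soft-AP interface has a fixed address that the station interface never carries, so it identifies the path the packet actually took, whereas the source address is only what the client put in the packet.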