I think that a firewall filter applied on the public interface, specifically permitting the IPs you know are legitimate for HTTP, denying all other HTTP requests, and then permitting all other traffic, should do it.
set firewall family inet filter test term 1 from source-address <IP address of legit hosts>
set firewall family inet filter test term 1 from destination-address <IP address of the firewall>
set firewall family inet filter test term 1 from protocol tcp
set firewall family inet filter test term 1 from destination-port 80
set firewall family inet filter test term 1 then accept
set firewall family inet filter test term 2 from destination-address <IP address of the firewall>
set firewall family inet filter test term 2 from protocol tcp
set firewall family inet filter test term 2 from destination-port 80
set firewall family inet filter test term 2 then discard
set firewall family inet filter test term 3 then accept
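
The filter only takes effect once it is attached as an input filter on the public interface. The following is an added example, not part of the original post: it assumes the public interface is ge-0/0/0 unit 0, uses a constructed prefix list named legit-http (in place of the source-address line in term 1) with documentation addresses, and adds a constructed counter name so blocked HTTP attempts can be observed.

```junos
# Constructed sample values: ge-0/0/0, 192.0.2.x and the names legit-http / blocked-http are placeholders.
# Keep the permitted HTTP sources in one prefix list so term 1 does not need editing per host.
set policy-options prefix-list legit-http 192.0.2.10/32
set policy-options prefix-list legit-http 192.0.2.11/32
set firewall family inet filter test term 1 from source-prefix-list legit-http
# Count what term 2 drops, so unexpected HTTP sources show up in the counters.
set firewall family inet filter test term 2 then count blocked-http
# Attach the filter to inbound traffic on the public interface.
set interfaces ge-0/0/0 unit 0 family inet filter input test
# Roll back automatically after 5 minutes unless a second commit confirms the change.
commit confirmed 5
```

After committing, `show firewall filter test` displays the blocked-http counter.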