In the AJAX world, there is no way to secure the server URL. And that's ok; security by obscurity is not a good practice anyway. What you need to do is make sure your server can't be hacked through that URL. A couple of tips:
Disable scripting in ES. The newer versions of ES have it disabled by default out of the box.
Don't expose your bare ES server to the world. By default ES is available on port 9200, which means anyone can run any query (or do anything else they want). Make sure that port is blocked from external access. As one commenter pointed out, the Javascript should be calling your server, which should in turn be calling the ES server as localhost (again, be sure localhost:9200 is blocked from external access) or behind a firewall.
Clean up all input queries before passing them to ES. ES is less vulnerable than SQL to "injection" attacks, but it is still critical to filter out any nasty characters such as \ { " : and so forth, to limit string lengths to something reasonable, etc.
Good luck!