Use and enforce HTTPS. This will automatically encrypt the traffic between the client and your server.
The only way anyone would be able to intercept the key would be if they had compromised the client, compromised your server, or tricked a rouge Certificate Authority into issuing a false certificate for your site. In any of those scenarios, you'd have bigger problems to worry about.
Assuming your DNS is set up correctly, you don't even need to pay -
Let's Encrypt[
^] will give you a certificate for free. On Windows, you can use
Windows ACME Simple[
^] to obtain and renew the certificate automatically.