How to allow access ONLY from my app?

I’m developing a web app and a completely custom UI using the Jitsi Meet API (lib-jitsi-meet.js) with my Docker Jitsi Meet installation, and I want to make sure I’m thinking through things properly.

I am disabling access to the web UI that ships with Jitsi, and I have included an Access-Control-Allow-Origin header in my nginx configuration to allow requests only from my web app’s domain. So my question is…

Having done those things, if I control access to Jitsi features (e.g. moderator status, etc.) completely from my custom web app - i.e. without using any of Jitsi’s built-in authentication (internal, JWT, etc), am I jeopardizing security? In other words, I’d like to authenticate and manage access to Jitsi entirely from my web app.

It seems such a setup would permit access to Jitsi only through my web app (which is what I want), but I want to make sure I’m thinking through all the security implications. Does anyone see any glaring security oversights with a setup like this?

Any input or insights would be appreciated!

I rephrased my question. Is there a way to allow HTTP requests to my Jitsi installation from ONLY my web app?

It’s easy to disable the built-in web interface, but the Jitsi mobile app can still access the service. How do I disallow access from everywhere except my app?


Did you manage to do it, and if so, how?

You may check the user agent in nginx. It's not real security, but it works to some extent.

Thank you, we managed to block Android and iOS user agents by adding the following to the nginx default file:

```nginx
# Inside the server {} (or location {}) block of the Jitsi site config.
# "~" is a case-sensitive regex match; quote the pattern so nginx does not
# mis-parse the "|" alternation. okhttp is the Android HTTP client, Darwin
# shows up in the iOS/CFNetwork user agent.
if ($http_user_agent ~ "okhttp|Darwin") {
    return 403;
}
```
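To see what the nginx user-agent rule above actually catches, here is an added example (not code from the thread or from the Jitsi project) that models the rule in Python and runs it over a handful of constructed request headers: the User-Agent strings are illustrative, not captured traffic, and the function names are my own. It shows that the rule drops the stock mobile-client user agents, but that a client sending a browser-like or empty User-Agent sails through, which is why the earlier reply calls this "not real security". The same limitation applies to Access-Control-Allow-Origin: CORS is enforced by browsers, so a native client can send any Origin header or none at all.

```python
import re
from typing import Dict

# The pattern from the nginx rule: if ($http_user_agent ~ "okhttp|Darwin") { return 403; }
# nginx "~" is case-sensitive ("~*" would be case-insensitive), so no re.IGNORECASE here.
BLOCKED_UA = re.compile(r"okhttp|Darwin")


def nginx_ua_decision(headers: Dict[str, str]) -> int:
    """Model the nginx rule: 403 when the User-Agent matches, otherwise let the
    request through (200 stands in for 'passed to the Jitsi backend')."""
    ua = headers.get("User-Agent", "")
    return 403 if BLOCKED_UA.search(ua) else 200


# Constructed sample requests (illustrative header values, not real captures).
SAMPLE_REQUESTS: Dict[str, Dict[str, str]] = {
    # Android Jitsi client: okhttp is the HTTP stack the app uses.
    "android-app": {"User-Agent": "okhttp/4.9.3"},
    # iOS client: CFNetwork appends the Darwin kernel version.
    "ios-app": {"User-Agent": "jitsi-meet/1.0 CFNetwork/1335.0.3 Darwin/21.6.0"},
    # A real browser request coming from the custom web app.
    "browser": {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/117.0 Safari/537.36",
        "Origin": "https://myapp.example",
    },
    # Any client can set its User-Agent to whatever it likes; this is the bypass.
    "spoofed-app": {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64) Chrome/117.0"},
    # A script that sends no User-Agent at all is also not matched.
    "empty-ua": {},
}


def evaluate_all() -> Dict[str, int]:
    """Run every constructed request through the modelled rule."""
    return {name: nginx_ua_decision(h) for name, h in SAMPLE_REQUESTS.items()}


def bypasses() -> list:
    """Names of non-browser requests the rule fails to block (the caveat)."""
    results = evaluate_all()
    return [name for name in ("spoofed-app", "empty-ua") if results[name] == 200]


if __name__ == "__main__":
    for name, status in evaluate_all().items():
        print(f"{name:12s} -> {status}")
    print("not blocked:", bypasses())
```

Running it prints 403 for the two stock mobile user agents and 200 for everything else, including the spoofed and empty ones. The takeaway for the original question is that neither the User-Agent check nor the CORS header constrains who can talk to the Jitsi services; they only filter clients that identify themselves honestly.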