Is it safe to make jitsi-meet configuration file public?



I want to know if it’s safe to keep the Jitsi-Meet configuration file public? Like the official one
What will happen if another platform uses the same for their clients? For instance, is using


I don’t see a problem with that. For example, the infrastructure is open and can be used by anybody the same way as is open to everybody.
All the configurations there like callstats, analytics, Microsoft or Google AppIDs are supposed to be used that way and have their own protection mechanisms configuring the source site so that they can be used only from, so nobody can take those and use them for their own deployment.
There are also a number of ways to protect the use of the system, such as jwt and authentication.

#3 was just an example.
If I understood well, any other Jitsi platform could use my resources (prosody, jvb, etc.) once they use the same configuration file as my platform?
I am talking about my jitsi-meet platform with basic installation (without any kind of authentication).


So the entry point for the deployment is the BOSH connection. If that BOSH connection cannot be established from another domain, it is safe; I think this is the case with a default unprotected deployment.


I used for my testing platform and this is what I got


That’s interesting, I thought it can be used from everywhere. The interesting part is what is in the console log, what didn’t work? :slight_smile:


I simply got this in the JS console:

Any explanation? Maybe there are more details in your prosody’s log files


Hum, it must be something else. That is strange: it asks for a password, does not authenticate you for some reason … Did you download the config.js or do you just reference it from your deployment? Reference will not work as the way is configured.
Checking prosody logs is not an option, there are 6 shards (6 prosodies) in different locations and without knowing the conference name, but anyway it will be a waste of time.
But loading bosh from should be fine as it has 'Access-Control-Allow-Origin' '*'.


Maybe because I send JWT in the URL? :thinking:
I will try to do it without the token parameter in the URL

I downloaded it and replaced my configuration file with it


Yeah, there is no way for jwt to work, as you don’t know the shared secret configured on :wink:


Well, I confirm. I used for my jitsi platform.
I guess is one of your jvb instances.


So the only way to prevent other Jitsi platforms from using my resources, besides authentication and jwt, is to set the Access-Control-Allow-Origin HTTP header to 'Access-Control-Allow-Origin' ''?


Yes, or to not set it at all; this will prevent any other than the client connected using the web under your domain.


Tested and approved! :ok_hand:
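
Added example (not part of the thread, and not Jitsi code): a small model of the `Access-Control-Allow-Origin` decision discussed above, run against the three header settings the thread mentions (`'*'`, not set, and pinned to one origin). The hostnames are constructed placeholders and `/http-bind` is an assumed BOSH path; preflight method/header checks and credentials are left out of the model.

```javascript
// Added example, not from the thread. Hostnames are constructed placeholders;
// "/http-bind" is assumed as the BOSH path of the deployment.

// Model of the Access-Control-Allow-Origin decision a browser makes before
// letting a page read a response from the BOSH endpoint.
function browserAllowsRead(pageUrl, boshUrl, responseHeaders) {
  const pageOrigin = new URL(pageUrl).origin;
  if (pageOrigin === new URL(boshUrl).origin) return true; // same origin: no CORS check

  // HTTP header names are case-insensitive, so normalise before the lookup.
  const headers = {};
  for (const [name, value] of Object.entries(responseHeaders)) {
    headers[name.toLowerCase()] = String(value).trim();
  }
  const acao = headers['access-control-allow-origin'];
  if (acao === undefined || acao === '') return false; // header not set: blocked
  if (acao === '*') return true;                        // wildcard: any site's page
  return acao === pageOrigin;                           // otherwise exact match only
}

// Compare what the deployment's own web client and a client served from
// another domain would be allowed to do against the same BOSH endpoint.
function audit(ownPage, foreignPage, boshUrl, responseHeaders) {
  return {
    ownClient: browserAllowsRead(ownPage, boshUrl, responseHeaders),
    foreignClient: browserAllowsRead(foreignPage, boshUrl, responseHeaders),
  };
}

// Constructed sample data: one deployment, three header configurations.
const BOSH = 'https://meet.example.org/http-bind';
const OWN = 'https://meet.example.org/SomeRoom';
const FOREIGN = 'https://conference.example.net/SomeRoom';
const CONFIGS = {
  wildcard: { 'Access-Control-Allow-Origin': '*' },
  unset: { 'Content-Type': 'text/xml; charset=utf-8' },
  pinned: { 'access-control-allow-origin': 'https://meet.example.org' },
};

for (const [label, headers] of Object.entries(CONFIGS)) {
  const r = audit(OWN, FOREIGN, BOSH, headers);
  console.log(`${label}: own=${r.ownClient} foreign=${r.foreignClient}`);
}
```

The model covers the browser-side check only: the header authenticates nothing by itself, which is why the thread lists jwt and authentication as the other protections.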