Is it secure/safe to expose config.js through Apache/nginx alias

For example:
https://meet.jit.si/config.js

I see some app secret IDs and other sensitive configuration info which, I suppose, should not be public.
It’s supposed to be public, is it not vulnerable?
Sure, one could add basic/digest authentication, but then Jitsi Meet mobile doesn’t work.

Anything that is on the web without authentication should not be sensitive, and the same goes for the values in config.js. The services whose IDs and secrets you can see there have another layer of protection, and those are just for authorization to accept your data.
You cannot use anything from the data in config.js to abuse those accounts.

Ok, thanks. Still, I don’t want to expose Jitsi to the public; even Apache has an option to hide itself for security’s sake, and I don’t believe that such a huge amount of various configuration info is not potentially vulnerable somehow. But anyway, I need to protect Jitsi with basic/digest authentication, because I don’t want anonymous users kidding around my server trying to connect and explore. BTW: anonymous users try to join new rooms (I disabled anonymous access and they fail to authenticate) and see those rooms they were trying to create in a recent room list. Is that normal too? :slight_smile: It’s off-topic, but actually I was looking for a way to protect Jitsi with standard web authentication and not break Jitsi Meet mobile.

Sorry, the recent room list is actually from the browser cache.