Skip to content

Network Guidelines

This document lists the firewall, proxy, and TLS settings your IT team should review before Ouva goes live. All traffic is outbound only over TLS 1.2 or higher. No inbound ports are required.

Service / FunctionDomains to AllowPortProtocol
Ouva Web App (hosted on Netlify)app.ouva.co (CNAME -> Netlify CDN)443HTTPS
Supabase Auth & Database API*.supabase.co443HTTPS & WebSocket
MediaPipe model assets (camera scenes only)storage.googleapis.com443HTTPS
MediaPipe runtime assets (camera scenes only)cdn.jsdelivr.net443HTTPS
Stripe billing and customer profilejs.stripe.com, api.stripe.com443HTTPS
ElevenLabs text-to-speech (if enabled)api.elevenlabs.io443HTTPS
ServiceDomainsPortProtocol
Remote support tools (if used by your facility)Vendor-specific (for example anydesk.com)443HTTPS
  1. Endpoints insist on TLS 1.2+; SSL-inspection appliances must supply certificates trusted by browsers/kiosks.
  2. Supabase real-time channels use WebSockets on port 443; proxies must honor the Upgrade header.
  3. There is no inbound connectivity requirement.
  • Initial scene loads can require tens of MB depending on the selected experience and assets.
  • Browser caching reduces repeat transfer for frequently used scenes.
  • Video-wall kiosks that cycle scenes frequently should be provisioned for sustained outbound HTTPS traffic.

Supabase session handling depends on accurate device time. Keep kiosk and user devices synchronized with NTP (internal source or pool.ntp.org).

  • Recommended browser: current Google Chrome (standard mode or kiosk mode).
  • Keep browser and OS updates current for security and graphics performance.
  • Keep outbound HTTPS available during maintenance windows so kiosks can pick up frontend updates.

Once these items are in place, both browser users and always-on kiosk deployments can operate without additional inbound network changes.

For a complete telemetry and egress breakdown (types, data elements, triggers, and controls), see Telemetry & Data Egress.