Network Guidelines
This document lists every firewall, proxy, and TLS setting your organization’s IT staff must review before the Ouva web application or kiosk hardware goes live. All traffic is outbound only over TLS 1.2 or higher; no inbound ports are ever opened into your network.
Required Outbound Connectivity
Service | Host | Port | Protocol
Ouva Web App (hosted on Netlify) | app.ouva.co (CNAME → Netlify CDN) | 443 | HTTPS
Supabase Auth & Database API | *.supabase.co | 443 | HTTPS & WebSocket
TensorFlow Lite model download | storage.googleapis.com | 443 | HTTPS
JavaScript utility CDN | cdn.jsdelivr.net | 443 | HTTPS
Plausible Analytics (non-PII) | plausible.io | 443 | HTTPS
Optional — Hardware Support
Service | Host | Port | Protocol
Grafana Cloud | *.grafana.net | 443 | HTTPS
TLS & Proxy Notes
Endpoints require TLS 1.2 or higher; SSL-inspection appliances must present certificates that the browsers and kiosks trust.
Supabase real-time channels use WebSockets on port 443; proxies must honor the Upgrade header.
There is no inbound connectivity requirement.
Bandwidth
A complete load of a single scene is approximately 25 MB.
In kiosk mode, the application typically loads a new scene every few minutes.
Time Synchronization
Supabase JWTs are short-lived; client clocks must be within ±2 minutes. Provide NTP (UDP 123) to pool.ntp.org or an internal source.
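The TLS and clock requirements above can be checked from a kiosk or workstation before go-live. The script below is an added example, not Ouva's own tooling: it connects to each required host with TLS 1.2 as the floor, reports the certificate issuer so an inspection appliance is visible, and compares the local clock with the server's HTTP Date header. It assumes a direct or transparently proxied path (no explicit CONNECT proxy), and `your-project.supabase.co` is a placeholder for your project's host name.

```python
"""Added example: pre-go-live probe for TLS 1.2+ reachability and clock skew."""
import socket
import ssl
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Required hosts from this page. "your-project.supabase.co" is a placeholder
# for the concrete name behind *.supabase.co; replace it with your own.
HOSTS = ["app.ouva.co", "your-project.supabase.co", "storage.googleapis.com",
         "cdn.jsdelivr.net", "plausible.io"]
MAX_SKEW_SECONDS = 120  # the +/- 2 minute limit stated above


def clock_skew_seconds(date_header, local_now):
    """Signed offset (local minus server) using an HTTP Date header."""
    return (local_now - parsedate_to_datetime(date_header)).total_seconds()


def skew_ok(date_header, local_now):
    return abs(clock_skew_seconds(date_header, local_now)) <= MAX_SKEW_SECONDS


def probe(host, port=443, timeout=5):
    """Return (tls_version, issuer_org, date_header) for one host."""
    ctx = ssl.create_default_context()            # system trust store, hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse anything older
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            # An inspection appliance shows up here as the issuing organization.
            issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
            request = f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
            tls.sendall(request.encode("ascii"))
            head = tls.recv(4096).decode("latin-1")
            date = next((line.split(":", 1)[1].strip() for line in head.split("\r\n")
                         if line.lower().startswith("date:")), None)
            return tls.version(), issuer.get("organizationName"), date


if __name__ == "__main__":
    for host in HOSTS:
        try:
            version, issuer, date = probe(host)
            now = datetime.now(timezone.utc)
            skew = "no Date header" if date is None else (
                f"skew {clock_skew_seconds(date, now):+.0f}s "
                f"({'ok' if skew_ok(date, now) else 'OUT OF RANGE'})")
            print(f"OK   {host}: {version}, issuer={issuer}, {skew}")
        except OSError as exc:  # blocked port, TLS below 1.2, or untrusted certificate
            print(f"FAIL {host}: {exc}")
```

Python validates against the operating system's trust store, which can differ from the one a browser uses, so a FAIL with a certificate error means the inspection CA still needs to be deployed wherever the kiosk browser looks for it.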
Software Updates
Supported browsers: any Chromium-based or Firefox release ≤ 12 months old.
Kiosks pull new Netlify bundles nightly; outbound HTTPS must remain open during maintenance windows.
OS patching flows through standard Microsoft Windows Updates.
Once these items are in place, both the browser-based application at app.ouva.co and any Ouva-managed kiosks will operate without further network changes.