Network Guidelines

This document lists every firewall, proxy, and TLS setting your organization’s IT staff must review before the Ouva web application or kiosk hardware goes live. All traffic is outbound only over TLS 1.2 or higher; no inbound ports are ever opened into your network.

Required Outbound Connectivity

| Service / Function | Domains to Allow (wildcards permitted) | Port | Protocol |
| --- | --- | --- | --- |
| Ouva Web App (hosted on Netlify) | app.ouva.co (CNAME → Netlify CDN) | 443 | HTTPS |
| Supabase Auth & Database API | *.supabase.co | 443 | HTTPS & WebSocket |
| TensorFlow Lite model download | storage.googleapis.com | 443 | HTTPS |
| JavaScript utility CDN | cdn.jsdelivr.net | 443 | HTTPS |
| Plausible Analytics (non-PII) | plausible.io | 443 | HTTPS |

Optional — Hardware Support

| Service | Domains | Port | Protocol |
| --- | --- | --- | --- |
| Grafana Cloud | *.grafana.net | 443 | HTTPS |

TLS & Proxy Notes

  1. Endpoints require TLS 1.2 or higher; SSL-inspection appliances must present certificates that the browsers and kiosks trust.

  2. Supabase real-time channels use WebSockets on port 443—proxies must honor the Upgrade header.

  3. There is no inbound connectivity requirement.

Bandwidth

  • Fully loading a single scene transfers approximately 25 MB.

  • In kiosk mode, the application typically loads a new scene every few minutes.

Time Synchronization

Supabase JWTs are short-lived; client clocks must be within ±2 minutes. Provide NTP (UDP 123) to pool.ntp.org or an internal source.
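
A preflight check for the TLS and clock requirements above, meant to be run from a kiosk or a host on the same network segment. This is an added example, not Ouva's own tooling: the function names, the --live flag and the project-ref.supabase.co placeholder are assumptions, and it assumes direct or transparent-proxy egress with Python's system trust store standing in for the kiosk's.

```python
import contextlib, email.utils, http.client, ssl, sys
from datetime import datetime, timezone

# Hosts from the table above. "project-ref.supabase.co" is a placeholder for the
# *.supabase.co row: substitute your own Supabase project hostname.
REQUIRED = ["app.ouva.co", "project-ref.supabase.co", "storage.googleapis.com",
            "cdn.jsdelivr.net", "plausible.io"]
MAX_SKEW_SECONDS = 120  # the ±2 minute tolerance from "Time Synchronization"

def skew_seconds(date_header, now=None):
    """Local clock minus server clock, from an HTTP Date header (None if absent)."""
    if not date_header:
        return None
    server = email.utils.parsedate_to_datetime(date_header)
    return ((now or datetime.now(timezone.utc)) - server).total_seconds()

def assess(tls_version, issuer_org, skew, inspection_cas=()):
    """Turn one probe result into findings; an empty list means the host passes."""
    findings = []
    if tls_version not in ("TLSv1.2", "TLSv1.3"):
        findings.append(f"negotiated {tls_version}, need TLS 1.2 or higher")
    if issuer_org in inspection_cas:
        findings.append(f"info: certificate re-signed by inspection CA {issuer_org!r}")
    if skew is None:
        findings.append("no Date header, clock skew not checked")
    elif abs(skew) > MAX_SKEW_SECONDS:
        findings.append(f"clock off by {skew:+.0f} s, limit is {MAX_SKEW_SECONDS} s")
    return findings

def probe(host, timeout=5):
    """TLS handshake against the system trust store, then one HEAD request."""
    ctx = ssl.create_default_context()            # verifies chain and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse anything older
    conn = http.client.HTTPSConnection(host, 443, timeout=timeout, context=ctx)
    with contextlib.closing(conn):
        conn.connect()
        version = conn.sock.version()
        issuer = dict(rdn[0] for rdn in conn.sock.getpeercert()["issuer"])
        conn.request("HEAD", "/")
        date = conn.getresponse().getheader("Date")
    return version, issuer.get("organizationName", "?"), date

if __name__ == "__main__" and "--live" in sys.argv:  # network use is opt-in
    for host in REQUIRED:
        try:
            version, issuer, date = probe(host)
            print(host, version, issuer, assess(version, issuer, skew_seconds(date)))
        except (OSError, http.client.HTTPException) as exc:  # includes TLS failures
            print(host, "FAILED:", exc)
```

An issuer that names your inspection appliance's CA shows the proxy is re-signing traffic; a certificate verification failure means that CA is missing from the trust store being used.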

Software Updates

  • Supported browsers: any Chromium-based or Firefox release ≤ 12 months old.

  • Kiosks pull new Netlify bundles nightly; outbound HTTPS must remain open during maintenance windows.

  • OS patching flows through standard Microsoft Windows Update.

Once these items are in place, both the browser-based application at app.ouva.co and any Ouva-managed kiosks will operate without further network changes.
