It is mandatory to have a reverse proxy in front of your Content Services infrastructure. This proxy is then configured with a whitelist of allowed URLs, and blocks everything else. The proxy is also where you implement SSL.
You can find a sample NGINX configuration in our GitHub project, and the corresponding image in Docker Hub.