You must place a reverse proxy in front of your Content Services infrastructure. Configure this proxy with a whitelist of allowed URLs so that it blocks everything else. The proxy is also where you implement SSL, terminating encrypted connections before requests reach the backend. For more information on implementing SSL, see the NGINX SSL Termination article on the NGINX Docs site: https://docs.nginx.com/.
You can find a sample NGINX configuration in our GitHub project, and the corresponding image in Docker Hub.
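
The following is an added illustration of the pattern described above (default deny, explicit whitelist, SSL terminated at the proxy); it is not the sample configuration from the GitHub project. The hostname, certificate paths, backend address and the `/allowed-app/` and `/allowed-api/` prefixes are placeholders to replace with your own values.

```nginx
# Added example, not the project's sample configuration.
# Place inside the http {} context. All names, paths and addresses
# below are placeholders.

upstream content_backend {
    server 127.0.0.1:8080;                  # placeholder backend address
}

server {
    listen 80;
    server_name content.example.com;        # placeholder hostname
    return 301 https://$host$request_uri;   # no plain-HTTP access
}

server {
    listen 443 ssl;
    server_name content.example.com;

    # SSL terminates here; the backend receives plain HTTP.
    ssl_certificate     /etc/nginx/ssl/placeholder.crt;
    ssl_certificate_key /etc/nginx/ssl/placeholder.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Inherited by every location that sets no proxy_set_header itself.
    proxy_set_header Host              $host;
    proxy_set_header X-Real-IP         $remote_addr;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # Default deny: any URL not matched by a whitelisted prefix below.
    location / {
        return 403;
    }

    # Whitelisted prefixes (placeholders). List only what clients need.
    location /allowed-app/ {
        proxy_pass http://content_backend;
    }
    location /allowed-api/ {
        proxy_pass http://content_backend;
    }

    # The longest matching prefix wins, so a sub-path of a whitelisted
    # prefix can still be blocked explicitly.
    location /allowed-api/internal/ {
        return 403;
    }
}
```

Check the rules with `nginx -t` before reloading, then request one whitelisted and one unlisted URL to confirm the second returns 403.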