OpenVidu security is centered on token-based session control, TURN/WebRTC network hardening, and strict protection of OPENVIDU_SECRET and recording storage.
¶ 1) Protect OPENVIDU_SECRET and API surfaces
- Use a long random OPENVIDU_SECRET and store it in a root-only .env file.
- Never expose OpenVidu REST/API endpoints directly without reverse proxy controls.
- Restrict backend token-generation endpoints to authenticated application users.
- Rotate OPENVIDU_SECRET during incident response and scheduled key-management windows.
- Generate short-lived OpenVidu tokens server-side only.
- Bind token issuance to app identity and room authorization policy.
- Avoid anonymous token endpoints.
- Restrict recording start/stop permissions to moderator roles in your app layer.
- Open only required signaling/media ports and lock all others.
- Use TURN authentication for relay mode; avoid open relay configurations.
- Ensure DNS resolution and TLS certificate renewal are monitored for DOMAIN_OR_PUBLIC_IP.
- Keep Kurento/OpenVidu media nodes on private networks where possible.
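The token-issuance and recording-permission items earlier in this list, as an added Python example (this is not OpenVidu's own code). It assumes the OpenVidu 2.x REST API shape, where the backend creates a connection token with POST /openvidu/api/sessions/<sessionId>/connection authenticated by HTTP Basic auth as user OPENVIDUAPP with OPENVIDU_SECRET as the password. AppUser, ROOM_POLICY, the domain and the secret value are constructed for the example; only the request is built, nothing is sent.

```python
"""Server-side OpenVidu token issuance gate.

Added example, not OpenVidu project code. Assumes the OpenVidu 2.x REST API:
  POST https://<DOMAIN_OR_PUBLIC_IP>/openvidu/api/sessions/<sessionId>/connection
  with Basic auth OPENVIDUAPP:<OPENVIDU_SECRET>
The user model and room policy below are constructed for the example.
"""
import base64
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class AppUser:
    """Application identity as established by the app's own login (constructed)."""
    user_id: str
    authenticated: bool


# Constructed room-authorization policy: user -> OpenVidu role per room.
ROOM_POLICY = {
    "standup-42": {"alice": "MODERATOR", "bob": "PUBLISHER", "carol": "SUBSCRIBER"},
}


class TokenDenied(Exception):
    """Raised when the app layer refuses to mint a token for this user/room."""


def resolve_role(user: AppUser, room_id: str) -> str:
    """Map app identity plus room policy to an OpenVidu role.

    Anonymous callers and users not listed for the room are refused, so no
    token endpoint is reachable without an application identity.
    """
    if not user.authenticated:
        raise TokenDenied("anonymous token requests are not allowed")
    role = ROOM_POLICY.get(room_id, {}).get(user.user_id)
    if role is None:
        raise TokenDenied(f"user {user.user_id!r} is not authorized for room {room_id!r}")
    return role


def token_allowed(user: AppUser, room_id: str) -> bool:
    """Boolean form of resolve_role for callers that only need a yes/no."""
    try:
        resolve_role(user, room_id)
        return True
    except TokenDenied:
        return False


def may_control_recording(user: AppUser, room_id: str) -> bool:
    """Recording start/stop is reserved for users the app maps to MODERATOR."""
    return token_allowed(user, room_id) and resolve_role(user, room_id) == "MODERATOR"


def basic_auth_header(secret: str) -> str:
    """Basic auth value for OpenVidu's REST API (user is always OPENVIDUAPP)."""
    return "Basic " + base64.b64encode(f"OPENVIDUAPP:{secret}".encode()).decode()


def build_connection_request(user: AppUser, room_id: str, domain: str, secret: str) -> dict:
    """Build the backend-to-OpenVidu request that creates a connection token.

    OPENVIDU_SECRET appears only in the Authorization header of this
    server-side call; the browser client later receives just the token.
    """
    role = resolve_role(user, room_id)
    return {
        "method": "POST",
        "url": f"https://{domain}/openvidu/api/sessions/{room_id}/connection",
        "headers": {"Authorization": basic_auth_header(secret),
                    "Content-Type": "application/json"},
        # 'data' is free-form metadata OpenVidu attaches to the connection.
        "body": {"role": role, "data": json.dumps({"user": user.user_id})},
    }


if __name__ == "__main__":
    req = build_connection_request(AppUser("alice", True), "standup-42",
                                   "meet.example.test", "constructed-secret")
    print(req["url"], req["body"]["role"])
```

The secret is read once on the server (for instance from the root-only .env) and never placed in the token, the response body, or any client-visible configuration; the role comes from the app's own policy table rather than from anything the client sends.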
¶ 4) Recording and storage controls
- Set recording path permissions to service user only.
- Encrypt recordings at rest when policy requires it.
- Enforce retention policy for old recordings.
- Include the recording directory and .env in backup/restore testing.
¶ Verification commands
sudo grep -E 'OPENVIDU_SECRET|DOMAIN_OR_PUBLIC_IP|OPENVIDU_RECORDING|OPENVIDU_RECORDING_PATH' /opt/openvidu/.env
sudo ss -tulpn | grep -E ':443|:3478|:5349|:4443|:7880'
sudo ls -ld /opt/openvidu/recordings
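The same checks as the verification commands above, turned into pass/fail findings, as an added Python example (not part of the OpenVidu project). The checks for .env file mode, secret length, DOMAIN_OR_PUBLIC_IP and recording-directory mode encode the policy items on this page; the minimum secret length and the treatment of "localhost" as unacceptable are assumed local policy, and demo() builds a constructed weak and hardened layout in a temporary directory instead of reading /opt/openvidu.

```python
"""Offline audit of OpenVidu .env hygiene and recording-directory permissions.

Added example, not OpenVidu project code. Paths are parameters so it can be
pointed at /opt/openvidu/.env and /opt/openvidu/recordings; demo() uses a
constructed temporary layout. MIN_SECRET_LEN is an assumed local policy.
"""
import os
import secrets
import stat
import tempfile

PLACEHOLDER_SECRETS = {"", "MY_SECRET", "CHANGEME", "changeme", "secret"}
MIN_SECRET_LEN = 32  # assumed policy, not an OpenVidu requirement


def parse_env(path):
    """Parse KEY=VALUE lines; skip comments and blanks, strip simple quotes."""
    env = {}
    with open(path) as fh:
        for line in fh:
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, value = line.split("=", 1)
            env[key.strip()] = value.strip().strip('"').strip("'")
    return env


def check_mode(path, expected_uid, allowed_mask, label):
    """Flag wrong ownership or any permission bit outside allowed_mask."""
    st = os.stat(path)
    findings = []
    if st.st_uid != expected_uid:
        findings.append(f"{label}: owned by uid {st.st_uid}, expected {expected_uid}")
    mode = stat.S_IMODE(st.st_mode)
    if mode & ~allowed_mask:
        findings.append(f"{label}: mode {oct(mode)} grants more than {oct(allowed_mask)}")
    return findings


def audit(env_path, env_owner_uid, service_uid):
    """Return a list of findings; an empty list means every check passed."""
    findings = check_mode(env_path, env_owner_uid, 0o600, ".env")
    env = parse_env(env_path)
    secret = env.get("OPENVIDU_SECRET", "")
    if secret in PLACEHOLDER_SECRETS:
        findings.append("OPENVIDU_SECRET: missing or placeholder value")
    elif len(secret) < MIN_SECRET_LEN:
        findings.append(f"OPENVIDU_SECRET: {len(secret)} chars, policy requires {MIN_SECRET_LEN}")
    domain = env.get("DOMAIN_OR_PUBLIC_IP", "")
    if not domain or domain == "localhost":
        findings.append("DOMAIN_OR_PUBLIC_IP: not a monitorable public name")
    if env.get("OPENVIDU_RECORDING", "false").lower() == "true":
        rec_path = env.get("OPENVIDU_RECORDING_PATH", "/opt/openvidu/recordings")
        if os.path.isdir(rec_path):
            findings += check_mode(rec_path, service_uid, 0o700, "recordings dir")
        else:
            findings.append(f"recordings dir {rec_path} does not exist")
    return findings


def build_fixture(base, hardened):
    """Write a constructed .env and recordings dir; weak or hardened variant."""
    rec_dir = os.path.join(base, "recordings")
    os.mkdir(rec_dir)
    os.chmod(rec_dir, 0o700 if hardened else 0o755)
    secret = secrets.token_hex(24) if hardened else "MY_SECRET"
    domain = "meet.example.test" if hardened else "localhost"
    env_path = os.path.join(base, ".env")
    with open(env_path, "w") as fh:
        fh.write(f"# constructed sample\nOPENVIDU_SECRET={secret}\n"
                 f"DOMAIN_OR_PUBLIC_IP={domain}\nOPENVIDU_RECORDING=true\n"
                 f"OPENVIDU_RECORDING_PATH={rec_dir}\n")
    os.chmod(env_path, 0o600 if hardened else 0o644)
    return env_path


def demo():
    """Audit a weak and a hardened constructed layout; return both finding lists."""
    uid = os.getuid()
    with tempfile.TemporaryDirectory() as weak, tempfile.TemporaryDirectory() as good:
        weak_findings = audit(build_fixture(weak, hardened=False), uid, uid)
        good_findings = audit(build_fixture(good, hardened=True), uid, uid)
    return weak_findings, good_findings


if __name__ == "__main__":
    for name, result in zip(("weak", "hardened"), demo()):
        print(name, result or "OK")
```

Against a real deployment, call audit("/opt/openvidu/.env", 0, <service uid>) as root: the owner uid for .env is 0 per the root-only rule above, and the recordings owner is whatever uid the media service runs as.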
- OpenVidu documentation: https://docs.openvidu.io/
- OpenVidu self-hosting (on-premises): https://docs.openvidu.io/en/stable/deployment/
- OpenVidu security notes: https://docs.openvidu.io/en/stable/reference-docs/openvidu-config/
- OpenVidu source repository: https://github.com/OpenVidu/openvidu