I put mine behind caddy on a long unguessable path prefix. So that acts as a sort of password that you need to know before you can access it at all. So far it's seemed to work great. The advantage to using a path prefix vs like caddy basic auth is that its compatible with all the normal jellyfin clients.