Corporate IT allowlist — RetroEP
Use this page when approving RetroEP (retroep.com) on managed browsers, SSL inspection proxies, or web filters. The app is fully client-side with a same-origin HTTPS API — no third-party scripts, analytics, or WebSockets.
Domains and ports
- Allow: retroep.com, www.retroep.com
- Port: TCP 443 (HTTPS) only — no other ports required
- API: POST https://retroep.com/api/room.php (JSON, same-origin)
TLS / certificate trust
- Public certificate: Let's Encrypt (presented chain includes ISRG Root X1 cross-sign)
- If users see NET::ERR_CERT_AUTHORITY_INVALID on office networks, SSL inspection is replacing the leaf — install your corporate root CA or bypass inspection for retroep.com
- See also: Connection troubleshooting
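To confirm from a managed workstation whether inspection is replacing the leaf, the following added example (not RetroEP's own code) classifies the TLS result by issuer organization and OpenSSL verify code. It assumes Let's Encrypt leaves carry the issuer organization "Let's Encrypt"; the function names, result labels and sample certificates are constructed for illustration.

```python
import socket
import ssl

EXPECTED_ISSUER_ORG = "Let's Encrypt"  # assumption: issuer O= on the public leaf
# OpenSSL verify codes that mean "chain does not end at a trusted root":
# 18/19 self-signed, 20 issuer not found locally, 21 cannot verify leaf.
UNTRUSTED_CA_CODES = {18, 19, 20, 21}

def issuer_org(cert):
    """Return organizationName from a getpeercert()-style dict, or None."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None

def classify(cert=None, verify_code=None):
    """Map a handshake outcome to one of four labels (labels are illustrative)."""
    if verify_code is not None:
        # Handshake failed: the browser equivalent is NET::ERR_CERT_AUTHORITY_INVALID
        # when the proxy's CA is missing from the trust store.
        return "inspected-untrusted" if verify_code in UNTRUSTED_CA_CODES else "other-tls-error"
    if issuer_org(cert or {}) == EXPECTED_ISSUER_ORG:
        return "direct"  # public leaf seen: inspection bypassed or absent
    return "inspected-trusted"  # chain validated, but a proxy CA issued the leaf

def probe(host="retroep.com", port=443, timeout=5):
    """Connect with the system trust store and classify what was presented."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return classify(cert=tls.getpeercert())
    except ssl.SSLCertVerificationError as exc:
        return classify(verify_code=exc.verify_code)

# Constructed samples in getpeercert() format (not captured from a real network).
SAMPLE_DIRECT = {"issuer": ((("countryName", "US"),),
                            (("organizationName", "Let's Encrypt"),),
                            (("commonName", "R11"),))}
SAMPLE_PROXY = {"issuer": ((("organizationName", "Example Corp Inspection CA"),),
                           (("commonName", "proxy-ca.example.internal"),))}

if __name__ == "__main__":
    print(probe())
```

Python's trust store can differ from the managed browser's, so a "direct" or "inspected-trusted" result here does not guarantee the browser trusts the same chain.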
No third-party dependencies at runtime
- No Google Analytics, ads, social widgets, or external CDNs
- JavaScript and assets served only from retroep.com
- Real-time sync via HTTP polling (1–6 s) — no WebSockets
- Content-Security-Policy: default-src 'self', connect-src 'self', script-src 'self'
Firewall / proxy categories
Suggested categories: Collaboration, Productivity, or Business / SaaS. Not required: streaming media, gambling, or file-sharing categories.
Corporate NAT: up to 100 participants per room may share one public IP; rate limits are token-based (fair use behind NAT).
Data handling
- No user accounts or persistent login
- Room cards/comments are ephemeral session data — export client-side before room expiry
- Optional room password (bcrypt server-side)
- Do not enter regulated personal data on cards