Before I dive into the code, is there a way (out of the box) that would allow me to put more restrictions around the “/app” route? I would like to only allow internal traffic (by IP) to that route but allow external traffic to the API routes.
Not from within Squidex. If you use a reverse proxy you can do it there. Or you write a custom middleware and provide a PR for that.