Cloudflare tunnel to view WLED liveview in iframe

Given that WLED doesn’t support https and therefore the live view can’t be displayed within an iframe unless on the local network, I wondered if it was possible to add an additional host in the cloudflare add-on for my wled lights and as such use that to display the live view.

Obviously doing this means my wled lights are available to everyone who looks at the domain. I then decided to create a rewrite URL rule in cloudflare to prevent access to any page other than the live view. Then I was able to add a card containing an iframe with the preview of my Wled lights whether within my local network or not.

My concern is however, is this secure? Forgive my ignorance, but is it easy to bypass a rewrite URL rule such that the settings/main page etc of my wled instance can be compromised by an attacker?

I’ve attached screenshots of what I’ve done. Any advice is welcome.

Settings in cloudflare add-on: EDIT: I realise I have the same name for the external home assistant home name as I do for the additional host. This is a mistake, I changed them to show an example domain and copied and pasted the same info in both fields. Consider it to actually be for the External hostname.

Cloudflare rewrite URL rule:

Conditional card to display the live view:

type: conditional
  - entity: light.goveestrip
    state: 'on'
  type: iframe
  aspect_ratio: 4%