Authorize custom applications running with the Kubespawner?

I want to be able to launch custom containers with the JupyterHub KubeSpawner. This works so far; however, I discovered that the generated URI, https://my-jupyterhub-host/user/my-username, is reachable from everywhere once the user has logged in on one machine.
When launching a default Jupyterlab Singleuser, this is not the case.
How can I lock down a started instance? I already tried to forward all cookies to the main address but this only gives me redirects to the login page. Can anyone guide me to how this is done correctly?

If you’ve written your own singleuser server you’ll need to implement authorisation yourself. See for example
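As an added illustration (not part of the original answer, and not JupyterHub's own code), this is one way a custom single-user server could check each request against the Hub before serving it. It assumes JupyterHub 2.0+, where `GET /hub/api/user` returns the token owner's model with a `scopes` list, and it covers only the token check, not the OAuth redirect that obtains a token for browser sessions. All function names are hypothetical and the fallback values are constructed.

```python
import json
import os
import urllib.error
import urllib.request

# Set by JupyterHub in each spawned server's environment; fallbacks are constructed.
HUB_API_URL = os.environ.get("JUPYTERHUB_API_URL", "http://hub:8081/hub/api")
SERVER_OWNER = os.environ.get("JUPYTERHUB_USER", "my-username")
SERVER_NAME = os.environ.get("JUPYTERHUB_SERVER_NAME", "")  # "" = default server


def accepted_scopes(owner, server_name=""):
    """Scopes that grant access to this one server (simplified: no group filters)."""
    return {
        "access:servers",
        f"access:servers!user={owner}",
        f"access:servers!server={owner}/{server_name}",
    }


def is_authorized(user_model, owner=SERVER_OWNER, server_name=SERVER_NAME):
    """Decide from the Hub's answer; anything unexpected is a denial."""
    if not isinstance(user_model, dict) or not user_model.get("name"):
        return False
    scopes = user_model.get("scopes")
    if not isinstance(scopes, list):
        return False
    return bool(accepted_scopes(owner, server_name) & set(scopes))


def hub_user_for_token(token):
    """Ask the Hub who owns `token`; None if the Hub rejects it or is unreachable."""
    req = urllib.request.Request(
        f"{HUB_API_URL}/user", headers={"Authorization": f"token {token}"}
    )
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return json.load(resp)
    except (OSError, ValueError):  # HTTP 401/403, network error, bad JSON
        return None


def check_request(headers, lookup=hub_user_for_token):
    """True only for a request carrying a Hub token valid for this server."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() not in ("token", "bearer") or not token.strip():
        return False
    return is_authorized(lookup(token.strip()))
```

A request that fails `check_request` should get a 403 or a redirect to the Hub login rather than the application's content.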