External access, open port, security question

I've been looking at some of the external access into my network to see how exposed we are at the house. I noticed that when I connect to my network externally on port 8089 (8089 is port forwarded to my Channels DVR) I'm presented with a page which allows me to request an access token and then apply that access token, which then gives complete access to my Channels DVR. I'm trying to figure out if this is something which anyone could do or if it happened that way because my laptop was authenticated to the Channels DVR server already and so it could see this. I was doing this from work, outside my network, on my work laptop, which I didn't think was authenticated to my Channels DVR. If this is something which does not require login authentication, I'm wondering if the devs have thought of handling it differently to make access to the DVR by an external party more difficult. Also, I looked to see if there was a way to change the port so I could pick something else, but it doesn't look like there is. Not a great option, but slightly more secure than a lower number port near commonly used ports.

I'm running the Raspberry Pi image Channels provides, on a RPi 4, with the latest updates from Channels.

I feel the best way to protect your local network is to firewall off all access to the local network from the host running the Channels server. Also, use a dedicated and not root account for the service (process).

One of my main concerns, in addition to intrusion, is just bandwidth. If this gets compromised and then shared, there could be people poking around and messing with and streaming from our Channels DVR, even without actually compromising the underlying appliance.

I feel that is very unlikely as this is not what motivates hackers. It is easy to protect if you only open the port to your external IP(s) or if you connect to Channels via a VPN. There is another thread active regarding VPN access with a number of people recommending WireGuard.

You are mistaken.

You can try in Chrome incognito remotely to see what happens.

Thanks for responding, I see what you mean. I thought I had done this in a private browsing session, but apparently I did not. Thanks for clarifying. I see how it works, much appreciated.

Also, I deleted my previous post with inaccurate information in it so it didn't confuse others.

Have you or the other developers penetration tested or, better, hired a consultant to do so?