Typically - you should use nginx/lighttpd/apache on the frontend - and the tileserver-gl server is hidden behind it in production deployment.
There is a plenty of options you can use to create proper caching infrastructure: Varnish, CloudFlare, …
Nginx can be used to add protection via https, password, referrer, IP address restriction, access keys, etc.
Running behind a proxy or a load-balancer¶
If you need to run TileServer GL behind a proxy, make sure the proxy sends
X-Forwarded-* headers to the server (most importantly
X-Forwarded-Proto) to ensures the URLs generated inside TileJSON etc. are using the desired domain and protocol.