Securing backend

I have some backend canisters, some of them should be accessed publicly, but I don’t want that people call directly the backend with CandidUI, but only via front end. Some others I want only logged in users to access and some should be both logged in and only from front end or from allowed canister. How to achieve that? Any hint/s?