Enable [TLS](../../reference/cli/server#--tls-address) on Coder Server, and encrypt traffic from the reverse-proxy/load balancer to Coder Server, so that even if an attacker gains access to your network, they will be unable to snoop on Coder Server traffic.

Enable TLS on PostgreSQL, and set `sslmode=verify-full` in your [postgres URL](../../reference/cli/server#--postgres-url) on Coder Server. This configures Coder Server to only establish TLS connections to PostgreSQL and check that the PostgreSQL server’s certificate is valid and matches the expected hostname.

Additionally, Coder supports [encrypting some particularly sensitive data](../../admin/security/database-encryption) including OIDC tokens using an encryption key managed independently of the database, so even a user with full administrative privileges on the PostgreSQL server(s) cannot read the data without the separate key. If you use this feature:

1. [Rotate the key immediately](../../admin/security/database-encryption#rotating-keys) if you suspect it has been leaked. Follow any organization policies about key rotation on a fixed schedule.

Use a [Scoped Key](../../admin/provisioners#scoped-key-recommended) to authenticate the provisioner daemons with Coder. These keys can only be used to authenticate provisioner daemons (not other APIs on the Coder Server).

Securely store the workspace proxy token generated by [`coder wsproxy create`](../../admin/networking/workspace-proxies#step-1-create-the-proxy). Inject the token to the workspace proxy process via an environment variable, rather than via an argument. If on Kubernetes, use a Kubernetes Secret to set the environment variable.

Enable TLS on Coder Server and ensure you use an https:// URL to access the Coder Server.

STUN messages are not encrypted, but do not transmit any tunneled data, they simply query the public address / ports. As such, a STUN service learns the public address and port information (i.e. the address and port on the NAT device) of Coder workspaces and the end user device if STUN is configured. Unlike DERP, it doesn’t definitively learn about communicating pairs of IPs. If you consider the public IP and port information to be sensitive, do not use public STUN servers. You may choose not to configure any STUN servers, in which case most workspace traffic will need to be relayed via DERP. You may choose to deploy your own STUN servers, either on the public Internet, or on your corporate network and [configure Coder to use it](../../reference/cli/server#--derp-server-stun-addresses). If you do not consider the addresses and ports to be sensitive, we recommend using the default set of STUN servers operated by Google.

Coder workspace apps are a way to allow users to access web applications running in the workspace via the Coder Server or Workspace Proxy. [Disable workspace apps on sub-paths](../../reference/cli/server#--disable-path-apps) of the main Coder domain name, and [use a separate, wildcard domain name](../../admin/setup#wildcard-access-url) for forwarding. Because of the default [same-origin policy](https://en.wikipedia.org/wiki/Same-origin_policy) in browsers, serving web apps on the main Coder domain would allow those apps to send API requests to the Coder Server, authenticated as the logged in user without their explicit consent.