Wildcard hostnames create false positive OWASP rule detection #9186

Closed as not planned
@timquinlan

Coder wildcard hostnames use a double dash ( -- ) to delimit username, workspace name, agent name, and app name in coder_app URLs. A WAF that enforces OWASP rule 942440 (SQL Comment Sequence Detected) will trigger a false positive based on the presence of a double-dash ( -- ) in the URL. To remediate, create a WAF policy that does not enforce rule 942440 for your Coder traffic.
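
A triage sketch for the false positive described above, added here as an example and not code from Coder or from the issue author: it marks a rule 942440 hit as a likely false positive only when every `--` in the matched value sits inside a four-part wildcard hostname. The domain `coder.example.com`, the event fields `rule` and `matched`, and the sample hits are assumptions constructed for illustration.

```python
import re

# Assumptions (not from the issue): the wildcard domain and all sample events.
WILDCARD_SUFFIX = ".coder.example.com"
SEGMENT = r"[a-z0-9]+(?:-[a-z0-9]+)*"          # one name, single hyphens only
# First DNS label: four names joined by "--"; their order is not assumed here.
APP_LABEL = re.compile(rf"^{SEGMENT}(?:--{SEGMENT}){{3}}$")
HOST_TOKEN = re.compile(r"[a-z0-9.-]+", re.I)   # maximal hostname-like run


def dashes_explained(value: str) -> bool:
    """True only if every "--" in value lies inside a Coder app hostname."""
    covered = set()
    for m in HOST_TOKEN.finditer(value):
        host = m.group(0).lower()
        if not host.endswith(WILDCARD_SUFFIX):
            continue
        label = host[: -len(WILDCARD_SUFFIX)]
        if "." in label or len(label) > 63 or not APP_LABEL.match(label):
            continue
        covered.update(range(m.start(), m.end()))
    hits = [i for i in range(len(value) - 1) if value[i:i + 2] == "--"]
    return bool(hits) and all(i in covered and i + 1 in covered for i in hits)


def triage(events):
    """Label each WAF hit; only rule 942440 hits are candidates for dismissal."""
    verdicts = []
    for e in events:
        if e["rule"] != "942440":
            verdicts.append("other-rule")
        elif dashes_explained(e["matched"]):
            verdicts.append("likely-false-positive")
        else:
            verdicts.append("investigate")
    return verdicts


EVENTS = [  # constructed sample hits
    {"rule": "942440", "matched": "https://code-server--main--dev--alice.coder.example.com/"},
    {"rule": "942440", "matched": "1' OR 1=1 -- "},
    {"rule": "942440", "matched": "https://a--b--c--d.coder.example.com/?q=x'--"},
    {"rule": "942100", "matched": "union select"},
]

if __name__ == "__main__":
    for event, verdict in zip(EVENTS, triage(EVENTS)):
        print(verdict, event["matched"])
```

Running the same check over past 942440 hits before writing the policy exception shows whether the rule is firing only on Coder hostnames or also on values that still deserve inspection.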

Labels: s2 (Broken use cases or features (with a workaround). Only humans may set this.), stale (This issue is like stale bread.)