
docs: add new security doc to best practices section #15805


Merged
merged 15 commits into from
Dec 16, 2024
update links
EdwardAngert authored and EdwardAngert committed Dec 9, 2024
commit 1879cbec29db420c8d08b9ebd810eb00d7b0a45c
18 changes: 9 additions & 9 deletions docs/tutorials/best-practices/security-best-practices.md
Expand Up @@ -24,7 +24,7 @@ Using IdP sync and SCIM means that the central Identity Provider is the source o

Place Coder behind a TLS-capable reverse-proxy/load balancer, and enable [Strict Transport Security](../../reference/cli/server.md#--strict-transport-security) so that connections from end users are always encrypted.

Enable [TLS](../../reference/cli/server#--tls-address) on Coder Server, and encrypt traffic from the reverse-proxy/load balancer to Coder Server, so that even if an attacker gains access to your network, they will be unable to snoop on Coder Server traffic.
Enable [TLS](../../reference/cli/server.md#--tls-address) on Coder Server, and encrypt traffic from the reverse-proxy/load balancer to Coder Server, so that even if an attacker gains access to your network, they will be unable to snoop on Coder Server traffic.

### Encryption at Rest

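Review bot: The `.md` suffix added to the `--tls-address` link makes it consistent with the `--strict-transport-security` link two lines above, which already used `../../reference/cli/server.md#...`. Since this commit fixes the same extension-less pattern in several hunks, it is worth grepping the whole file for `](../../` links that still lack `.md` so no stragglers remain for a follow-up commit.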
Expand All @@ -48,18 +48,18 @@ Generate a strong, random password for accessing PostgreSQL and store it securel

### Encryption in Transit

Enable TLS on PostgreSQL, and set `sslmode=verify-full` in your [postgres URL](../../reference/cli/server#--postgres-url) on Coder Server. This configures Coder Server to only establish TLS connections to PostgreSQL and check that the PostgreSQL server’s certificate is valid and matches the expected hostname.
Enable TLS on PostgreSQL, and set `sslmode=verify-full` in your [postgres URL](../../reference/cli/server.md#--postgres-url) on Coder Server. This configures Coder Server to only establish TLS connections to PostgreSQL and check that the PostgreSQL server’s certificate is valid and matches the expected hostname.

### Encryption at Rest

Run PostgreSQL on server(s) with full disk encryption enabled and configured.

Additionally, Coder supports [encrypting some particularly sensitive data](../../admin/security/database-encryption) including OIDC tokens using an encryption key managed independently of the database, so even a user with full administrative privileges on the PostgreSQL server(s) cannot read the data without the separate key. If you use this feature:
Additionally, Coder supports [encrypting some particularly sensitive data](../../admin/security/database-encryption.md) including OIDC tokens using an encryption key managed independently of the database, so even a user with full administrative privileges on the PostgreSQL server(s) cannot read the data without the separate key. If you use this feature:

1. Generate the encryption key randomly and store it in a central secrets management system like Vault.
1. Inject the secret using an environment variable.
- If in Kubernetes, use a Kubernetes Secret, rather than including the secret directly in the podspec
1. [Rotate the key immediately](../../admin/security/database-encryption#rotating-keys) if you suspect it has been leaked. Follow any organization policies about key rotation on a fixed schedule.
1. [Rotate the key immediately](../../admin/security/database-encryption.md#rotating-keys) if you suspect it has been leaked. Follow any organization policies about key rotation on a fixed schedule.

## Provisioner Daemons

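Review bot: The sub-bullet under step 2, "If in Kubernetes, use a Kubernetes Secret, rather than including the secret directly in the podspec", has no terminal period and says "If in Kubernetes" while the rest of this document says "If on Kubernetes" (see the Provisioner Daemons and Workspace Proxies sections). Suggest ending it with a period and aligning the wording to "If on Kubernetes, ..." while the surrounding lines are being touched.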
Expand All @@ -79,7 +79,7 @@ When Coder workspaces are deployed into multiple clusters/clouds, or workspaces

### Authentication

Use a [Scoped Key](../../admin/provisioners#scoped-key-recommended) to authenticate the provisioner daemons with Coder. These keys can only be used to authenticate provisioner daemons (not other APIs on the Coder Server).
Use a [Scoped Key](../../admin/provisioners.md#scoped-key-recommended) to authenticate the provisioner daemons with Coder. These keys can only be used to authenticate provisioner daemons (not other APIs on the Coder Server).

Store the keys securely and use environment variables to pass them to the provisioner daemon. If on Kubernetes, use a Kubernetes Secret to set the environment variable

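Review bot: The unchanged context line "Store the keys securely and use environment variables to pass them to the provisioner daemon. If on Kubernetes, use a Kubernetes Secret to set the environment variable" is missing its closing period; the near-identical sentence in the Workspace Proxies section ends with one. A one-character fix here would keep the two passages consistent.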
Expand Down Expand Up @@ -116,11 +116,11 @@ Workspace proxies have unrestricted access to establish encrypted tunnels to wor

### Authentication

Securely store the workspace proxy token generated by [`coder wsproxy create`](../../admin/networking/workspace-proxies#step-1-create-the-proxy). Inject the token to the workspace proxy process via an environment variable, rather than via an argument. If on Kubernetes, use a Kubernetes Secret to set the environment variable.
Securely store the workspace proxy token generated by [`coder wsproxy create`](../../admin/networking/workspace-proxies.md#step-1-create-the-proxy). Inject the token to the workspace proxy process via an environment variable, rather than via an argument. If on Kubernetes, use a Kubernetes Secret to set the environment variable.

### Encryption in Transit

Enable TLS on Coder Server and ensure you use an https:// URL to access the Coder Server.
Enable TLS on Coder Server and ensure you use an `https://` URL to access the Coder Server.

Communication to the proxied workspace applications is always encrypted with Wireguard. No action is required.

Expand Down Expand Up @@ -217,11 +217,11 @@ All DERP messages are end-to-end encrypted, so the DERP service only learns the

[STUN](https://en.wikipedia.org/wiki/STUN) is an IETF standard protocol that allows network endpoints behind NAT to learn their public address / port mappings. It is an essential component of Coder’s networking to enable encrypted tunnels to be established without a relay for best performance. Coder does not ship with a STUN service because it needs to be run directly connected to the network, not behind a reverse proxy or load balancer as Coder usually is.

STUN messages are not encrypted, but do not transmit any tunneled data, they simply query the public address / ports. As such, a STUN service learns the public address and port information (i.e. the address and port on the NAT device) of Coder workspaces and the end user device if STUN is configured. Unlike DERP, it doesn’t definitively learn about communicating pairs of IPs. If you consider the public IP and port information to be sensitive, do not use public STUN servers. You may choose not to configure any STUN servers, in which case most workspace traffic will need to be relayed via DERP. You may choose to deploy your own STUN servers, either on the public Internet, or on your corporate network and [configure Coder to use it](../../reference/cli/server#--derp-server-stun-addresses). If you do not consider the addresses and ports to be sensitive, we recommend using the default set of STUN servers operated by Google.
STUN messages are not encrypted, but do not transmit any tunneled data, they simply query the public address / ports. As such, a STUN service learns the public address and port information (i.e. the address and port on the NAT device) of Coder workspaces and the end user device if STUN is configured. Unlike DERP, it doesn’t definitively learn about communicating pairs of IPs. If you consider the public IP and port information to be sensitive, do not use public STUN servers. You may choose not to configure any STUN servers, in which case most workspace traffic will need to be relayed via DERP. You may choose to deploy your own STUN servers, either on the public Internet, or on your corporate network and [configure Coder to use it](../../reference/cli/server.md#--derp-server-stun-addresses). If you do not consider the addresses and ports to be sensitive, we recommend using the default set of STUN servers operated by Google.

#### Workspace Apps

Coder workspace apps are a way to allow users to access web applications running in the workspace via the Coder Server or Workspace Proxy. [Disable workspace apps on sub-paths](../../reference/cli/server#--disable-path-apps) of the main Coder domain name, and [use a separate, wildcard domain name](../../admin/setup#wildcard-access-url) for forwarding. Because of the default [same-origin policy](https://en.wikipedia.org/wiki/Same-origin_policy) in browsers, serving web apps on the main Coder domain would allow those apps to send API requests to the Coder Server, authenticated as the logged in user without their explicit consent.
Coder workspace apps are a way to allow users to access web applications running in the workspace via the Coder Server or Workspace Proxy. [Disable workspace apps on sub-paths](../../reference/cli/server.md#--disable-path-apps) of the main Coder domain name, and [use a separate, wildcard domain name](../../admin/setup/index.md#wildcard-access-url) for forwarding. Because of the default [same-origin policy](https://en.wikipedia.org/wiki/Same-origin_policy) in browsers, serving web apps on the main Coder domain would allow those apps to send API requests to the Coder Server, authenticated as the logged in user without their explicit consent.

#### Port Sharing

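Review bot: The wildcard-access-url link does more than append `.md`: it changes the target from `../../admin/setup#wildcard-access-url` to `../../admin/setup/index.md#wildcard-access-url`, unlike every other link in this commit. Please confirm that `docs/admin/setup/index.md` exists and contains a heading that renders to the `wildcard-access-url` anchor, since a moved-path link is the kind that a simple extension-appending pass would not catch.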