From 1dcc3f4964c2c3880deb3021da50fe1b8b21cd1b Mon Sep 17 00:00:00 2001 From: EdwardAngert <17991901+EdwardAngert@users.noreply.github.com> Date: Tue, 17 Jun 2025 21:10:43 +0000 Subject: [PATCH 1/5] add disable path-based app section --- .../best-practices/security-best-practices.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/docs/tutorials/best-practices/security-best-practices.md b/docs/tutorials/best-practices/security-best-practices.md index 2c9ffbbb111c8..e8c644b914435 100644 --- a/docs/tutorials/best-practices/security-best-practices.md +++ b/docs/tutorials/best-practices/security-best-practices.md @@ -66,6 +66,19 @@ logs (which have `msg: audit_log`) and retain them for a minimum of two years If a security incident with Coder does occur, audit logs are invaluable in determining the nature and scope of the impact. +### Disable path-based apps + +By default, path-based apps are enabled in Coder to make demos and trials easier for new users. + +In production deployments, however, path-based apps reduce security significantly as it allows user workspace apps to be hosted on the same domain as other apps and the Coder API itself in the default region. + +We recommend turning off path-based apps after you have configured and enabled subdomain apps via a wildcard DNS entry. + +The impact of having path-based apps enabled is mitigated by default, but we still recommend disabling it to prevent malicious workspaces accessing other workspaces owned by the same user or performing requests against the Coder API: + +- Path-based apps cannot be shared with other users without a special flag `--dangerous-allow-path-app-sharing` +- Users with the site "owner" role cannot use their admin privileges to access path-based apps for workspace they do not own without a special flag `--dangerous-allow-path-app-site-owner-access` + ## PostgreSQL PostgreSQL is the persistent datastore underlying the entire Coder deployment. 
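Review bot: the new section recommends turning path-based apps off but never says how, so the recommendation is not actionable; add the server flag or environment variable that disables them next to "We recommend turning off path-based apps after you have configured and enabled subdomain apps via a wildcard DNS entry." Two grammar fixes in the same hunk: "path-based apps reduce security significantly as it allows" should read "as they allow", and "access path-based apps for workspace they do not own" should read "for workspaces they do not own".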
From 3a354134476b8195113f849960983d7403a9eeb1 Mon Sep 17 00:00:00 2001 From: EdwardAngert <17991901+EdwardAngert@users.noreply.github.com> Date: Tue, 17 Jun 2025 21:28:03 +0000 Subject: [PATCH 2/5] edit path-based apps section --- .../best-practices/security-best-practices.md | 24 ++++++++++++++----- 1 file changed, 18 insertions(+), 6 deletions(-) diff --git a/docs/tutorials/best-practices/security-best-practices.md b/docs/tutorials/best-practices/security-best-practices.md index e8c644b914435..6e68080b85af3 100644 --- a/docs/tutorials/best-practices/security-best-practices.md +++ b/docs/tutorials/best-practices/security-best-practices.md 
@@ -68,16 +68,28 @@ determining the nature and scope of the impact. ### Disable path-based apps -By default, path-based apps are enabled in Coder to make demos and trials easier for new users. +For production deployments, disable path-based apps. -In production deployments, however, path-based apps reduce security significantly as it allows user workspace apps to be hosted on the same domain as other apps and the Coder API itself in the default region. +Path-based apps share the same origin as the Coder API. +This setup is convenient for demos, but can expose the deployment to cross-site-scripting (XSS) attacks in production. +A malicious workspace could reuse Coder cookies to call the API or interact with other workspaces owned by the same user. -We recommend turning off path-based apps after you have configured and enabled subdomain apps via a wildcard DNS entry. +1. [Enable sub-domain apps with a wildcard DNS record](../../admin/setup/index.md#wildcard-access-url) (like `*.coder.example.com`) -The impact of having path-based apps enabled is mitigated by default, but we still recommend disabling it to prevent malicious workspaces accessing other workspaces owned by the same user or performing requests against the Coder API: +1. Disable path-based apps: -- Path-based apps cannot be shared with other users without a special flag `--dangerous-allow-path-app-sharing` -- Users with the site "owner" role cannot use their admin privileges to access path-based apps for workspace they do not own without a special flag `--dangerous-allow-path-app-site-owner-access` + ```shell + coderd server --disable-path-apps + # or + export CODER_DISABLE_PATH_APPS=true + ``` + +By default, Coder mitigates the impact of having path-based apps enabled, but we still recommend disabling it to prevent malicious workspaces accessing other workspaces owned by the same user or performing requests against the Coder API. 
+ +If you do keep path-based apps enabled, Coder limits the risk: + +- Path-based apps cannot be shared with other users unless you start the Coder server with `--dangerous-allow-path-app-sharing`. +- Users with the site `owner` role cannot use their admin privileges to access path-based apps for workspace unless the server is started with `--dangerous-allow-path-app-site-owner-access`. ## PostgreSQL From a5486ca4a7042e64a4294c308c75bf285894e131 Mon Sep 17 00:00:00 2001 From: EdwardAngert <17991901+EdwardAngert@users.noreply.github.com> Date: Tue, 17 Jun 2025 21:33:44 +0000 Subject: [PATCH 3/5] link to disable path-based --- docs/admin/setup/index.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/admin/setup/index.md b/docs/admin/setup/index.md index f72ca5b2f8df1..83b15041ce549 100644 --- a/docs/admin/setup/index.md +++ b/docs/admin/setup/index.md @@ -60,6 +60,8 @@ If you are providing TLS certificates directly to the Coder server, either options (these both take a comma separated list of files; list certificates and their respective keys in the same order). +After you enable a wildcard sub-domain, [disable path-based apps](../../tutorials/best-practices/security-best-practices.md). + ## TLS & Reverse Proxy The Coder server can directly use TLS certificates with `CODER_TLS_ENABLE` and From 0dffcbe794e70232f4210f89c33af98ac0d12d9a Mon Sep 17 00:00:00 2001 From: EdwardAngert <17991901+EdwardAngert@users.noreply.github.com> Date: Tue, 17 Jun 2025 21:34:25 +0000 Subject: [PATCH 4/5] link to heading --- docs/admin/setup/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/admin/setup/index.md b/docs/admin/setup/index.md index 83b15041ce549..fccd74d0f4d2b 100644 --- a/docs/admin/setup/index.md +++ b/docs/admin/setup/index.md 
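Review bot: the rewording of the site-owner bullet drops "they do not own", leaving "access path-based apps for workspace unless the server is started with `--dangerous-allow-path-app-site-owner-access`", which no longer says whose workspaces are meant; restore it as "for workspaces they do not own unless the server is started with ...". In the fenced block, double-check the binary name in `coderd server --disable-path-apps` against the actual server executable: the prose only ever says "start the Coder server with", and `coderd` appears nowhere else in these hunks. It would also help to state that `export CODER_DISABLE_PATH_APPS=true` is the environment-variable equivalent of the flag rather than a second, different setting. Finally, the paragraph beginning "By default, Coder mitigates the impact of having path-based apps enabled" and the one beginning "If you do keep path-based apps enabled, Coder limits the risk:" make the same point twice; merge them into the one that introduces the bullet list.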
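Review bot: the link in "After you enable a wildcard sub-domain, [disable path-based apps](../../tutorials/best-practices/security-best-practices.md)." lands at the top of the best-practices page rather than at the new section; point it at the `### Disable path-based apps` heading with a `#disable-path-based-apps` fragment so readers arrive at the instructions directly.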
@@ -60,7 +60,7 @@ If you are providing TLS certificates directly to the Coder server, either options (these both take a comma separated list of files; list certificates and their respective keys in the same order). -After you enable a wildcard sub-domain, [disable path-based apps](../../tutorials/best-practices/security-best-practices.md). +After you enable a wildcard sub-domain, [disable path-based apps](../../tutorials/best-practices/security-best-practices.md#disable-path-based-apps). ## TLS & Reverse Proxy From d2bb9f32643b2f1435ec1f6d920d805e85137c58 Mon Sep 17 00:00:00 2001 From: EdwardAngert <17991901+EdwardAngert@users.noreply.github.com> Date: Wed, 18 Jun 2025 17:52:48 +0000 Subject: [PATCH 5/5] suggestions from review --- docs/admin/setup/index.md | 2 +- docs/tutorials/best-practices/security-best-practices.md | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/docs/admin/setup/index.md b/docs/admin/setup/index.md index fccd74d0f4d2b..a0ffaa0f5211a 100644 --- a/docs/admin/setup/index.md +++ b/docs/admin/setup/index.md @@ -60,7 +60,7 @@ If you are providing TLS certificates directly to the Coder server, either options (these both take a comma separated list of files; list certificates and their respective keys in the same order). -After you enable a wildcard sub-domain, [disable path-based apps](../../tutorials/best-practices/security-best-practices.md#disable-path-based-apps). +After you enable the wildcard access URL, you should [disable path-based apps](../../tutorials/best-practices/security-best-practices.md#disable-path-based-apps) for security. ## TLS & Reverse Proxy diff --git a/docs/tutorials/best-practices/security-best-practices.md b/docs/tutorials/best-practices/security-best-practices.md index 6e68080b85af3..63cf22abb9bc6 100644 --- a/docs/tutorials/best-practices/security-best-practices.md +++ b/docs/tutorials/best-practices/security-best-practices.md 
@@ -68,10 +68,10 @@ determining the nature and scope of the impact. ### Disable path-based apps -For production deployments, disable path-based apps. +For production deployments, we recommend that you disable path-based apps after you've configured a wildcard access URL. -Path-based apps share the same origin as the Coder API. -This setup is convenient for demos, but can expose the deployment to cross-site-scripting (XSS) attacks in production. +Path-based apps share the same origin as the Coder API, which can be convenient for trialing Coder, +but can expose the deployment to cross-site-scripting (XSS) attacks in production. A malicious workspace could reuse Coder cookies to call the API or interact with other workspaces owned by the same user. 1. [Enable sub-domain apps with a wildcard DNS record](../../admin/setup/index.md#wildcard-access-url) (like `*.coder.example.com`) @@ -86,7 +86,7 @@ A malicious workspace could reuse Coder cookies to call the API or interact with By default, Coder mitigates the impact of having path-based apps enabled, but we still recommend disabling it to prevent malicious workspaces accessing other workspaces owned by the same user or performing requests against the Coder API. -If you do keep path-based apps enabled, Coder limits the risk: +If you do keep path-based apps enabled: - Path-based apps cannot be shared with other users unless you start the Coder server with `--dangerous-allow-path-app-sharing`. - Users with the site `owner` role cannot use their admin privileges to access path-based apps for workspace unless the server is started with `--dangerous-allow-path-app-site-owner-access`.
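Review bot: the prerequisite is named three different ways in this hunk, "configured a wildcard access URL" in the opening sentence, "Enable sub-domain apps with a wildcard DNS record" in step 1, and "wildcard-access-url" in the link anchor; pick one term (the anchor suggests "wildcard access URL") and use it in both the opening sentence and step 1 so the reader sees a single prerequisite rather than three.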
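Review bot: the site-owner bullet still reads "access path-based apps for workspace unless the server is started with `--dangerous-allow-path-app-site-owner-access`", so "they do not own" is still missing after two revisions; fix it here as "for workspaces they do not own unless ...". With the bullet intro shortened to "If you do keep path-based apps enabled:", the paragraph just above it, "By default, Coder mitigates the impact of having path-based apps enabled, but we still recommend disabling it to prevent malicious workspaces accessing other workspaces owned by the same user or performing requests against the Coder API.", now repeats both the XSS paragraph earlier in the section and the two bullets that follow; drop it or fold its "we still recommend disabling it" clause into the bullet intro.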