code-server exposes a full IDE and terminal in the browser. Treat it like privileged remote access, not like a simple website. Hardening should focus on network exposure, authentication, extension trust, and workspace isolation.
¶ 1) Limit network exposure
- Keep bind-addr on loopback (127.0.0.1) and publish only through a reverse proxy.
- Terminate TLS at the public edge (Caddy, NGINX, or another TLS terminator) and redirect all HTTP requests to HTTPS.
- Prefer SSH port forwarding for administrative access when possible.
- Do not publish raw code-server directly on the internet without auth and encryption.
¶ 2) Strengthen authentication and session controls
- Use a strong, unique password, or better a hashed-password (argon2), in ~/.config/code-server/config.yaml so that no plaintext secret sits on disk.
- If you use external auth (for example oauth2-proxy or Pomerium), disable direct code-server password login and enforce SSO policies in the proxy tier.
- Keep code-server's built-in login rate limiting in place and add request throttling for /login at the reverse proxy.
- Rotate credentials when administrators change or when backups might have exposed secrets.
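The listener and credential settings from sections 1 and 2 live in a flat key/value config.yaml, so they can be checked mechanically before a restart. The script below is an added example written for this page, not code-server's own tooling. It writes two constructed sample files, the weak layout beside the hardened one, and audits the documented keys (bind-addr, auth, password, hashed-password). The argon2 string in the hardened sample is a placeholder with the correct prefix, not a real hash; generate a real one as the FAQ shows with `echo -n "thisismypassword" | npx argon2-cli -e`.

```shell
#!/usr/bin/env bash
# Added example for this page (not code-server's own tooling): audit the
# bind-addr and authentication keys in a code-server config.yaml.
set -u

# config.yaml is a flat "key: value" file, so a line-anchored sed is enough.
# Prints the first value for KEY with surrounding double quotes removed.
cfg_get() {  # cfg_get FILE KEY
  sed -n -E "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1 | sed -E 's/^"(.*)"$/\1/'
}

# Prints one FAIL/WARN line per finding. Returns 0 only when no FAIL was raised.
audit_code_server_config() {  # audit_code_server_config FILE
  local file="$1" rc=0 bind auth pw hpw
  bind=$(cfg_get "$file" bind-addr)
  auth=$(cfg_get "$file" auth)
  pw=$(cfg_get "$file" password)
  hpw=$(cfg_get "$file" hashed-password)

  # Section 1: the listener itself stays on loopback; only the reverse proxy
  # (or an SSH tunnel) may be reachable from outside.
  case "$bind" in
    127.0.0.1:*|localhost:*|\[::1\]:*) ;;
    *) echo "FAIL bind-addr '${bind:-<unset>}' is not loopback"; rc=1 ;;
  esac

  # Section 2: password auth must use hashed-password, never a plaintext
  # password on disk. auth: none is only acceptable behind an SSO proxy.
  case "$auth" in
    password)
      [ -z "$pw" ] || { echo "FAIL plaintext 'password' set; replace it with hashed-password"; rc=1; }
      if [ -z "$hpw" ]; then
        echo "FAIL auth is password but hashed-password is unset"; rc=1
      elif ! printf '%s\n' "$hpw" | grep -qE '^\\?\$argon2(i|d|id)\$'; then
        echo "FAIL hashed-password is not an argon2 hash"; rc=1
      fi ;;
    none) echo "WARN auth: none; acceptable only when an authenticating proxy fronts code-server" ;;
    *) echo "FAIL unknown or unset auth mode '${auth:-<unset>}'"; rc=1 ;;
  esac
  return "$rc"
}

# Constructed samples: the weak layout beside the hardened one.
write_sample_configs() {  # write_sample_configs DIR
  cat > "$1/weak.yaml" <<'EOF'
bind-addr: 0.0.0.0:8080
auth: password
password: hunter2
cert: false
EOF
  # Placeholder hash (argon2 prefix only, not a real digest). Generate a real
  # one as the FAQ shows: echo -n "thisismypassword" | npx argon2-cli -e
  cat > "$1/hardened.yaml" <<'EOF'
bind-addr: 127.0.0.1:8080
auth: password
hashed-password: "$argon2i$v=19$m=4096,t=3,p=1$c2FsdHNhbHQ$ZmFrZS1wbGFjZWhvbGRlcg"
cert: false
EOF
}

# Stand-alone demo: audit both samples and show the verdicts.
demo_audit() {
  local dir f
  dir=$(mktemp -d)
  write_sample_configs "$dir"
  for f in "$dir/weak.yaml" "$dir/hardened.yaml"; do
    echo "== $f"
    audit_code_server_config "$f" && echo "OK" || echo "NOT OK"
  done
  rm -rf "$dir"
}
demo_audit
```

Run it against the real file with `audit_code_server_config ~/.config/code-server/config.yaml` before restarting the service; a non-zero exit means the listener or the credential layout still needs attention.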
¶ 3) Reduce extension and supply-chain risk
- Restrict who can install extensions in shared deployments.
- Prefer vetted extensions from trusted publishers and pin required versions where possible.
- Avoid loading arbitrary VSIX files from untrusted sources.
- Keep code-server updated and patch quickly when security advisories are published.
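Pinning extension versions (section 3) only helps if someone notices when the installed set drifts from the pinned list. The script below is an added example for this page, not part of code-server. It compares a pinned allow-list of `publisher.name@version` lines against the installed set in the same format, which is what `code-server --list-extensions --show-versions` prints (flags inherited from the VS Code CLI; the `id@version` form for `--install-extension` is assumed to be accepted the same way). All publisher ids and versions in the samples are made up.

```shell
#!/usr/bin/env bash
# Added example for this page (not code-server's own tooling): report
# extensions that are unpinned, drifted from their pin, or pinned but absent.
set -u

# Escape the dots in a publisher.name id so it can be used inside a regex.
re_escape_id() {  # re_escape_id ID
  printf '%s' "$1" | sed 's/\./\\./g'
}

# ALLOWLIST and INSTALLED are files of "publisher.name@version" lines.
# Prints UNPINNED/DRIFT/MISSING lines; returns 0 only when nothing is printed.
check_extension_pins() {  # check_extension_pins ALLOWLIST INSTALLED
  local allow="$1" inst="$2" rc=0 line id ver want
  # Installed side: everything must appear in the allow-list at the pinned version.
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    id=${line%@*}; ver=${line##*@}
    want=$(sed -n -E "s/^$(re_escape_id "$id")@(.*)$/\1/p" "$allow" | head -n 1)
    if [ -z "$want" ]; then
      echo "UNPINNED $id@$ver is installed but not in the allow-list"; rc=1
    elif [ "$want" != "$ver" ]; then
      echo "DRIFT $id is $ver, allow-list pins $want"; rc=1
    fi
  done < "$inst"
  # Allow-list side: a pinned extension that is missing is also a deviation.
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    id=${line%@*}
    grep -qE "^$(re_escape_id "$id")@" "$inst" || { echo "MISSING $line is pinned but not installed"; rc=1; }
  done < "$allow"
  return "$rc"
}

# Constructed sample data: ids and versions are made up for this example.
write_sample_extension_lists() {  # write_sample_extension_lists DIR
  printf '%s\n' \
    'example.pinned-linter@1.2.3' \
    'example.yaml-tools@2.0.0' \
    'example.formatter@0.9.1' > "$1/allowlist.txt"
  printf '%s\n' \
    'example.pinned-linter@1.2.3' \
    'example.yaml-tools@2.1.0' \
    'someone.unvetted-theme@0.0.1' > "$1/installed.txt"
}

# Stand-alone demo: one drift, one unpinned install, one missing pin.
demo_pins() {
  local dir
  dir=$(mktemp -d)
  write_sample_extension_lists "$dir"
  check_extension_pins "$dir/allowlist.txt" "$dir/installed.txt" && echo "OK" || echo "NOT OK"
  rm -rf "$dir"
}
demo_pins
```

In a shared deployment, run the check from a cron job or the same pipeline that installs extensions, and treat any output as a change that needs a reviewer, not an automatic upgrade.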
¶ 4) Isolate runtime and data paths
- Run code-server as a non-root system user with least privilege.
- Isolate project workspaces per user or per tenant to avoid cross-project secret leakage.
- Mount only required directories and avoid exposing host-wide secrets into the runtime.
- Protect backup sets for ~/.config/code-server and workspace data; they can contain credentials and tokens.
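The packaged code-server@.service template already runs each instance as the named user (code-server@<user>). The drop-in below, an added example for section 4 and not something code-server ships, tightens that unit so the process sees a read-only system and only its own home, where ~/.config/code-server and the workspaces live. The drop-in path and the assumption that the user's home is /home/<user> are mine; anything else the workspace legitimately writes (a container socket, a shared build cache) needs its own ReadWritePaths entry.

```ini
# /etc/systemd/system/code-server@.service.d/hardening.conf
# Added example: drop-in for the packaged code-server@.service template.
# Assumes the instance user's home and workspaces live under /home/%i.
[Service]
# No privilege escalation from the IDE terminal (sudo/setuid binaries stop working).
NoNewPrivileges=yes
PrivateTmp=yes
# Private /dev with pseudo devices only; the pty subsystem needed by the terminal stays available.
PrivateDevices=yes
# Whole filesystem read-only, then expose and re-enable writes for this user's home only.
ProtectSystem=strict
ProtectHome=tmpfs
BindPaths=/home/%i
ReadWritePaths=/home/%i
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
RestrictSUIDSGID=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
LockPersonality=yes
CapabilityBoundingSet=
AmbientCapabilities=
# MemoryDenyWriteExecute is deliberately left off: Node's JIT needs writable+executable pages.
```

Apply with `systemctl daemon-reload` and `systemctl restart code-server@<user>`, then compare `systemd-analyze security code-server@<user>` before and after; a terminal session that cannot reach /etc for writing or see other users' homes is the intended result.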
¶ 5) References
- code-server secure exposure guide: https://coder.com/docs/code-server/guide
- code-server FAQ (config, auth, hashed password): https://coder.com/docs/code-server/FAQ
- code-server security policy: https://coder.com/docs/code-server/SECURITY
- code-server source repository: https://github.com/coder/code-server