SSO + Zero-Day Protection for code-server (VS Code)

by Coder Inc.

Add SAML/OIDC SSO to code-server — Secure Browser-Based VS Code with Zero Trust

Why code-server (VS Code) Needs an Authenticated Proxy

code-server runs VS Code in the browser, giving developers full IDE access from any device. But a code-server instance has direct access to the filesystem, terminal, and network of its host — making it equivalent to SSH access. An exposed code-server means attackers can read source code, modify files, run commands, and pivot through your network. OnePAM adds enterprise SSO to code-server, ensuring only authenticated developers can access their IDE environments.

HTTP Header Authentication (X-Forwarded-User)

code-server supports proxy authentication via HTTP headers. OnePAM injects the verified user identity, and code-server trusts the authentication from the proxy layer.

code-server (VS Code) Vulnerability Risks

Without an authenticated proxy, these risks are directly exploitable by any network-reachable attacker.

code-server provides full terminal access equivalent to SSH
Source code repositories are directly accessible from the IDE
Extensions can execute arbitrary code on the server
Environment variables may contain API keys and secrets

Security Challenges with code-server (VS Code)

These are the risks organizations face when code-server (VS Code) is not behind an authenticated proxy.

Full Server Access

code-server provides terminal access, file system browsing, and code execution — equivalent to full shell access on the host.

Source Code Exposure

All repositories cloned on the server are accessible through the IDE. A breach means complete source code exfiltration.

Extension Risks

VS Code extensions run with the same privileges as code-server. Malicious or vulnerable extensions can compromise the host.

Password-Only Auth

code-server's built-in authentication is a single shared password. No user identification, no MFA, no audit trail.

Secret Exposure

Environment variables, .env files, and credential files are visible in the IDE file browser and terminal.

No Session Auditing

code-server provides no built-in session recording or audit logging of developer activity.

How OnePAM Adds SSO + Zero-Day Protection to code-server (VS Code)

A step-by-step guide to deploying OnePAM's authenticated proxy in front of code-server (VS Code).

1. Deploy OnePAM as code-server Proxy

Place OnePAM in front of code-server, replacing the built-in password authentication.

code-server is configured with --auth none behind OnePAM. OnePAM handles all authentication.

2. Configure Your Identity Provider

Connect OnePAM to your SAML 2.0 or OIDC provider for corporate SSO.

Developers authenticate through your IdP with MFA before accessing their cloud IDE.

3. Enable Identity Injection

OnePAM passes the authenticated developer identity to code-server via HTTP headers.

Each developer gets an individually identified session. No shared passwords, no anonymous access.

4. Define Access Policies

Control who can access which code-server instances based on IdP groups and project assignments.

Frontend developers access their instances; backend engineers access theirs. Cross-team access requires explicit policy.

5. Record Development Sessions

Enable session recording for compliance-sensitive development environments.

Full visual recording of IDE sessions for auditing, incident investigation, and compliance evidence.
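
Steps 1 and 3 leave code-server running with --auth none, so it serves anything that reaches it, and the identity header only means something if the proxy is its sole source. The sketch below is an added example, not OnePAM's or code-server's own code: `upstream_headers` and `audit_code_server_config` are hypothetical helpers, the sample values are constructed, and the only product names used are the X-Forwarded-User header from this page and code-server's `bind-addr` and `auth` config keys.

```python
import ipaddress

IDENTITY_HEADER = "X-Forwarded-User"  # header name taken from this page

def _fold(name):
    # Compare case-insensitively and treat "_" like "-", since some stacks
    # normalise both spellings to the same variable.
    return name.lower().replace("_", "-")

def upstream_headers(client_headers, verified_user):
    """Headers a proxy should forward to code-server (hypothetical helper).
    Applies equally to WebSocket upgrade requests, which are plain HTTP."""
    if not verified_user:
        raise PermissionError("no authenticated session; do not forward")
    if "\r" in verified_user or "\n" in verified_user:
        raise ValueError("control characters in identity")
    # Drop every client-supplied copy of the identity header, then add ours.
    kept = [(n, v) for n, v in client_headers if _fold(n) != _fold(IDENTITY_HEADER)]
    return kept + [(IDENTITY_HEADER, verified_user)]

def audit_code_server_config(text):
    """Flag a code-server config.yaml that disables auth on a reachable address."""
    cfg = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            key, value = line.split(":", 1)
            cfg[key.strip()] = value.strip().strip("'\"")
    auth = cfg.get("auth", "password")             # code-server default
    bind = cfg.get("bind-addr", "127.0.0.1:8080")  # code-server default
    host = bind.rsplit(":", 1)[0].strip("[]")
    try:
        loopback = ipaddress.ip_address(host).is_loopback
    except ValueError:
        loopback = host == "localhost"
    if auth == "none" and not loopback:
        return ["auth is none but bind-addr host %s is reachable without the proxy" % host]
    return []

# Constructed sample input: a request carrying spoofed identity headers,
# and a config that exposes an unauthenticated instance.
SPOOFED = [("Host", "ide.example.test"), ("x-forwarded-user", "admin"),
           ("X_Forwarded_User", "root")]
EXPOSED = "bind-addr: 0.0.0.0:8080\nauth: none\n"

if __name__ == "__main__":
    print(upstream_headers(SPOOFED, "alice@example.test"))
    print(audit_code_server_config(EXPOSED))
```

A loopback bind only fits a proxy running on the same host; when the proxy runs elsewhere, restrict the listener with a firewall or private network so the proxy is the only client that can connect.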

Benefits of Securing code-server (VS Code) with OnePAM

Measurable security and operational outcomes from deploying OnePAM in front of code-server (VS Code).

Eliminate Shared Passwords

Replace code-server's single password with individual corporate identities via SSO.

Zero shared credentials

Protect Source Code

Only authenticated developers can access IDE environments and source code repositories.

Zero unauthorized code access

MFA for IDE Access

Require multi-factor authentication before developers can access their cloud IDE.

MFA-protected development

Developer Accountability

Every IDE session is attributed to a specific developer via corporate identity.

Individual accountability

Instant Access Revocation

Disable a developer in your IdP and code-server access stops immediately.

Real-time offboarding

Compliance Session Recording

Record IDE sessions for regulatory compliance and security auditing.

Full session recordings

code-server (VS Code) SSO Capabilities

Every feature needed to provide enterprise-grade SSO and access control for code-server (VS Code).

SAML 2.0 & OIDC SSO for code-server
Individual developer identity via proxy auth
Multi-instance code-server SSO
Session recording for compliance
IP and geo-restriction
Device trust verification
Concurrent session management
Automatic session timeout
Terminal activity auditing
Extension marketplace access control

Zero-Day Protection Features

Enterprise-grade security controls that shield code-server (VS Code) from exploitation.

code-server isolated from direct network access
End-to-end TLS encryption
Request-level authentication
WebSocket authentication for terminal sessions
Header injection prevention
Automatic session invalidation on IdP sign-out

code-server (VS Code) SSO + Security Use Cases

Common scenarios where organizations deploy OnePAM in front of code-server (VS Code).

1. Development teams accessing cloud IDEs with corporate SSO and MFA
2. Securing code-server instances for contractor development with session recording
3. Protecting source code access in regulated industries (finance, healthcare)
4. Enforcing geo-restrictions on development environments for IP protection
5. Providing temporary IDE access for code reviews and pair programming
6. Securing multi-tenant code-server deployments for training and education

code-server (VS Code) SSO + Security FAQ

Common questions about deploying OnePAM's authenticated proxy for code-server (VS Code).

Does OnePAM replace code-server's built-in password?

Yes. With OnePAM, code-server runs with --auth none and OnePAM handles all authentication via corporate SSO with MFA.

Does OnePAM work with code-server's terminal?

Yes. OnePAM authenticates the entire code-server session including the integrated terminal. WebSocket connections for terminal sessions pass through OnePAM's authentication.

Can each developer have their own code-server instance?

Yes. OnePAM can route authenticated users to individual code-server instances based on identity, providing isolated development environments.

Does OnePAM affect VS Code extension installation?

No. Extensions install and run normally within code-server. OnePAM only controls who can access the code-server interface.

Can we use OnePAM with Coder (the platform)?

Yes. OnePAM can proxy to Coder's web interface as well, providing an additional authentication layer.

Ready to Secure code-server (VS Code) with SSO + Zero-Day Protection?

Deploy OnePAM in minutes — no code-server (VS Code) code changes required. Start your free 14-day trial today.