diff --git a/docs/admin/setup/index.md b/docs/admin/setup/index.md
index f72ca5b2f8df1..a0ffaa0f5211a 100644
--- a/docs/admin/setup/index.md
+++ b/docs/admin/setup/index.md
@@ -60,6 +60,8 @@ If you are providing TLS certificates directly to the Coder server, either
    options (these both take a comma separated list of files; list certificates
    and their respective keys in the same order).
 
+After you enable the wildcard access URL, you should [disable path-based apps](../../tutorials/best-practices/security-best-practices.md#disable-path-based-apps) for security.
+
 ## TLS & Reverse Proxy
 
 The Coder server can directly use TLS certificates with `CODER_TLS_ENABLE` and
diff --git a/docs/tutorials/best-practices/security-best-practices.md b/docs/tutorials/best-practices/security-best-practices.md
index 2c9ffbbb111c8..61c48875e0f6d 100644
--- a/docs/tutorials/best-practices/security-best-practices.md
+++ b/docs/tutorials/best-practices/security-best-practices.md
@@ -66,6 +66,33 @@ logs (which have `msg: audit_log`) and retain them for a minimum of two years
 If a security incident with Coder does occur, audit logs are invaluable in
 determining the nature and scope of the impact.
 
+### Disable path-based apps
+
+For production deployments, we recommend that you disable path-based apps after you've configured a wildcard access URL.
+
+Path-based apps share the same origin as the Coder API, which can be convenient for trialing Coder,
+but can expose the deployment to cross-site-scripting (XSS) attacks in production.
+A malicious workspace could reuse Coder cookies to call the API or interact with other workspaces owned by the same user.
+
+1. [Enable sub-domain apps with a wildcard DNS record](../../admin/setup/index.md#wildcard-access-url) (like `*.coder.example.com`)
+
+1. Disable path-based apps:
+
+   ```shell
+   coderd server --disable-path-apps
+   # or
+   export CODER_DISABLE_PATH_APPS=true
+   ```
+
+By default, Coder mitigates the impact of having path-based apps enabled, but we still recommend disabling it to prevent
+malicious workspaces accessing other workspaces owned by the same user or performing requests against the Coder API.
+
+If you do keep path-based apps enabled:
+
+- Path-based apps cannot be shared with other users unless you start the Coder server with `--dangerous-allow-path-app-sharing`.
+- Users with the site `owner` role cannot use their admin privileges to access path-based apps for workspaces unless the
+  server is started with `--dangerous-allow-path-app-site-owner-access`.
+
 ## PostgreSQL
 
 PostgreSQL is the persistent datastore underlying the entire Coder deployment.

<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Transitional//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'>
<html xmlns='http://www.w3.org/1999/xhtml'>
<head>
<title>pFad - Phonifier reborn</title>
<meta http-equiv='Content-Type' content='text/html; charset=utf-8' />
</head>
<body>
<h1>Pfad - The Proxy pFad of &#169; 2024 Garber Painting. All rights reserved.</h1>


<!-- Disclaimer -->
<p>Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.</p>
<br>
<p>Alternative Proxies:</p><p><a href="http://clevelandohioweatherforecast.com/php-proxy/index.php?q=https://patch-diff.githubusercontent.com/raw/coder/coder/pull/18419.diff" target="_blank">Alternative Proxy</a></p><p><a href="http://clevelandohioweatherforecast.com/pFad/index.php?u=https://patch-diff.githubusercontent.com/raw/coder/coder/pull/18419.diff" target="_blank">pFad Proxy</a></p><p><a href="http://clevelandohioweatherforecast.com/pFad/v3index.php?u=https://patch-diff.githubusercontent.com/raw/coder/coder/pull/18419.diff" target="_blank">pFad v3 Proxy</a></p><p><a href="http://clevelandohioweatherforecast.com/pFad/v4index.php?u=https://patch-diff.githubusercontent.com/raw/coder/coder/pull/18419.diff" target="_blank">pFad v4 Proxy</a></p></body>
</html>