
Commit 7958c52

docs: faq: restrict file transfers from workspaces (#13534)
1 parent 1f9bdc3 commit 7958c52

File tree

1 file changed

+33
-0
lines changed


docs/faqs.md

Lines changed: 33 additions & 0 deletions
@@ -501,3 +501,36 @@ Note that the JetBrains Gateway configuration blocks for each host in your SSH
501501
config file will be overwritten by the JetBrains Gateway client when it
502502
re-authenticates to your Coder deployment so you must add the above config as a
503503
separate block and not add it to any existing ones.
504+
505+
### How can I restrict inbound/outbound file transfers from Coder workspaces?
506+
507+
In certain environments, it is essential to keep confidential files within
508+
workspaces and prevent users from uploading or downloading resources using tools
509+
like `scp` or `rsync`.
510+
511+
To achieve this, template admins can use the environment variable
512+
`CODER_AGENT_BLOCK_FILE_TRANSFER`to enable additional SSH command controls.
513+
This variable allows the system to check if the executed application is on the
514+
block list, which includes `scp`, `rsync`, `ftp`, and `nc`.
515+
516+
```hcl
517+
resource "docker_container" "workspace" {
518+
...
519+
env = [
520+
"CODER_AGENT_TOKEN=${coder_agent.main.token}",
521+
"CODER_AGENT_BLOCK_FILE_TRANSFER=true",
522+
...
523+
]
524+
}
525+
```
526+
527+
#### Important Notice
528+
529+
This control operates at the `ssh-exec` level or during `sftp` sessions. While
530+
it can help prevent automated file transfers using the specified tools, users
531+
can still SSH into the workspace and manually initiate file transfers. The
532+
primary purpose of this feature is to warn and discourage users from downloading
533+
confidential resources to their local machines.
534+
535+
For more advanced security needs, consider adopting an endpoint security
536+
solution.
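Review bot: the added line "`CODER_AGENT_BLOCK_FILE_TRANSFER`to enable additional SSH command controls." is missing a space between the closing backtick and "to"; suggest "`CODER_AGENT_BLOCK_FILE_TRANSFER` to enable additional SSH command controls." In the same paragraph, "which includes `scp`, `rsync`, `ftp`, and `nc`" leaves it unclear whether that is the complete block list or only a sample of it; if the agent's list is fixed, state it as the full list so template admins know exactly which commands are and are not covered, which matters given the "Important Notice" already tells readers this is a discouragement measure rather than a hard boundary.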
