Disable external X11 for greater security

Turn off this often overlooked service on port 6000

startx -- -nolisten tcp
xhosts +local:

If you never want to run X programs on a remote machine to display on your local machine, then you may as well shut off this non-essential service

The -nolisten tcp is passed directly to the X Server. You may want to put this in a system startup file like /usr/X11R6/lib/X11/xinit/xserverrc or /etc/X11/xinit/xserverrc

The xhosts line means "trust all clients who are on local host". This is fine for a workstation with only one user, like a typical home machine.