DISPLAY environment variable to point to a local TCP socket opened there by sshd, which then tunnels the X11 communication back to ssh. Sshd then also calls xauth to add at the remote site an MIT-MAGIC-COOKIE-1 string into .Xauthority there, which then authorizes X11 clients there to access the ssh user's local X server.

X11 connections between client and server over a network can also be protected using other secure-channel protocols, such as Kerberos/GSSAPI