Look at either putting it behind a reverse proxy or using the built in Let’s Encrypt / ACME configuration.

Suggested documentation:

• headscale.net/stable/ref/…/reverse-proxy/
• headscale.net/stable/ref/tls/

The config linked to in their documentation states

# Address to listen to / bind to on the server
#
# For production:
# listen_addr: 0.0.0.0:8080
listen_addr: 127.0.0.1:8080

# Address to listen to /metrics and /debug, you may want
# to keep this endpoint private to your internal network
metrics_listen_addr: 127.0.0.1:9090

Port 8080 TCP is used for the connection, 9090 TCP is for metrics and not suggested to port forward. If you use a reverse proxy, you not need to port forward to either of those ports directly, and instead to the reverse proxy.