Enhancing Nectari security
By default, when you do an installation, you have a web browser which sends queries to the IIS Website (Nectari Web Server) (set on HTTP by default). Right after, the website will communicate with IIS, then IIS will do the same with the SQL Server.
So starting from this point, we already can secure IIS (highly recommanded).
In relation to Excel Add-In, if you secure the website (IIS) and make possible external access, it will be sufficient at least for Chrome.