Security FAQ


Shiny Server Pro 

Clickjacking: 
Shiny Server Pro 1.4.5+ supports opt-in clickjacking prevention via the frame_options directive, which sets the X-Frame-Options response header to deny, sameorigin, or allow-from a named origin. It is off by default, so it must be added to the configuration explicitly; deny is the right choice unless an application genuinely needs to be embedded.

SSL:

Enabling
SSL encryption can be configured for the server and admin interfaces. The admin guide contains instructions.

Encryption Protocol
Version 1.4.2 updated the list of preferred SSL/TLS ciphers. Version 1.4.3 upgraded Node.js to pick up an update to OpenSSL. As of version 1.5.0, Shiny Server Pro's SSL/TLS support includes forward secrecy (ephemeral key exchange), so a later compromise of the server's private key does not expose previously recorded sessions.

HSTS Header
Version 1.4.2 introduced the set_header directive, which lets administrators add arbitrary HTTP response headers. It can be used to set caching headers and HTTP Strict Transport Security (HSTS). Browsers only honor Strict-Transport-Security when it arrives over HTTPS, so the header is meaningful only once SSL is enabled, and the max-age it declares should not be set long until HTTPS is known to work for every client.

Cross Origin Resource Sharing (CORS):

The same set_header directive (introduced in 1.4.2) can be used to implement a limited version of CORS support by adding static Access-Control-* headers. Because the headers are fixed rather than computed per request, the allowed origin cannot be narrowed per caller; list the specific origins that need access rather than a wildcard.

Cross Site Request Forgery (CSRF):

Version 1.4.5 introduced CSRF protection to login and other POST operations. If you are using a custom template for the login page, upgrading to 1.4.5+ will require a change to the login template. 


RStudio Workbench (previously RStudio Server Pro)

Security Features for RStudio Workbench are explained here.

Clickjacking:
Version 1.0.136 introduced the www-frame-origin option in rserver.conf. Its default value, none, prevents RStudio Workbench from loading inside a browser frame at all, mitigating clickjacking; same allows framing only from the same origin, a specific origin allows only that site, and any disables the protection. Leave it at the default unless you need to embed the IDE.

Cookies:
RStudio Workbench uses HttpOnly cookies except for the CSRF cookie, which client-side code must be able to read in order to echo it back on POST requests (see CSRF below). That one cookie is therefore intentionally readable by JavaScript.

SSL:

Enabling
See the instructions in the admin guide.

Encryption Protocol
RStudio Workbench supports TLSv1, TLSv1.1, and TLSv1.2, as well as SSLv2 and SSLv3. Admins specify the permitted protocols with the ssl-protocols setting in rserver.conf. SSLv2 and SSLv3 are broken (DROWN and POODLE respectively) and TLSv1 and TLSv1.1 are deprecated (RFC 8996), so restrict the setting to TLSv1.2 unless a legacy client genuinely requires an older version, and confirm with an external TLS scanner after restarting the server that the old versions are no longer negotiable.

Secure Cookies
As of version 1.0.136, when SSL is enabled, cookies are marked Secure, so browsers send them only over HTTPS.

HSTS Header
As of version 1.0.136, when SSL is enabled, the Strict-Transport-Security (HSTS) header is set automatically.

Cross Site Request Forgery (CSRF):
CSRF protection is built into the IDE's communication with the R session. Version 1.0.136 adds additional CSRF protection to POST requests by means of a double-submit cookie: the server sets a random token in a cookie, the client must echo the same value in each POST, and a request whose two copies are missing or disagree is rejected. A cross-site form post carries the cookie automatically but cannot read it to copy the value, so it fails the check.
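The double-submit check described above, written out as an added example. This is not RStudio's code: the cookie name csrf-token, the header name X-CSRF-Token and the form-field fallback are chosen for the example, and the requests it handles are constructed dictionaries rather than real HTTP traffic.

```python
"""Double-submit cookie CSRF check (added example, not RStudio code)."""
import hmac
import secrets

CSRF_COOKIE = "csrf-token"    # cookie name assumed for this example
CSRF_HEADER = "x-csrf-token"  # request header name assumed for this example


def issue_csrf_cookie():
    """Mint a fresh random token at login. The server sets it as a cookie
    with the Secure flag (over HTTPS) but WITHOUT HttpOnly, because the page's
    JavaScript has to read it in order to echo it back."""
    return secrets.token_urlsafe(32)


def csrf_ok(cookies, headers, body=None):
    """Accept a POST only when the token in the cookie equals the token the
    page submitted, either in the CSRF header or as a form field.
    The comparison is constant-time so a mismatch leaks nothing via timing."""
    cookie_token = cookies.get(CSRF_COOKIE)
    submitted = {k.lower(): v for k, v in headers.items()}.get(CSRF_HEADER)
    if submitted is None and body:
        submitted = body.get(CSRF_COOKIE)
    if not cookie_token or not submitted:
        return False
    return hmac.compare_digest(cookie_token.encode(), submitted.encode())


def handle_post(cookies, headers, body=None):
    """Minimal handler: 403 on a failed CSRF check, 200 otherwise."""
    if not csrf_ok(cookies, headers, body):
        return 403, "CSRF token missing or mismatched"
    return 200, "ok"


if __name__ == "__main__":
    token = issue_csrf_cookie()
    # Legitimate request: the page read the cookie and echoed it in the header.
    print(handle_post({CSRF_COOKIE: token}, {"X-CSRF-Token": token}))
    # Forged cross-site request: the browser attached the cookie, but the
    # attacker's page could not read it, so the header is absent.
    print(handle_post({CSRF_COOKIE: token}, {}))
    # Attacker guesses a header value: still rejected.
    print(handle_post({CSRF_COOKIE: token}, {"X-CSRF-Token": "guess"}))
```

The check depends on the attacker being unable to set cookies for the server's host; if untrusted content is served from a sibling subdomain, a cookie planted from there can satisfy the comparison, so keep such content off the IDE's parent domain.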


RStudio Connect

Clickjacking:
RStudio Connect implements support for the X-Frame-Options header to mitigate clickjacking. The admin guide includes detailed instructions for use.

SSL:

SSL support is included so that RStudio Connect content can be served over HTTPS. The admin guide includes instructions for enabling it.

Secure Cookies
If administrators enable the Https.Permanent setting, the Secure flag is enforced on every cookie that is set, so browsers send them only over HTTPS.

HSTS Header
If administrators enable the Https.Permanent setting, the Strict-Transport-Security (HSTS) header is set with a max-age of 30 days (2592000 seconds). Browsers then refuse plain-HTTP connections to the host for that period, so enable Https.Permanent only once HTTPS is known to work for all clients.

Cross Origin Resource Sharing (CORS):
RStudio Connect allows administrators to set custom response headers, which can be used to configure CORS. Scope Access-Control-Allow-Origin to the specific sites that need cross-origin access rather than a wildcard; a static header applies to every request, so it cannot be narrowed per caller.
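The headers this FAQ discusses for all three products (X-Frame-Options for clickjacking, Strict-Transport-Security, the Secure and HttpOnly cookie flags, and the CORS Access-Control-* headers) can be verified from a captured response. The following Python audit is an added example, not RStudio code: the two responses are constructed for illustration, the CSRF cookie name csrf-token and the 30-day HSTS threshold (the value Connect uses) are assumptions, and the script reports each weak setting it finds.

```python
"""Audit security headers on a captured HTTPS response (added example)."""
import re

# HSTS max-age that RStudio Connect sets with Https.Permanent: 30 days.
THIRTY_DAYS = 30 * 24 * 3600  # 2592000 seconds

# Constructed responses for illustration; not captured from a real server.
WEAK = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Set-Cookie: user-id=abc123; Path=/\r\n"
    b"Set-Cookie: csrf-token=9f2a; Path=/; HttpOnly\r\n"
    b"Access-Control-Allow-Origin: *\r\n"
    b"Access-Control-Allow-Credentials: true\r\n"
    b"\r\n<html></html>"
)
HARDENED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"X-Frame-Options: DENY\r\n"
    b"Strict-Transport-Security: max-age=2592000\r\n"
    b"Set-Cookie: user-id=abc123; Path=/; Secure; HttpOnly\r\n"
    b"Set-Cookie: csrf-token=9f2a; Path=/; Secure\r\n"
    b"Access-Control-Allow-Origin: https://app.example.org\r\n"
    b"Access-Control-Allow-Credentials: true\r\n"
    b"\r\n<html></html>"
)


def parse_response(raw):
    """Split a raw response into its status line and a list of
    (lower-cased name, value) pairs. Set-Cookie repeats, so a list is kept."""
    head, _sep, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _colon, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def values(headers, name):
    """All values of one header, in order."""
    return [v for n, v in headers if n == name]


def audit(raw, csrf_cookie="csrf-token", https=True):
    """Return a list of findings; an empty list means every check passed.
    csrf_cookie names the double-submit cookie (an assumed name), which must
    stay readable by JavaScript, so it alone is exempt from HttpOnly."""
    _status, headers = parse_response(raw)
    findings = []

    # Clickjacking: the page must refuse to render inside a cross-site frame.
    xfo = values(headers, "x-frame-options")
    if not xfo:
        findings.append("no X-Frame-Options header: page can be framed")
    elif xfo[0].upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options %r is neither DENY nor SAMEORIGIN" % xfo[0])

    # HSTS: only meaningful over HTTPS; flag a missing header or a short max-age.
    if https:
        hsts = values(headers, "strict-transport-security")
        if not hsts:
            findings.append("no Strict-Transport-Security header")
        else:
            match = re.search(r"max-age=(\d+)", hsts[0], re.I)
            age = int(match.group(1)) if match else 0
            if age < THIRTY_DAYS:
                findings.append("HSTS max-age %d is below 30 days" % age)

    # Cookie flags: Secure over HTTPS, HttpOnly for everything but the CSRF cookie.
    for cookie in values(headers, "set-cookie"):
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        if https and "secure" not in attrs:
            findings.append("cookie %s lacks Secure" % name)
        if name == csrf_cookie:
            if "httponly" in attrs:
                findings.append("CSRF cookie %s is HttpOnly, so the page cannot "
                                "read it to double-submit" % name)
        elif "httponly" not in attrs:
            findings.append("cookie %s lacks HttpOnly" % name)

    # CORS: "*" or "null" as the allowed origin together with credentials is a
    # misconfiguration; browsers refuse "*" with credentials, and "null" can be
    # claimed by sandboxed iframes and file: pages.
    acao = values(headers, "access-control-allow-origin")
    acac = values(headers, "access-control-allow-credentials")
    if acao and acac and acac[0].lower() == "true" and acao[0] in ("*", "null"):
        findings.append("CORS allows origin %r together with credentials" % acao[0])

    return findings


if __name__ == "__main__":
    for label, raw in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(raw) or "all checks passed")
```

Run it against a response saved from the server's own origin (for example the bytes of the login page fetched over HTTPS); pass https=False when auditing a plain-HTTP deployment, since the HSTS and Secure checks only apply over TLS.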
