16 Hardening
RStudio uses secure defaults wherever possible, but for maximal security hardening it’s necessary to use values that make stronger assumptions or require additional configuration. This section of the Administration Guide demonstrates the use of these more secure configuration values and describes other security considerations.
A summary of these recommendations in the form of a set of example configuration files is presented at the end of this section: Example Secure Configuration
16.1 Set up SSL
A secure installation of RStudio encrypts network traffic using SSL. SSL doesn’t come pre-configured since it requires certificates signed by a Certificate Authority (CA) trusted by all parties.
16.1.1 Use SSL for Web Users
If your configuration of RStudio is accessed directly by end users, see the SSL Configuration section, which describes how you can ensure that HTTPS is used when RStudio is accessed via a web browser. Note that this does not apply if you are terminating SSL upstream, for example when you are using nginx or Apache in front of RStudio as described in Running with a Proxy and handling SSL there.
16.1.2 Use SSL for the Job Launcher
Ensure that communication with the Job Launcher is encrypted by setting launcher-use-ssl=1
as follows:
/etc/rstudio/rserver.conf
launcher-use-ssl=1
Note that additional configuration for the Job Launcher is required to make it possible to connect to it over SSL. See Job Launcher Configuration for details. Example Launcher configuration:
/etc/rstudio/launcher.conf
enable-ssl=1
certificate-file=/var/certs/your_domain_name.crt
certificate-key-file=/var/certs/your_domain_name.key
16.1.3 Restrict TLS Versions
RStudio Workbench supports many different SSL protocols for compatibility with older browsers, but several are no longer considered secure. We recommend disabling support for all SSL protocols except the most recent two, TLS 1.2 and 1.3. See the SSL Protocols section for more details.
/etc/rstudio/rserver.conf
ssl-protocols=TLSv1.2 TLSv1.3
16.1.4 Use HTTP Strict Transport Security (HSTS)
When configured with SSL, RStudio Workbench uses HTTP Strict Transport Security automatically. This is a security setting that forces the browser to always use HTTPS when connecting to RStudio Workbench. We recommend including the maximum age to 1 year, and extending coverage to subdomains.
/etc/rstudio/rserver.conf
ssl-hsts-max-age=31536000
ssl-hsts-include-subdomains=1
This ensures that the browser will not connect via HTTP to the domain running RStudio Server (and any of its subdomains) for one year.
16.1.5 Using SSL with RStudio Server Open Source
RStudio Workbench has built-in SSL and HTTPS controls as described in this section. However, much of the same advice applies if you are securing an installation of the Open Source edition of RStudio Server; you can run RStudio Server behind a reverse proxy such as Nginx and perform SSL termination upstream.
16.2 Browser Security
This section summarizes the recommendations in the Access and Security section.
16.2.1 Enable Origin Checks
To help mitigate against CSRF attacks, RStudio can automatically reject any request that originated from a domain it doesn’t recognize. To enable this check, add the following configuration:
/etc/rstudio/rserver.conf
www-enable-origin-check=1
www-allow-origin=mysubdomain.mydomain.com
The www-allow-origin
setting is optional, but is helpful when RStudio is running behind a proxy. See Additional Security Considerations for details.
16.2.2 Disable Frame Embedding
By default, RStudio does not permit frame embedding (that is, it will not load inside another web page’s <frameset>
or <iframe>
). No change is necessary to enforce this, but you can request it explicitly as follows:
/etc/rstudio/rserver.conf
www-frame-origin=none
16.3 R Session Security
RStudio includes a number of options which can help harden the surface of the RStudio IDE itself. The settings in this section all apply to the IDE’s user interface for R sessions.
Remember that RStudio is an interface to R itself, which has a variety of tools that can access the file system and shell as the user themselves. Follow security best practices by relying on operating system-level permissions, not front end restrictions, to guard access to sensitive content and files.
16.3.1 Limit Idle Time
By default, RStudio allows users to be idle for up to an hour before automatically signing them out. If your users work with sensitive data, you may wish to decrease this.
/etc/rstudio/rserver.conf
auth-timeout-minutes=20
See Inactivity Timeout for details.
16.3.2 Restrict System Directory Access
RStudio can optionally prevent users from browsing to system directories; see Restricted Directories for details. Enable this feature as follows:
/etc/rstudio/rsession.conf
restrict-directory-view=1
16.3.3 Disable External Publishing
RStudio includes support for publishing to several external services, including RPubs and Shinyapps.io. If your users work with sensitive information, you should disable publishing to these services as follows:
/etc/rstudio/rsession.conf
allow-external-publish=0
16.3.4 Disable Other Features
The are a few other features you should consider disabling. We have not included them in our Example Secure Configuration because they can impede productivity for end users.
- Disable shell access (
allow-shell=0
); disables the Terminal tab used to execute system commands - Disable file downloads (
allow-file-downloads=0
); disables downloading files using the Files pane - Disable file uploads (
allow-file-uploads=0
); disables uploading files using the Files pane - Disable package installation (
allow-package-installation=0
); disables the user interface for installing R packages
Note that regardless of the values of these settings, users can execute system commands, install packages, and upload and download content using R itself.
16.4 Other
16.4.1 Encrypt Database Password
When using PostgreSQL as a database provider, ensure that you’re using an encrypted database password as described in PostgreSQL password encryption.
/etc/rstudio/database.conf
# Generated by rstudio-server encrypt-password
password=ThX7skaB8VhMRk7jQr1J3lS0fk+GLmXDp3JIVcHwPiK1CMixSIEsNTt3cNBYj9Rx
16.4.2 Enforce Group Requirement
By default, anyone who can successfully authenticate on the system can use the IDE. You can get more control over who’s able to log into the system by creating a group such as rstudio-users
and instructing RStudio to limit access to that group.
/etc/rstudio/rserver.conf
auth-required-user-group=rstudio-users
16.5 Example Secure Configuration
This section aggregates all of the security recommendations from the above sections. Note, again, that some adjustment is likely to be necessary depending on your environment; for example, this set of configuration values presumes that SSL termination is happening in RStudio, that RStudio is the only application running on its domain, and that it is never embedded in another page.
Therefore, use these files as a starting point rather than copying and pasting them into your own system.
/etc/rstudio/rsession.conf
# Disable publishing to RPubs and shinyapps.io
allow-external-publish=0
# Prevent exploration of system directories
restrict-directory-view=1
/etc/rstudio/rserver.conf
# Limit access to those users to whom it's been explicitly granted via group membership
auth-required-user-group=rstudio-users
# Sign users out after 20 minutes of inactivity (default is 60)
auth-timeout-minutes=20
# Use HTTPS when connecting to web browsers
ssl-enabled=1
ssl-certificate=/var/certs/your_domain_name.crt
ssl-certificate-key=/var/certs/your_domain_name.key
# Limit SSL protocol versions to modern TLS
ssl-protocols=TLSv1.2 TLSv1.3
# Increase HTTP Strict Transport Security to 1 year and include subdomains
ssl-hsts-max-age=31536000
ssl-hsts-include-subdomains=1
# Enable origin checks on all HTTP requests (CSRF defense)
www-enable-origin-check=1
# Ensure that the domain on which RStudio is hosted is permitted as an origin
www-allow-origin=mysubdomain.mydomain.com
# Ensure the SameSite attribute is set on all cookies
www-same-site=lax
# Disallow embedding on other pages
www-frame-origin=none
# Use HTTPS when connecting to the Job Launcher
launcher-use-ssl=1
/etc/rstudio/launcher.conf
enable-ssl=1
certificate-file=/var/certs/your_domain_name.crt
certificate-key-file=/var/certs/your_domain_name.key
/etc/rstudio/database.conf
# Generated by rstudio-server encrypt-password
password=ThX7skaB8VhMRk7jQr1J3lS0fk+GLmXDp3JIVcHwPiK1CMixSIEsNTt3cNBYj9Rx