Browser Security
This section summarizes the recommendations in the Access and Security section.
Enable origin checks
To help mitigate against CSRF attacks, Posit Workbench can automatically reject any request that originated from a domain it doesn’t recognize. To enable this check, add the following configuration:
/etc/rstudio/rserver.conf:
    www-enable-origin-check=1
    www-allow-origin=mysubdomain.mydomain.com
The www-allow-origin setting is optional, but is helpful when Workbench is running behind a proxy. See Security Considerations for details.
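To make the proxy caveat concrete, here is an added illustrative model of a browser-origin check, written for this page and not taken from Posit Workbench's source. It assumes the server compares the Origin (or Referer) host of state-changing requests against the host it believes it is serving plus an allow-list, which is the role www-allow-origin plays; the header values below are constructed samples.

```python
"""Illustrative model of a CSRF origin check (not Workbench's own code)."""
from urllib.parse import urlsplit

# Only state-changing methods are subject to the check in this model.
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def _host_of(url):
    """Return the lower-cased host[:port] of a URL, or None if there is none
    (e.g. the literal Origin value "null" has no host and is rejected)."""
    try:
        netloc = urlsplit(url).netloc.lower()
    except ValueError:
        return None
    return netloc or None


def origin_check(method, headers, allowed_origins=()):
    """Decide whether a request passes the origin check.

    headers: dict with lower-case header names as the server receives them.
    allowed_origins: hosts configured via www-allow-origin (assumed semantics).
    Returns (allowed, reason).
    """
    if method.upper() not in STATE_CHANGING:
        return True, "safe method, not checked"
    # The host the server thinks it is serving. Behind a reverse proxy the
    # Host header is typically the proxy's internal name, so a browser's
    # Origin of the public hostname would not match without www-allow-origin.
    own = {headers.get("x-forwarded-host"), headers.get("host")}
    own = {h.lower() for h in own if h}
    allowed = own | {a.lower() for a in allowed_origins}
    source = headers.get("origin") or headers.get("referer")
    if not source:
        return False, "state-changing request without Origin/Referer"
    host = _host_of(source)
    if host is None:
        return False, "Origin/Referer has no usable host"
    if host in allowed:
        return True, f"origin {host} matches an allowed host"
    return False, f"origin {host} not in {sorted(allowed)}"


if __name__ == "__main__":
    # Constructed sample: Workbench behind a proxy, reached as
    # mysubdomain.mydomain.com, with the internal Host header differing.
    proxied = {"host": "wb.internal:8787",
               "origin": "https://mysubdomain.mydomain.com"}
    print(origin_check("POST", proxied))
    print(origin_check("POST", proxied, ["mysubdomain.mydomain.com"]))
```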
Disable frame embedding
By default, Workbench does not permit frame embedding (that is, it will not load inside another web page's <frameset> or <iframe>). No change is necessary to enforce this, but you can request it explicitly as follows:
/etc/rstudio/rserver.conf:
    www-frame-origin=none