A secure installation of RStudio encrypts network traffic using SSL. SSL doesn’t come pre-configured since it requires certificates signed by a Certificate Authority (CA) trusted by all parties.

Use SSL for Web Users

If your configuration of RStudio is accessed directly by end users, see the SSL Configuration section, which describes how you can ensure that HTTPS is used when RStudio is accessed via a web browser. Note that this does not apply if you are terminating SSL upstream, for example when you are using nginx or Apache in front of RStudio as described in Running with a Proxy and handling SSL there.

Use SSL for the Job Launcher

Ensure that communication with the Job Launcher is encrypted by setting launcher-use-ssl=1 as follows:

# /etc/rstudio/rserver.conf

Note that additional configuration for the Job Launcher is required to make it possible to connect to it over SSL. See Job Launcher Configuration for details. Example Launcher configuration:

# /etc/rstudio/launcher.conf

Restrict TLS Versions

RStudio Workbench supports many different SSL protocols for compatibility with older browsers, but several are no longer considered secure. We recommend disabling support for all SSL protocols except the most recent two, TLS 1.2 and 1.3. See the SSL Protocols section for more details.

# /etc/rstudio/rserver.conf
ssl-protocols=TLSv1.2 TLSv1.3

Use HTTP Strict Transport Security (HSTS)

When configured with SSL, RStudio Workbench uses HTTP Strict Transport Security automatically. This is a security setting that forces the browser to always use HTTPS when connecting to RStudio Workbench. We recommend including the maximum age to 1 year, and extending coverage to subdomains.

# /etc/rstudio/rserver.conf

This ensures that the browser will not connect via HTTP to the domain running RStudio Server (and any of its subdomains) for one year.

Using SSL with RStudio Server Open Source

RStudio Workbench has built-in SSL and HTTPS controls as described in this section. However, much of the same advice applies if you are securing an installation of the Open Source edition of RStudio Server; you can run RStudio Server behind a reverse proxy such as Nginx and perform SSL termination upstream.