7 Security & Auditing

7.1 Browser Security

There are a variety of security settings that can be configured in RStudio Connect. Some of these settings are enabled by default but can be customized while others are opt-in. Below are some of the security features worth considering.

7.1.1 Guaranteeing HTTPS

If you can guarantee that your server should only ever be accessed over a TLS/SSL connection (HTTPS), then you can consider enabling the Https.Permanent setting. This elevates the security of your server by requiring that future interactions between your users and this server must be encrypted.

Enabling this setting may keep users from being able to access your RStudio Connect instance if you later disable HTTPS or if your certificate expires. Use this setting only if you will permanently provide a valid TLS/SSL certificate on this server.

Behind the scenes, this makes two changes:

  1. Introduces HTTP Strict Transport Security (HSTS) by adding a Strict-Transport-Security HTTP header with a max-age set to 30 days. HSTS ensures that your users’ browsers will not trust a service hosted at this location unless it is protected with a trusted TLS/SSL certificate.
  2. Enforces the Secure flag on cookies that are set. This prohibits your users’ browsers from sending their RStudio Connect cookies to a server without an HTTPS-secured connection.

7.1.2 Content Sniffing

The Server.ContentTypeSniffing setting can be used to configure the X-Content-Type-Options HTTP header. This protects your users from a certain class of malicious uploads and is enabled by default.

When disabled (the default), the X-Content-Type-Options HTTP header will be set to a value of nosniff to tell browsers not to sniff the content type. If enabled, no such header will be provided.

7.1.3 Content Embedding

The X-Frame-Options HTTP header is used to control what content can be embedded inside other content in a web browser. The relevant attack is commonly referred to as a “clickjack attack” and involves having your users interact with a sensitive service without their knowledge.

For the purposes of the X-Frame-Options header, RStudio Connect distinguishes between “dashboard” and “user” content. Dashboard content are any of the internal services or assets that are shipped with RStudio Connect. User content is anything uploaded by a user (reports, Shiny applications, etc.)

Server.FrameOptionsContent configures the X-Frame-Options header value for user-uploaded content. By default it is empty, meaning that the header will not be set. This allows user-provided content to be embedded in iframes from any location. If you do not intend for others to embed user content on their sites, you can set this to a value of SAMEORIGIN to ensure that only sites on the same server will be able to embed your users’ content. The RStudio Connect dashboard itself uses iframes to present user content in the dashboard, so it is not recommended to set this option to DENY.

Server.FrameOptionsDashboard configures the X-Frame-Options header value for internal services and assets provided with RStudio Connect and defaults to a value of DENY. This means that other sites will not be able to embed the RStudio Connect dashboard. This setting is more secure in that it protects against clickjacking attacks against the dashboard, but if you plan to embed the dashboard elsewhere you may need to tune this setting.

Some advertised values for this header are not supported across all browsers. RStudio Connect does not restrict the values of these headers.

7.1.4 Custom Headers

If you need to include additional HTTP headers that are not covered by any of the above features, you can include your own custom headers on all responses from RStudio Connect using the Server.CustomHeader setting.

This feature can be used to accommodate various other security practices that are not explicitly available as options elsewhere in Connect. For instance, X-XSS-Protection, Content Security Policy (CSP), HTTP Public Key Pinning (HPKP), and Cross-origin Resource Sharing (CORS) could all be configured using custom headers.

Custom headers are added to the HTTP response early during request processing. Values may later be overwritten or modified by other header settings. This includes both the security preferences described earlier in this chapter and other headers used internally by RStudio Connect or by Shiny. You should not depend on a custom header that conflicts with a header already in use by RStudio Connect.

The Server.CustomHeader takes a value of the header name and its value separated by a colon. Whitespace surrounding the header name and its value are trimmed. You can use this setting multiple times as in the following example:

[Server]
CustomHeader = “HeaderA: some value” 
CustomHeader = “HeaderB: another value” 

7.2 Audit Logs

The following events are logged by the auditing system:

Event Description
add_user Create a user
edit_user Change an existing user
update_lock_user Set or remove a lock for an existing user
add_application Add new content
upload_bundle Upload a bundle for a content
deploy_application Deploy content to the server. Note that content still needs to published after deployment.
edit_application Change content settings
remove_application Delete content
activate_token Activate a token. Tokens are used by the rsconnect package to authenticate a user.
add_group Create a group
remove_group Delete a group
add_group_member Add a user to a group
remove_group_member Remove a user from a group
assign_user_app_role Give a user view or edit access to content
remove_user_app_role Remove a user from view or edit access list
assign_group_app_role Give a group view or edit access to content
remove_group_app_role Remove a group from view or edit access list
clear_app_viewer_acl Change from a specific list of viewers to “just me”
add_api_key Added API key
remove_api_key Removed API key
add_vanity Add vanity url
update_vanity Update vanity url
remove_vantiy Remove vanity url
remove_bundle Remove a bundle
download_bundle Download a bundle
add_tag Create a tag/category
remove_tag Delete a tag/category
update_tag Update a tag/category
assign_tag_to_parent Associate a tag with some parent tag/category
add_app_tag Associate a tag with content
remove_app_tag Disassociate a tag with content

7.3 Audit Logs Command-Line Interface

See Appendix B for more information on using the usermanager CLI to dump audit logs.