Browser Security

This section summarizes the recommendations in the Access and Security section.

Enable origin checks

To help mitigate against CSRF attacks, Posit Workbench can automatically reject any request that originated from a domain it doesn’t recognize. To enable this check, add the following configuration:

/etc/rstudio/rserver.conf
www-enable-origin-check=1
www-allow-origin=mysubdomain.mydomain.com

The www-allow-origin setting is optional, but is helpful when Workbench is running behind a proxy. See Security Considerations for details.

Disable frame embedding

By default, Workbench does not permit frame embedding (that is, it will not load inside another web page’s <frameset> or <iframe>). No change is necessary to enforce this, but you can request it explicitly as follows:

/etc/rstudio/rserver.conf
www-frame-origin=none
Back to top