8 Security & Auditing
8.1 API Security
8.1.1 Preventing Brute Force & Dictionary Attacks
By default, RStudio Connect allows as many login attempts as it can handle from any source when using the PAM, LDAP, and Password authentication providers. Users will be able to log in directly by entering their user name and password.
Setting the Authentication.ChallengeResponseEnabled
flag to true
enables a CAPTCHA form in the login screen, and requires that CAPTCHA be solved in order to authenticate. Both visual and audio CAPTCHA challenges are provided for accessibility needs.
8.2 Browser Security
There are a variety of security settings that can be configured in RStudio Connect. Some of these settings are enabled by default but can be customized while others are opt-in. Below are some of the security features worth considering.
8.2.1 Web Sudo Mode
When a user performs a sensitive operation in a web browser (such as creating a new API key), they will be asked to reenter their login credentials. Once the user enters their password properly, their session will enter a privileged state internally referred to as “web sudo mode” which will allow them to perform these sensitive operations for a certain window of time without entering their password again. Note that this privileged mode is a notion purely internal to RStudio Connect and entirely unrelated to the server’s actual sudo
or PAM settings.
This feature is not available on servers configured to use proxied authentication or Google OAuth2, as these providers don’t have a mechanism for reprompting the user for their password.
For all other authentication providers, the WebSudoMode
and WebSudoModeDuration
configuration options are available within the section pertaining to that provider. If WebSudoMode
is set to false
, then this protection is disabled; effectively, all authenticated users are always in privileged mode. WebSudoModeDuration
controls the length of time for which a user stays in this privileged mode. For password authentication, for example, you could configure:
[Password]
WebSudoMode = true
WebSudoModeDuration = 10m
In this case, users would be prompted for their password before performing sensitive actions, then would be allowed to continue performing sensitive actions for up to 10 minutes without additional prompts. After that point, any sensitive actions would require entering their password again.
Regardless of the setting, web sudo mode will never affect calls made outside of a browser using a token or an API key.
8.2.2 Guaranteeing HTTPS
If you can guarantee that your server should only ever be accessed over a TLS/SSL connection (HTTPS), then you can consider enabling the Https.Permanent
setting. This elevates the security of your server by requiring that future interactions between your users and this server must be encrypted.
Enabling this setting may keep users from being able to access your RStudio Connect instance if you later disable HTTPS or if your certificate expires. Use this setting only if you will permanently provide a valid TLS/SSL certificate on this server.
Behind the scenes, this makes two changes:
- Introduces HTTP Strict Transport Security (HSTS) by adding a
Strict-Transport-Security
HTTP header with amax-age
set to 30 days. HSTS ensures that your users’ browsers will not trust a service hosted at this location unless it is protected with a trusted TLS/SSL certificate. - Enforces the
Secure
flag on cookies that are set. This prohibits your users’ browsers from sending their RStudio Connect cookies to a server without an HTTPS-secured connection.
8.2.3 Content Sniffing
The Server.ContentTypeSniffing
setting can be used to configure HTTP responses with the X-Content-Type-Options
header. This header can protect your users from a certain class of malicious uploads.
When Server.ContentTypeSniffing
is disabled (the default), the X-Content-Type-Options
HTTP header is given the value of nosniff
. This instructs browsers not to inspect the content in an attempt to identify its type.
When Server.ContentTypeSniffing
is enabled, the X-Content-Type-Options
HTTP header is not sent; browsers are free to analyze the content to detect its type.
8.2.4 Content Embedding
The X-Frame-Options
HTTP header is used to control what content can be embedded inside other content in a web browser. The relevant attack is commonly referred to as a “clickjack attack” and involves having your users interact with a sensitive service without their knowledge.
For the purposes of the X-Frame-Options
header, RStudio Connect distinguishes between “dashboard” and “user” content. Dashboard content are any of the internal services or assets that are shipped with RStudio Connect. User content is anything uploaded by a user (reports, Shiny applications, Plumber APIs, etc.)
Server.FrameOptionsContent
configures the X-Frame-Options
header value for user-uploaded content. By default it is empty, meaning that the header will not be set. This allows user-provided content to be embedded in iframes from any location. If you do not intend for others to embed user content on their sites, you can set this to a value of SAMEORIGIN
to ensure that only sites on the same server will be able to embed your users’ content. The RStudio Connect dashboard itself uses iframes to present user content in the dashboard, so it is not recommended to set this option to DENY
.
Server.FrameOptionsDashboard
configures the X-Frame-Options
header value for internal services and assets provided with RStudio Connect and defaults to a value of DENY
. This means that other sites will not be able to embed the RStudio Connect dashboard. This setting is more secure in that it protects against clickjacking attacks against the dashboard, but if you plan to embed the dashboard elsewhere you may need to tune this setting.
Some advertised values for this header are not supported across all browsers. RStudio Connect does not restrict the values of these headers.
8.2.5 Custom Headers
If you need to include additional HTTP headers that are not covered by any of the above features, you can include your own custom headers on all responses from RStudio Connect using the Server.CustomHeader
setting.
This feature can be used to accommodate various other security practices that are not explicitly available as options elsewhere in Connect. For instance, X-XSS-Protection, Content Security Policy (CSP), HTTP Public Key Pinning (HPKP), and Cross-origin Resource Sharing (CORS) could all be configured using custom headers.
Custom headers are added to the HTTP response early during request processing. Values may later be overwritten or modified by other header settings. This includes both the security preferences described earlier in this chapter and other headers used internally by RStudio Connect, by Plumber, or by Shiny. You should not depend on a custom header that conflicts with a header already in use by RStudio Connect.
The Server.CustomHeader
takes a value of the header name and its value separated by a colon. Whitespace surrounding the header name and its value are trimmed. You can use this setting multiple times as in the following example:
[Server]
CustomHeader = “HeaderA: some value”
CustomHeader = “HeaderB: another value”
8.3 Audit Logs
RStudio Connect records information about changes to the system. These events can later be retrieved for auditing purposes.
This table contains the event types logged by the auditing system:
Event | Description |
---|---|
add_user |
Create a user |
edit_user |
Change an existing user |
update_lock_user |
Set or remove a lock for an existing user |
add_application |
Add new content |
upload_bundle |
Upload a bundle for a content |
deploy_application |
Deploy content to the server. Content may need to be published after deployment. |
edit_application |
Change content settings |
remove_application |
Delete content |
activate_token |
Activate a token. Tokens are used by the rsconnect package to authenticate a user. |
add_group |
Create a group |
remove_group |
Delete a group |
add_group_member |
Add a user to a group |
remove_group_member |
Remove a user from a group |
assign_user_app_role |
Give a user view or edit access to content |
remove_user_app_role |
Remove a user from view or edit access list |
assign_group_app_role |
Give a group view or edit access to content |
remove_group_app_role |
Remove a group from view or edit access list |
clear_app_viewer_acl |
Change from a specific list of viewers to “just me” |
add_api_key |
Add API key |
remove_api_key |
Remove API key |
add_vanity |
Add vanity URL |
update_vanity |
Update vanity URL |
remove_vantiy |
Remove vanity URL |
remove_bundle |
Remove a bundle |
download_bundle |
Download a bundle |
add_tag |
Create a tag/category |
remove_tag |
Delete a tag/category |
update_tag |
Update a tag/category |
assign_tag_to_parent |
Associate a tag with some parent tag/category |
add_app_tag |
Associate a tag with content |
remove_app_tag |
Disassociate a tag with content |
updated_environment_variables |
Change to application environment variables |
8.3.1 Audit Logs Command-Line Interface
See Appendix B for more information on using the usermanager
CLI to dump audit logs.
8.4 Application Environment Variables
User-specified environment variables for applications are encrypted on-disk and in-memory. They are decrypted only when a process is about to be started.