Example Secure Configuration

This section aggregates all of the security recommendations from the previous sections. Note, again, that some adjustment is likely to be necessary depending on your environment; for example, this set of configuration values presumes that TLS termination happens in Posit Workbench itself rather than at a proxy in front of it, that Workbench is the only application running on its domain, and that it is never embedded in another page.

Therefore, use these files as a starting point rather than copying and pasting them into your own system.

/etc/rstudio/rsession.conf
# Disable publishing to RPubs and shinyapps.io
allow-external-publish=0

# Prevent exploration of system directories
restrict-directory-view=1

/etc/rstudio/rserver.conf
# Limit access to those users to whom it's been explicitly granted via group membership
auth-required-user-group=rstudio-users

# Sign users out after 20 minutes of inactivity (default is 60)
auth-timeout-minutes=20

# Serve browsers over HTTPS using this certificate and private key
ssl-enabled=1
ssl-certificate=/var/certs/your_domain_name.crt
ssl-certificate-key=/var/certs/your_domain_name.key

# Limit SSL protocol versions to modern TLS
ssl-protocols=TLSv1.2 TLSv1.3

# Set the HTTP Strict Transport Security max-age to 1 year (31536000 seconds) and include subdomains
ssl-hsts-max-age=31536000
ssl-hsts-include-subdomains=1

# Enable origin checks on all HTTP requests (CSRF defense)
www-enable-origin-check=1

# Ensure that the domain on which Workbench is hosted is permitted as an origin (all others are rejected)
www-allow-origin=mysubdomain.mydomain.com

# Set SameSite=Lax on all cookies so browsers withhold them from cross-site POST requests
www-same-site=lax

# Disallow embedding on other pages
www-frame-origin=none

# Use HTTPS when connecting to the Job Launcher
launcher-use-ssl=1

/etc/rstudio/launcher.conf
enable-ssl=1
certificate-file=/var/certs/your_domain_name.crt
certificate-key-file=/var/certs/your_domain_name.key

/etc/rstudio/database.conf
# Authenticate to PostgreSQL with a client certificate (sslcert/sslkey) and trust root.crt for the server
# Note: libpq only checks the server certificate against sslrootcert when sslmode is verify-ca or verify-full
connection-uri=postgresql://postgresuser@mysubdomain.mydomain.internal:5432/rstudio?sslcert=/etc/ssl/certs/postgresql/postgresql.crt&sslkey=/etc/ssl/certs/cacert/postgresql/postgresql.key&sslrootcert=/etc/ssl/certs/cacert/postgresql/root.crt
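Because these values drift as a deployment is maintained, it helps to be able to re-check a host against the baseline above. The following audit script is an added example, not Posit's code: it parses the four files in Workbench's `key=value` style and reports every setting that falls short of the values listed on this page. The expected origin is passed in by the caller; the sample configurations embedded in the script are the ones shown above, plus a deliberately weakened copy of rserver.conf, so it runs offline. The one check that goes beyond the page is for `sslmode=verify-full` on the PostgreSQL URI, added because libpq's default `sslmode=prefer` never validates the server certificate against `sslrootcert`.

```python
"""Audit Posit Workbench config files against the hardening baseline on this page.
Added example (not Posit's code). Usage: python audit_workbench.py /etc/rstudio
With no argument it audits the sample configs embedded below (constructed from the page)."""
import os
import sys
from urllib.parse import parse_qs, urlsplit

WEAK_TLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
ONE_YEAR_SECONDS = 31536000
MAX_IDLE_MINUTES = 20
CONF_FILES = ("rsession.conf", "rserver.conf", "launcher.conf", "database.conf")


def parse_conf(text):
    """Parse key=value lines; '#' comments and blank lines are skipped.
    Only the first '=' splits, so values containing '=' (the database URI) survive."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def _int(conf, key, default):
    try:
        return int(conf.get(key, default))
    except ValueError:
        return None


def audit_rsession(conf):
    f = []
    if conf.get("allow-external-publish") != "0":
        f.append("rsession.conf: allow-external-publish should be 0")
    if conf.get("restrict-directory-view") != "1":
        f.append("rsession.conf: restrict-directory-view should be 1")
    return f


def audit_rserver(conf, expected_origin):
    f = []
    if not conf.get("auth-required-user-group"):
        f.append("rserver.conf: auth-required-user-group is not set")
    idle = _int(conf, "auth-timeout-minutes", "60")  # Workbench default is 60 (page)
    if idle is None or idle <= 0 or idle > MAX_IDLE_MINUTES:
        f.append(f"rserver.conf: auth-timeout-minutes should be 1..{MAX_IDLE_MINUTES}")
    for key, want in (("ssl-enabled", "1"), ("ssl-hsts-include-subdomains", "1"),
                      ("www-enable-origin-check", "1"), ("launcher-use-ssl", "1"),
                      ("www-frame-origin", "none"), ("www-allow-origin", expected_origin)):
        if conf.get(key) != want:
            f.append(f"rserver.conf: {key} should be {want}")
    for key in ("ssl-certificate", "ssl-certificate-key"):
        if not conf.get(key):
            f.append(f"rserver.conf: {key} is not set")
    protocols = conf.get("ssl-protocols", "").split()
    weak = sorted(WEAK_TLS.intersection(protocols))
    if not protocols or weak:
        f.append("rserver.conf: ssl-protocols should be exactly TLSv1.2 TLSv1.3"
                 + (f" (found {' '.join(weak)})" if weak else " (not set)"))
    max_age = _int(conf, "ssl-hsts-max-age", "0")
    if max_age is None or max_age < ONE_YEAR_SECONDS:
        f.append(f"rserver.conf: ssl-hsts-max-age should be >= {ONE_YEAR_SECONDS}")
    if conf.get("www-same-site", "").lower() not in ("lax", "strict"):
        f.append("rserver.conf: www-same-site should be lax or strict")
    return f


def audit_launcher(conf):
    f = []
    if conf.get("enable-ssl") != "1":
        f.append("launcher.conf: enable-ssl should be 1")
    for key in ("certificate-file", "certificate-key-file"):
        if not conf.get(key):
            f.append(f"launcher.conf: {key} is not set")
    return f


def audit_database(conf):
    parts = urlsplit(conf.get("connection-uri", ""))
    if parts.scheme != "postgresql":
        return ["database.conf: connection-uri is not a postgresql:// URI"]
    f, params = [], parse_qs(parts.query)
    for key in ("sslcert", "sslkey", "sslrootcert"):
        if not params.get(key):
            f.append(f"database.conf: connection-uri lacks {key}")
    # libpq defaults to sslmode=prefer, which ignores sslrootcert; verify-full also pins the host name.
    if params.get("sslmode") != ["verify-full"]:
        f.append("database.conf: connection-uri should include sslmode=verify-full")
    return f


def audit_all(files, expected_origin):
    """files maps config file name -> file text; returns the list of findings (empty = clean)."""
    return (audit_rsession(parse_conf(files.get("rsession.conf", "")))
            + audit_rserver(parse_conf(files.get("rserver.conf", "")), expected_origin)
            + audit_launcher(parse_conf(files.get("launcher.conf", "")))
            + audit_database(parse_conf(files.get("database.conf", ""))))


# Sample input constructed from the configuration shown on this page.
BASELINE = {
    "rsession.conf": "allow-external-publish=0\nrestrict-directory-view=1\n",
    "rserver.conf": ("auth-required-user-group=rstudio-users\nauth-timeout-minutes=20\n"
                     "ssl-enabled=1\nssl-certificate=/var/certs/your_domain_name.crt\n"
                     "ssl-certificate-key=/var/certs/your_domain_name.key\n"
                     "ssl-protocols=TLSv1.2 TLSv1.3\nssl-hsts-max-age=31536000\n"
                     "ssl-hsts-include-subdomains=1\nwww-enable-origin-check=1\n"
                     "www-allow-origin=mysubdomain.mydomain.com\nwww-same-site=lax\n"
                     "www-frame-origin=none\nlauncher-use-ssl=1\n"),
    "launcher.conf": ("enable-ssl=1\ncertificate-file=/var/certs/your_domain_name.crt\n"
                      "certificate-key-file=/var/certs/your_domain_name.key\n"),
    "database.conf": ("connection-uri=postgresql://postgresuser@mysubdomain.mydomain.internal:5432/rstudio"
                      "?sslcert=/etc/ssl/certs/postgresql/postgresql.crt"
                      "&sslkey=/etc/ssl/certs/cacert/postgresql/postgresql.key"
                      "&sslrootcert=/etc/ssl/certs/cacert/postgresql/root.crt\n"),
}
# Constructed weakened variant: legacy TLS re-enabled, long idle timeout, framing allowed.
WEAKENED = dict(BASELINE)
WEAKENED["rserver.conf"] = (BASELINE["rserver.conf"]
                            .replace("auth-timeout-minutes=20", "auth-timeout-minutes=120")
                            .replace("ssl-protocols=TLSv1.2 TLSv1.3", "ssl-protocols=TLSv1 TLSv1.2")
                            .replace("www-frame-origin=none", "www-frame-origin=same"))

if __name__ == "__main__":
    if len(sys.argv) > 1:  # audit a real /etc/rstudio directory (missing files count as empty)
        files = {}
        for name in CONF_FILES:
            path = os.path.join(sys.argv[1], name)
            files[name] = open(path, encoding="utf-8").read() if os.path.exists(path) else ""
        findings = audit_all(files, sys.argv[2] if len(sys.argv) > 2 else "")
    else:
        findings = audit_all(WEAKENED, "mysubdomain.mydomain.com")
    print("\n".join(findings) or "no findings")
    sys.exit(1 if findings else 0)
```

Run against the page's own configuration the script reports only the missing `sslmode=verify-full`; against the weakened copy it additionally flags the 120-minute idle timeout, the `TLSv1` protocol and the `www-frame-origin=same` setting. The non-zero exit status makes it easy to wire into a configuration-management run or a CI check for the host.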