12 Security & Auditing
12.1 Browser Security
There are a variety of security settings that can be configured in RStudio Package Manager. Some of these settings are enabled by default but can be customized while others are opt-in. Below are some of the security features worth considering.
12.1.1 Guaranteeing HTTPS
If you can guarantee that your server should only ever be accessed over a
TLS/SSL connection (HTTPS), then you can consider enabling the
setting. This elevates the security of your server by requiring that future
interactions between your users and this server must be encrypted.
Enabling this setting may keep users from being able to access your RStudio Package Manager instance if you later disable HTTPS or if your certificate expires. Use this setting only if you will permanently provide a valid TLS/SSL certificate on this server.
Behind the scenes, this makes two changes:
- Introduces HTTP Strict Transport Security (HSTS) by adding a Strict-Transport-Security HTTP header with a max-age set to 30 days. HSTS ensures that your users’ browsers will not trust a service hosted at this location unless it is protected with a trusted TLS/SSL certificate.
- Enforces the Secure flag on cookies that are set. This prohibits your users’ browsers from sending their RStudio Package Manager cookies to a server without an HTTPS-secured connection.
12.1.2 Strong HTTPS
Even with HTTPS, you may wish for more constraints on transport settings. Two settings are available to configure HTTPS differently:
HTTPS.MinimumTLS: This setting sets the minimum TLS version. By default, the minimum TLS version supported by RStudio Package Manager is TLS1.1. You can choose to set this configuration setting to “1.2” or back to “1.0”; before doing so, you should check the SSL Labs User Agent List to ensure your browsers will be compatible with the version you select.
HTTPS.ExcludedCiphers: This setting allows you to remove ciphers from the list of ciphers available. This may be useful if your organization has a security policy that disallows certain ciphers to be used.
An example exclusion list could be:
[HTTPS]
Listen = 443
MinimumTLS = 1.2
ExcludedCiphers = TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
ExcludedCiphers = TLS_RSA_WITH_3DES_EDE_CBC_SHA
ExcludedCiphers = TLS_RSA_WITH_AES_128_GCM_SHA256
ExcludedCiphers = TLS_RSA_WITH_AES_256_GCM_SHA384
ExcludedCiphers = TLS_RSA_WITH_AES_128_CBC_SHA256
ExcludedCiphers = TLS_RSA_WITH_AES_128_CBC_SHA
ExcludedCiphers = TLS_RSA_WITH_AES_256_CBC_SHA
ExcludedCiphers = TLS_RSA_WITH_3DES_EDE_CBC_SHA
The strings for the ciphers may be found in the
IANA TLS Parameters List.
For a list of supported ciphers on your platform that may be excluded,
start up RStudio Package Manager and look for the log line beginning
Enabled HTTPS Ciphers:.
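One way to check an exclusion list against the ciphers your platform reports, as an added example that is not part of RStudio Package Manager. The function names, the shortened sample config and the layout of the sample log line after its prefix are assumptions, as is the log line having been captured before any exclusions were configured.

```python
import re

# Constructed sample config: a shortened form of the exclusion list above.
CONFIG = """\
[HTTPS]
Listen = 443
MinimumTLS = 1.2
ExcludedCiphers = TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
ExcludedCiphers = TLS_RSA_WITH_3DES_EDE_CBC_SHA
ExcludedCiphers = TLS_RSA_WITH_AES_128_GCM_SHA256
"""
# Constructed log line. Only the "Enabled HTTPS Ciphers:" prefix comes from the
# guide; the layout after it is assumed, as is capture before any exclusions.
LOG_LINE = ("Enabled HTTPS Ciphers: [TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 "
            "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA "
            "TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA]")
PREFIX = "Enabled HTTPS Ciphers:"
CIPHER_NAME = re.compile(r"\bTLS_[A-Z0-9_]+\b")


def excluded_ciphers(config_text):
    """Collect every ExcludedCiphers value under [HTTPS]; the key repeats."""
    section, found = None, set()
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")
        if sep and section == "https" and key.strip().lower() == "excludedciphers":
            found.add(value.strip().strip('"'))
    return found


def enabled_ciphers(log_line):
    """Pull IANA-style cipher names out of the startup log line."""
    _, sep, rest = log_line.partition(PREFIX)
    return CIPHER_NAME.findall(rest) if sep else []


def audit(config_text, log_line):
    excluded, enabled = excluded_ciphers(config_text), enabled_ciphers(log_line)
    remaining = [c for c in enabled if c not in excluded]
    # Same families the example list removes: static-RSA key exchange and 3DES.
    flagged = [c for c in remaining if c.startswith("TLS_RSA_") or "3DES" in c]
    # Excluded names the platform never listed: likely typos or no-ops.
    unmatched = sorted(excluded - set(enabled))
    return remaining, flagged, unmatched
```

Because the ExcludedCiphers key repeats, a parser that keeps only the last value per key (such as Python's configparser) would silently drop most of the list, which is why the section is read line by line here.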
12.1.3 Using a Secure Proxy
If you would prefer that the RStudio Package Manager process not have access to your TLS/SSL certificates, you may wish to configure a proxy to handle HTTPS requests. To accomplish this:
- Ensure that your Server.Address is set to the proxy address and uses the
true, which will set the Secure flag on all cookies.
true to suppress the warning regarding running RStudio Package Manager over an unsecured connection, because the connection between the client and the proxy will be secured.
- If necessary, enable the HTTPRedirect.Listen option to redirect proxied plain HTTP connections to HTTPS.
NOTE: Because the connection between the proxy and RStudio Package Manager is not secured in this case, please ensure that the proxy and RStudio Package Manager are connecting on a trusted network where an adversary would not be able to capture plain text credentials. For example, many cloud providers allow isolating servers from the internet while permitting load balancers to access them. Please see your cloud provider’s documentation for more details.
12.1.4 Content Sniffing
The Server.ContentTypeSniffing setting can be used to configure the
X-Content-Type-Options HTTP header. This protects your users from a certain
class of malicious
and is enabled by default.
When Server.ContentTypeSniffing is disabled (the default), the X-Content-Type-Options HTTP header will be set to a value of nosniff to tell browsers not to sniff the content type. If it is enabled, no such header will be provided.
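A check for the response headers described in 12.1.1 and 12.1.4, as an added example that is not part of RStudio Package Manager: it confirms the HSTS max-age, the Secure flag on every cookie and the nosniff value. The function name audit_headers, the sample responses and the cookie name are assumptions made for illustration.

```python
import re

THIRTY_DAYS = 30 * 24 * 3600  # the max-age this guide says the setting applies

# Constructed responses; the cookie name "session" is a placeholder.
HARDENED = [
    ("Strict-Transport-Security", "max-age=2592000"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly; Secure"),
    ("X-Content-Type-Options", "nosniff"),
]
WEAK = [
    ("Strict-Transport-Security", "max-age=3600"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
]


def audit_headers(headers):
    """Return findings for a list of (name, value) response header pairs."""
    by_name = {}
    for name, value in headers:
        by_name.setdefault(name.lower(), []).append(value.strip())
    findings = []

    hsts = by_name.get("strict-transport-security")
    if not hsts:
        findings.append("Strict-Transport-Security missing")
    else:
        m = re.search(r"(?:^|;)\s*max-age\s*=\s*\"?(\d+)", hsts[0], re.I)
        if m is None:
            findings.append("Strict-Transport-Security has no max-age")
        elif int(m.group(1)) < THIRTY_DAYS:
            findings.append(f"HSTS max-age {m.group(1)} is under 30 days")

    # Every cookie must carry the Secure attribute (names are case-insensitive).
    for cookie in by_name.get("set-cookie", []):
        pair, *attrs = [part.strip() for part in cookie.split(";")]
        if "secure" not in {a.split("=", 1)[0].strip().lower() for a in attrs}:
            findings.append(f"cookie {pair.split('=', 1)[0]} lacks Secure")

    if [v.lower() for v in by_name.get("x-content-type-options", [])] != ["nosniff"]:
        findings.append("X-Content-Type-Options is not nosniff")
    return findings
```

The header pairs can come from any HTTP client, for example the list returned by getheaders() on a Python http.client response.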
12.1.5 Content Embedding
The X-Frame-Options HTTP header is used to control what content can be
embedded inside other content in a web browser. The relevant attack is commonly
referred to as a “clickjack
involves having your users interact with a sensitive service without their
Some advertised values for this header are not supported across all browsers. RStudio Package Manager does not restrict the values of these headers.
12.1.6 Custom Headers
If you need to include additional HTTP headers that are not covered by any of the
above features, you can include your own custom headers on all responses from
RStudio Package Manager using the Server.CustomHeader setting.
This feature can be used to accommodate various other security practices that are not explicitly available as options elsewhere in RStudio Package Manager. For instance, X-XSS-Protection, Content Security Policy (CSP), HTTP Public Key Pinning (HPKP), and Cross-origin Resource Sharing (CORS) could all be configured using custom headers.
Custom headers are added to the HTTP response early during request processing. Values may later be overwritten or modified by other header settings. This includes both the security preferences described earlier in this chapter and other headers used internally by RStudio Package Manager. You should not depend on a custom header that conflicts with a header already in use by RStudio Package Manager.
The Server.CustomHeader setting takes the header name and its value
separated by a colon. Whitespace surrounding the header name and its value is
trimmed. You can use this setting multiple times, as in the following example:
; /etc/rstudio-pm/rstudio-pm.gcfg
[Server]
CustomHeader = "HeaderA: some value"
CustomHeader = "HeaderB: another value"
12.2 Package Security
RStudio Package Manager allows administrators to decide what packages are allowed into an organization. For CRAN packages, RStudio Package Manager relies on the RStudio Package Service. This service is responsible for creating metadata about the daily changes on CRAN and providing package tar files from CRAN. The metadata and package files are reviewed and tested for consistency and accuracy. The service does not run any security checks. CRAN itself, prior to accepting new packages or package updates, runs a series of checks that include package installation and compatibility tests.
RStudio maintains a package security blog and RSS feed. In the event that a malicious CRAN package is identified, this blog would be updated with remediation instructions for all RStudio Package Manager users.