Security - Posit Connect: Administration Guide (2023)

Session management#

Sessions are stored on the server within Posit Connect. Encrypted session cookies, which are stored only on the client, are deprecated because they offer less security.

When you log in to Posit Connect, a browser cookie is used to keep you logged in. See the Session duration limit section for details on the default session length and how to change it.

The server periodically checks the data store for expired cookies and deletes them. This happens once an hour by default, but can be configured via the Authentication.CookieSweepDuration setting. This does not affect the duration of web sessions, which is controlled by the Authentication.Lifetime setting.

API security#

Avoid brute-force and dictionary attacks#

By default, Posit Connect allows unlimited login attempts from any source when using the LDAP, PAM, and password authentication providers. Users log in directly by entering their username and password.

Setting the Authentication.ChallengeResponseEnabled flag to true triggers a CAPTCHA form on the login screen and requires the CAPTCHA to be solved in order to authenticate. Both audio and visual CAPTCHA challenges are provided to meet accessibility requirements.

Hide Posit Connect server version and build information#

By default, Posit Connect sets the Server HTTP header to the Connect version with a commit offset, which looks like this: Posit Connect v1.2.3-1234. If you want to hide this information, set Server.ServerName to an arbitrary value. If you also want to hide the version and build information in the Connect dashboard, set Server.HideVersion to true.

Browser security#

There are a variety of security settings that can be configured on Posit Connect. Some of these settings are enabled by default but can be customized, while others are optional. Below are some of the security features worth considering.

Web sudo mode#

When a user performs a sensitive operation in a web browser (such as creating a new API key), they are prompted to re-enter their credentials. Once the user successfully enters their password, the session enters a privileged state, known internally as "web sudo mode", which allows these sensitive operations to be performed for a specified period of time without re-entering the password. Note that this privileged mode is purely a Posit Connect term and has nothing to do with the server's actual sudo or PAM configuration.

Important

This feature is not available on servers configured to use single sign-on (SSO) via OAuth2, OpenID, SAML, or proxy authentication, as these providers do not have a mechanism to prompt the user to re-enter their password.

For all other authentication providers, the WebSudoMode and WebSudoModeDuration configuration options are available in the section for that provider. If WebSudoMode is set to false, this protection is disabled; effectively, all authenticated users are always in privileged mode. WebSudoModeDuration controls how long a user remains in this privileged mode. In the section for your authentication provider ([Password], [PAM], or [LDAP]), you can configure:

; /etc/rstudio-connect/rstudio-connect.gcfg
; This example uses password authentication. Use PAM or LDAP as appropriate.
[Password]
WebSudoMode = true
WebSudoModeDuration = 10m

In this case, users are prompted for their password before performing a sensitive action, and can then perform further sensitive actions for up to 10 minutes without being prompted. After that point, sensitive actions again require the password.

Regardless of the configuration, web sudo mode never affects calls made outside of a browser with an API key or token.

Session duration limit#

The default configuration of Posit Connect imposes the following limits on authenticated sessions:


  1. Sessions expire after 24 hours, regardless of activity.
  2. Inactive sessions are considered stale and expire after 8 hours.

Once a session is deemed invalid, the user must re-authenticate before continuing to interact with Posit Connect.

These limits align with security best practices, ensuring that users enter their credentials on a daily basis.

The session duration and inactivity threshold are configurable values. Adjust the maximum session lifetime by changing the Authentication.Lifetime setting. Session inactivity is controlled with the Authentication.Inactivity setting.

Configure these session settings in accordance with your organization's security policies.

We use a 24 hour default for Authentication.Lifetime because it means that access is revalidated with your authentication provider (for example, your Active Directory server) at least once a day. The default value of 8 hours for Authentication.Inactivity attempts to prevent a user from having to re-authenticate more than once in a typical business day.

Our first example configuration has shorter limits than the defaults. Users must re-authenticate after being inactive for 30 minutes or once the session has lasted 12 hours. The 30 minute idle limit means that sessions cannot be idle for "more than a lunch break".

; /etc/rstudio-connect/rstudio-connect.gcfg
[Authentication]
Lifetime = 12h
Inactivity = 30m

This second configuration example has longer limits than the defaults. Users must re-authenticate once a week or after a day of inactivity. Be careful with this type of setup; your organization might want users to re-authenticate more frequently.

; /etc/rstudio-connect/rstudio-connect.gcfg
[Authentication]
Lifetime = 7d
Inactivity = 1d
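The following is an added example, not code from the Posit Connect guide or from Posit: it reads the [Authentication] section out of a Connect-style gcfg fragment, parses the duration values (30m, 12h, 7d) the guide uses, and checks them against a simple policy. The section and key names come from the guide; the gcfg parsing rules, the duration grammar and the policy thresholds (the guide's 24h and 8h defaults) are assumptions.

```python
"""Check Authentication.Lifetime / Authentication.Inactivity in a gcfg
fragment against a session policy (added example, not Posit's code)."""
import re
from datetime import timedelta

# Constructed sample, in the style the guide shows (the long-lived variant).
SAMPLE_GCFG = """
; /etc/rstudio-connect/rstudio-connect.gcfg
[Authentication]
Lifetime = 7d
Inactivity = 1d
"""

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_duration(text: str) -> timedelta:
    """Parse durations such as '30m', '12h', '7d' or '1h30m' (assumed grammar)."""
    text = text.strip()
    if not re.fullmatch(r"(\d+[smhd])+", text):
        raise ValueError(f"bad duration: {text!r}")
    seconds = sum(int(n) * _UNITS[u] for n, u in re.findall(r"(\d+)([smhd])", text))
    return timedelta(seconds=seconds)


def parse_gcfg(text: str) -> dict:
    """Minimal gcfg reader: [Section] headers, Key = Value lines, ';' comments.
    Repeated keys collect into a list, since Connect allows repeating some keys
    (the guide shows this for Server.CustomHeader). Quoted values are unquoted."""
    config: dict = {}
    section = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # assumes ';' never appears inside a value
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            config.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            raise ValueError(f"unexpected line outside a section: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        config[section].setdefault(key, []).append(value.strip('"'))
    return config


def check_session_policy(config: dict, max_lifetime="24h", max_inactivity="8h") -> list:
    """Return a list of findings; an empty list means the settings meet the policy.
    Missing keys fall back to the guide's defaults (24h lifetime, 8h inactivity);
    the last occurrence of a repeated key wins (assumption)."""
    auth = config.get("Authentication", {})
    lifetime = parse_duration(auth.get("Lifetime", ["24h"])[-1])
    inactivity = parse_duration(auth.get("Inactivity", ["8h"])[-1])
    findings = []
    if lifetime > parse_duration(max_lifetime):
        findings.append(f"Lifetime {lifetime} exceeds policy maximum {max_lifetime}")
    if inactivity > parse_duration(max_inactivity):
        findings.append(f"Inactivity {inactivity} exceeds policy maximum {max_inactivity}")
    if inactivity > lifetime:
        findings.append("Inactivity exceeds Lifetime, so the inactivity limit never applies")
    return findings


if __name__ == "__main__":
    for finding in check_session_policy(parse_gcfg(SAMPLE_GCFG)):
        print("-", finding)
```

Running the block as-is reports both limits of the sample as exceeding the default policy; pointing `parse_gcfg` at the 12h/30m configuration from the first example returns no findings.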

Posit Connect uses session cookies to track and enforce session duration and inactivity thresholds.

Note

If a user's session expires or is considered stale while an application is running in their browser, that application's process is NOT terminated immediately. Subsequent attempts to interact with the application cause it to be closed, and the user is prompted to re-enter their credentials.

Note

Applications can potentially outlive sessions when opened in solo mode if their timeout setting is greater than Authentication.Inactivity or Authentication.Lifetime. The Scheduler.ConnectionTimeout and Scheduler.ReadTimeout settings set defaults for how long a browser running an application can remain idle. By default, they are set to 1 hour, but individual applications can set higher values regardless of the server settings.

Ensure HTTPS#

If you can guarantee that your server should only be accessed over a TLS/SSL (HTTPS) connection, consider enabling the HTTPS.Permanent setting. This increases the security of your server by requiring that future interactions between your users and that server be encrypted.

Note

Enabling this setting can prevent users from accessing your Posit Connect instance if you later disable HTTPS or if your certificate expires. Use this setting only if you are permanently deploying a valid TLS/SSL certificate on this server.

Behind the scenes, this makes two changes:

  1. It enables HTTP Strict Transport Security (HSTS) by adding a Strict-Transport-Security HTTP header with a max-age of 30 days. HSTS ensures that your users' browsers will not trust a service hosted at that address unless it is protected by a trusted TLS/SSL certificate.

  2. It forces the Secure flag on the cookies it sets. This prevents your users' browsers from sending their Posit Connect cookies to the server over a connection that is not secured with HTTPS.

Strong HTTPS#

You can restrict the version of TLS used by HTTPS. This can help you comply with your organization's security policy.

The HTTPS.MinimumTLS setting specifies the minimum version of TLS. Clients using a lower version of TLS are rejected. The default minimum version of TLS is TLS 1.0. You can set this setting to 1.0, 1.1, 1.2, or 1.3.

We recommend that you verify that the browsers and clients used in your organization support your minimum version of TLS. The SSL Labs list of user agents documents the TLS capabilities of the most popular browsers.

Here is an HTTPS configuration that allows TLS versions 1.2 and higher:

[HTTPS]
Listen = 443
MinimumTLS = 1.2

Note

Some versions of the Windows RCurl package do not support TLS 1.1 or TLS 1.2. Windows users should run options(rsconnect.http = 'curl') to use the curl binary, if installed, instead of the deprecated RCurl package.

Note

Older versions of the RStudio IDE may use web views that do not support TLS 1.1 or TLS 1.2. In that case, trying to pair with Posit Connect without TLS 1.0 opens a blank screen instead of a login window. Open the blue link in the pairing window in your browser or, as a workaround, install a newer version of Posit Connect.

We recommend using a secure proxy if you need finer control over HTTPS.

Use a secure proxy#

If you prefer that the Posit Connect process not have access to your TLS/SSL certificates, you can configure a proxy to handle HTTPS requests. To achieve this:

  • Ensure that Server.Address is configured and uses the proxy address with the https scheme.

  • Set HTTP.ForceSecure to true, which sets the Secure flag on all cookies.

  • Set HTTP.NoWarning to true to suppress the warning about running Posit Connect on an insecure connection, since the connection between the client and the proxy is secure.

  • If needed, enable the HTTPRedirect.Listen option to redirect plain HTTP proxy connections to HTTPS.

Note

Since the connection between the proxy and Posit Connect is not encrypted in this case, ensure that the proxy and Posit Connect are connected over a trusted network where an attacker cannot transparently harvest credentials. For example, many cloud providers allow servers to be isolated from the Internet while still letting load balancers reach them. For more information, see your cloud provider's documentation.

Content sniffing#

The Server.ContentTypeSniffing setting can be used to configure HTTP responses with the X-Content-Type-Options header. This header can protect your users from a specific class of malicious payloads.

When Server.ContentTypeSniffing is disabled (the default), the X-Content-Type-Options HTTP header is set to nosniff. This tells browsers not to inspect the content to try to identify its type.

When Server.ContentTypeSniffing is enabled, the X-Content-Type-Options HTTP header is not sent; browsers are free to inspect the content to determine its type.

Content embedding#

The X-Frame-Options HTTP header is used to control what content can be embedded in other content in a web browser. The relevant attack is commonly known as a "clickjacking attack" and involves your users interacting with a sensitive service without their knowledge.

For the purpose of the X-Frame-Options header, Posit Connect distinguishes between "dashboard" and "user" content. The dashboard is any of the built-in services or assets that ship with Posit Connect. User content is anything uploaded by a user (reports, apps, APIs, etc.).


Server.FrameOptionsContent configures the X-Frame-Options header value for user-submitted content. The default is NONE, which means that the header is not set. This allows user-provided content to be embedded in iframes from anywhere. If you do not intend for others to embed content from your site, you can set it to SAMEORIGIN to ensure that only pages on the same server can embed your users' content. The Posit Connect dashboard itself uses iframes to render user content within the dashboard, so do not set this option to DENY.

Server.FrameOptionsDashboard configures the X-Frame-Options header value for the internal services and assets deployed with Posit Connect; the default is DENY. This means that other websites cannot embed the Posit Connect dashboard. This setting is the more secure one, as it protects against clickjacking attacks on the dashboard, but if you plan to embed the dashboard elsewhere, you may need to adjust it.

Note

Some values advertised for this header are not supported by all browsers. Posit Connect does not restrict the values of these settings.

Same-site cookies#

Posit Connect returns cookies with the SameSite=None attribute by default. This allows content hosted by Posit Connect to be displayed embedded in iframes without additional options. With SameSite=None, each cookie issued by Posit Connect is accompanied by a secondary cookie with a -Legacy suffix in its name and without the SameSite attribute. This second cookie is required for compatibility with some browsers (for example, Safari 12).

Note

If you do not intend to embed Connect-hosted content in an iframe and your organization requires stricter cookie settings, you can configure the Server.SameSite option with the lax value as below:

[Server]
SameSite = "lax"

Custom headers#

If you need to add HTTP headers that are not covered by any of the features above, you can insert your own custom headers into all Posit Connect responses using the Server.CustomHeader setting.

This feature can be used to accommodate other security practices that are not explicitly available as options elsewhere in Connect. For example, X-XSS-Protection, Content Security Policy (CSP), HTTP Public Key Pinning (HPKP), and Cross-Origin Resource Sharing (CORS) can all be configured with custom headers.

Note

Custom headers are added to the HTTP response at the beginning of request processing. Their values can be overridden or changed later by other header configurations. This includes the security settings described earlier in this chapter, as well as other headers used internally by Posit Connect or by application or API frameworks such as Flask, Plumber, or Shiny. You should not rely on a custom header that conflicts with a header Posit Connect already uses.

The Server.CustomHeader setting takes a header name and its value separated by a colon. Whitespace around the header name and its value is trimmed. You can use this setting multiple times, as in the following example:

; /etc/rstudio-connect/rstudio-connect.gcfg
[Server]
CustomHeader = "HeaderA: some value"
CustomHeader = "HeaderB: other value"
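The following is an added example, not code from the Posit Connect guide or from Posit. It serves the Ensure HTTPS, Content sniffing, Content embedding, Same-site cookies and Custom headers sections together: it assembles a response header list the way this chapter describes (custom headers first, headers Connect sets later overriding them) and then audits the result for the Server version string, the HSTS max-age that HTTPS.Permanent uses, the nosniff value, the X-Frame-Options choice for dashboard versus user content, the Secure flag, and the -Legacy twin that accompanies a SameSite=None cookie. Header names and values come from the guide; the sample header values, the cookie name and the override model are constructed assumptions.

```python
"""Model custom-header precedence and audit response headers against the
settings in this chapter (added example, not Posit's code)."""
import re

THIRTY_DAYS = 30 * 24 * 3600  # HSTS max-age that HTTPS.Permanent sets, per the guide


def parse_custom_header(spec: str) -> tuple:
    """Split a Server.CustomHeader value ('Name: value') and trim whitespace."""
    name, sep, value = spec.partition(":")
    if not sep or not name.strip():
        raise ValueError(f"expected 'Name: value', got {spec!r}")
    return name.strip(), value.strip()


def build_headers(custom_specs: list, connect_headers: list) -> tuple:
    """Return (headers, overridden). Custom headers go in first; headers that
    Connect or the app framework sets later replace any with the same name.
    Set-Cookie is additive because one response may carry several cookies."""
    headers = [parse_custom_header(s) for s in custom_specs]
    overridden = []
    for name, value in connect_headers:
        if name.lower() != "set-cookie":
            if any(h[0].lower() == name.lower() for h in headers):
                overridden.append(name)
                headers = [h for h in headers if h[0].lower() != name.lower()]
        headers.append((name, value))
    return headers, overridden


def parse_set_cookie(value: str) -> tuple:
    """Return (cookie name, {attribute: value}) with lower-cased attribute names."""
    first, *rest = [p.strip() for p in value.split(";")]
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return first.split("=", 1)[0], attrs


def audit_headers(headers: list, dashboard: bool = True) -> list:
    """Return findings (empty list = nothing to fix). `dashboard` selects the
    X-Frame-Options expectation: DENY for the dashboard, never DENY for user
    content, because the dashboard renders user content in iframes."""
    findings, by_name, cookies = [], {}, []
    for name, value in headers:
        if name.lower() == "set-cookie":
            cookies.append(parse_set_cookie(value))
        else:
            by_name[name.lower()] = value

    if re.search(r"Connect v\d", by_name.get("server", "")):
        findings.append("Server header exposes the Connect version; set Server.ServerName")

    max_age = re.search(r"max-age=(\d+)", by_name.get("strict-transport-security", ""))
    if not max_age:
        findings.append("Strict-Transport-Security missing; consider HTTPS.Permanent")
    elif int(max_age.group(1)) < THIRTY_DAYS:
        findings.append("HSTS max-age is shorter than the 30 days HTTPS.Permanent uses")

    if by_name.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff; is Server.ContentTypeSniffing enabled?")

    xfo = by_name.get("x-frame-options", "").upper()
    if dashboard and xfo != "DENY":
        findings.append("dashboard should send X-Frame-Options: DENY (Server.FrameOptionsDashboard)")
    if not dashboard and xfo == "DENY":
        findings.append("user content must not use DENY; the dashboard embeds it in iframes")

    names = {c[0] for c in cookies}
    for name, attrs in cookies:
        if "secure" not in attrs:
            findings.append(f"cookie {name} lacks Secure (HTTPS.Permanent or HTTP.ForceSecure)")
        if attrs.get("samesite", "").lower() == "none" and f"{name}-Legacy" not in names:
            findings.append(f"cookie {name} uses SameSite=None without a {name}-Legacy twin")
    return findings


# Constructed sample: a custom CSP plus headers Connect adds later. The custom
# X-Frame-Options is overridden, which is the conflict the guide warns about.
SAMPLE_HEADERS, OVERRIDDEN = build_headers(
    ["Content-Security-Policy: default-src 'self'", " X-Frame-Options : SAMEORIGIN "],
    [
        ("Server", "Posit Connect v1.2.3-1234"),
        ("Strict-Transport-Security", "max-age=2592000"),
        ("X-Content-Type-Options", "nosniff"),
        ("X-Frame-Options", "DENY"),
        ("Set-Cookie", "session=abc123; Path=/; HttpOnly; Secure; SameSite=None"),
        ("Set-Cookie", "session-Legacy=abc123; Path=/; HttpOnly; Secure"),
    ],
)

if __name__ == "__main__":
    print("overridden custom headers:", OVERRIDDEN)
    for finding in audit_headers(SAMPLE_HEADERS):
        print("-", finding)
```

On the sample, the only finding is the exposed version string in the Server header; auditing the same headers as user content (`dashboard=False`) additionally flags the DENY value. To audit a live deployment, replace SAMPLE_HEADERS with the header pairs from an actual response; the checks themselves need no network access.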

Application environment variables#

User-specific environment variables for applications are encrypted on disk and in memory. They are only decrypted when a process is about to start.
