Sessions are saved on the server in Posit Connect. Encrypted session cookies, which are stored only on the client, are deprecated because they offer less security.
When logging into Posit Connect, a browser cookie is used to keep the user logged in. See the Session duration limit section for details on the default session length and how to change it.
The server regularly checks the data store for expired cookies and deletes them. This happens once an hour by default, but can be changed via the `Authentication.CookieSweepDuration` configuration setting. This does not affect the duration of web sessions, which is controlled by the `Authentication.Lifetime` configuration setting.
Avoid brute force and dictionary attacks
By default, Posit Connect allows an unlimited number of login attempts from any source when using the LDAP, PAM, and password authentication providers. Users can log in directly by entering their username and password.
Setting the `Authentication.ChallengeResponseEnabled` flag to `true` triggers a CAPTCHA form on the login screen and requires the CAPTCHA to be solved in order to authenticate. Audio and visual CAPTCHA challenges are provided for accessibility requirements.
Hide Posit Connect server version and build information
By default, Posit Connect sets the `Server` HTTP header to the Connect version and build, which looks like `Posit Connect v1.2.3-1234`. If you want to hide this information, you can configure the `Server.ServerName` setting to an arbitrary value. If you also want to hide the version and build information in the Connect dashboard, you can set the `Server.HideVersion` setting to `true`.
There are a variety of security settings that can be configured on Posit Connect. Some of these settings are enabled by default but can be customized, while others are optional. Below are some of the security features worth considering.
Web sudo mode
When a user performs a sensitive operation in a web browser (such as creating a new API key), they are prompted to re-enter their credentials. Once the user successfully enters their password, the session enters a privileged state, known internally as "web sudo mode", which allows these sensitive operations to be performed for a set period of time without re-entering the password. Note that this privileged mode is a purely internal Posit Connect term and has nothing to do with the actual `sudo` on the server or with the PAM configuration.
This feature is not available on servers configured to use single sign-on (SSO) via OAuth2, OpenID, SAML, or proxy authentication, as these providers do not have a mechanism to prompt the user to re-enter their password.
For all other authentication providers, the `WebSudoMode` and `WebSudoModeDuration` configuration options are available in the section pertaining to that provider. If `WebSudoMode` is set to `false`, then this protection is disabled; effectively, all authenticated users are always in privileged mode.
`WebSudoModeDuration` controls how long a user remains in this privileged mode. In the section pertaining to your authentication provider (such as `[LDAP]`), you can configure:

```ini
; /etc/rstudio-connect/rstudio-connect.gcfg
; This example uses password authentication. Use PAM or LDAP as appropriate.
[Password]
WebSudoMode = true
WebSudoModeDuration = 10m
```
In this case, users would be prompted for their password before performing sensitive actions, and could then perform additional sensitive actions for up to 10 minutes without being prompted. After that point, sensitive actions require re-entering the password.
Regardless of the configuration, sudo web mode never affects calls made outside of a browser with an API token or key.
Session duration limit
The default configuration of Posit Connect imposes the following limits on authenticated sessions:
- Sessions expire after 24 hours, regardless of activity.
- Sessions are considered stale and expire after 8 hours of inactivity.
Once a session is deemed invalid, the user must re-authenticate before continuing to interact with Posit Connect.
These limits align with security best practices, ensuring that users enter their credentials on a daily basis.
The session duration and inactivity threshold are configurable values. Adjust the maximum session lifetime by changing the `Authentication.Lifetime` setting. Session inactivity is controlled with the `Authentication.Inactivity` setting.
Configure these session settings in accordance with your organization's security policies.
We use a 24 hour default for `Authentication.Lifetime` because it means that access is revalidated with your authentication provider (for example, your Active Directory server) at least once a day. The default value of 8 hours for `Authentication.Inactivity` attempts to prevent a user from having to re-authenticate more than once in a typical business day.
Our first example configuration has shorter limits than the defaults. Users must re-authenticate after 30 minutes of inactivity or after the session has lasted 12 hours. The 30 minute idle limit means that sessions cannot remain idle for "more than a lunch break".

```ini
; /etc/rstudio-connect/rstudio-connect.gcfg
[Authentication]
Lifetime = 12h
Inactivity = 30m
```

This second example configuration has longer limits than the defaults. Users must re-authenticate once a week or after a day of inactivity. Be careful with this type of setup; your organization might want users to re-authenticate more frequently.

```ini
; /etc/rstudio-connect/rstudio-connect.gcfg
[Authentication]
Lifetime = 7d
Inactivity = 1d
```
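As an added example (Python, not part of the Posit Connect documentation or product), the following models how `Authentication.Lifetime` and `Authentication.Inactivity` jointly bound a session, replaying a constructed day of activity against the defaults and the two example configurations above; the duration parser follows the `12h`/`30m`/`7d` syntax used in these examples.

```python
from datetime import datetime, timedelta
import re

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

def parse_duration(text):
    """Parse gcfg-style durations such as '30m', '12h', '7d' or '1h30m'."""
    text = text.strip()
    parts = re.findall(r"(\d+)([smhd])", text)
    if not parts or "".join(n + u for n, u in parts) != text:
        raise ValueError(f"bad duration: {text!r}")
    return timedelta(seconds=sum(int(n) * _UNITS[u] for n, u in parts))

def session_valid(created, requests, now, lifetime, inactivity):
    """Replay a session against both bounds: Lifetime counts from creation regardless
    of activity, Inactivity counts from the most recent request. Once either bound is
    crossed the session is dead and a later request cannot revive it."""
    last = created
    for t in [r for r in sorted(requests) if r <= now] + [now]:
        if t - created > lifetime:
            return False, "lifetime"
        if t - last > inactivity:
            return False, "inactivity"
        last = t
    return True, "ok"

def evaluate(config, created, requests, now):
    # config is an [Authentication] section given as {"Lifetime": ..., "Inactivity": ...}
    return session_valid(created, requests, now,
                         parse_duration(config["Lifetime"]),
                         parse_duration(config["Inactivity"]))

# The defaults and the two example configurations from this section.
DEFAULTS = {"Lifetime": "24h", "Inactivity": "8h"}
STRICT = {"Lifetime": "12h", "Inactivity": "30m"}
LOOSE = {"Lifetime": "7d", "Inactivity": "1d"}

def demo(hours_later=13):
    """Constructed scenario: log in at 09:00, use Connect at 09:10 and 11:00,
    then return `hours_later` hours after login (default: 22:00 the same day)."""
    t0 = datetime(2024, 1, 8, 9, 0)
    hits = [t0 + timedelta(minutes=10), t0 + timedelta(hours=2)]
    now = t0 + timedelta(hours=hours_later)
    return {name: evaluate(cfg, t0, hits, now)
            for name, cfg in [("defaults", DEFAULTS), ("strict", STRICT), ("loose", LOOSE)]}

if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:8} valid={ok} ({why})")
```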
Posit Connect uses session cookies to track and enforce session duration and inactivity thresholds.
If a user's session times out or is considered idle while an application is running in their browser, that application's process is not terminated immediately. Subsequent attempts to interact with the app will result in it being closed and the user being prompted to re-enter their credentials.
Applications can potentially outlive sessions when opened in solo mode if their timeout settings are greater than `Authentication.Inactivity` or `Authentication.Lifetime`. The `Scheduler.ConnectionTimeout` and `Scheduler.ReadTimeout` settings establish default values for how long a browser running an application can remain idle. By default, they are set to 1 hour, but individual applications can set higher values regardless of server settings.
If you can guarantee that your server should only be accessed over a TLS/SSL (HTTPS) connection, consider enabling the `HTTPS.Permanent` setting. This increases the security of your server by requiring that future interactions between your users and that server be encrypted.
Enabling this setting can prevent users from accessing your Posit Connect instance if you later disable HTTPS or if your certificate expires. Use this setting only if you are permanently deploying a valid TLS/SSL certificate on this server.
Behind the scenes, this makes two changes:
- Enables HTTP Strict Transport Security (HSTS) by adding a `Strict-Transport-Security` HTTP header with a `max-age` set to 30 days. HSTS ensures that a service hosted at that address is not trusted by its users' browsers unless it is protected with a trusted TLS/SSL certificate.
- Sets the `Secure` flag on cookies. This prevents your users' browsers from sending their Posit Connect cookies to a server without a secure HTTPS connection.
You can restrict the version of TLS used by HTTPS. This can help you comply with your organization's security policy.
The `HTTPS.MinimumTLS` setting specifies the minimum version of TLS. Clients using a lower version of TLS will be rejected. The default minimum version of TLS is TLS 1.0. You can set this setting to 1.0, 1.1, 1.2, or 1.3.
We recommend that you verify that the browsers and clients used in your organization support your minimum version of TLS. The SSL Labs user agent list documents the TLS capabilities of the most popular browsers.
Here is an HTTPS configuration that allows TLS versions 1.2 and higher:
```ini
[HTTPS]
Listen = 443
MinimumTLS = 1.2
```
Some Windows versions of the `RCurl` package do not support TLS 1.1 or TLS 1.2. Windows users should run `options(rsconnect.http = 'curl')` to use the `curl` binary, if installed, instead of the deprecated `RCurl` package.
Older versions of the RStudio IDE may use web views that are not TLS 1.1 or TLS 1.2 compliant. In that case, trying to pair Posit Connect without TLS 1.0 would open a blank screen instead of a login window. Open the blue link in the pairing window in your browser or, as a workaround, install a newer version of Posit Connect.
We recommend using a secure proxy if you need finer control over HTTPS.
Use a secure proxy
If you prefer that the Posit Connect process not have access to your TLS/SSL certificates, you can configure a proxy to handle HTTPS requests. To achieve this:
- Ensure that your `Server.Address` setting is configured and uses the proxy's address.
- Set `HTTPS.Permanent` to `true`, which sets the `Secure` flag on all cookies.
- Set to `true` the option that suppresses the warning about running Posit Connect over an insecure connection, since the connection between the client and the proxy is secure.
- If necessary, enable the `HTTPRedirect.Listen` option to redirect plain HTTP proxy connections to HTTPS.
Since the connection between the proxy and Posit Connect is not secure in this case, ensure that the proxy and Posit Connect are connected on a trusted network where an attacker cannot transparently harvest credentials. For example, many cloud providers allow servers to be isolated from the Internet and allow load balancers to access them. For more information, see your cloud provider's documentation.
The `Server.ContentTypeSniffing` setting can be used to configure HTTP responses with the `X-Content-Type-Options` header. This header can protect your users from a specific class of malicious payloads.
When `Server.ContentTypeSniffing` is disabled (the default), the `X-Content-Type-Options` HTTP header takes the value `nosniff`. This tells browsers not to examine the content to try to identify its type.
When `Server.ContentTypeSniffing` is enabled, the `X-Content-Type-Options` HTTP header is not sent; browsers are free to analyze the content to determine its type.
The `X-Frame-Options` HTTP header is used to control what content can be embedded in other content in a web browser. The relevant attack is commonly known as a "clickjacking attack" and involves your users interacting with a sensitive service without their knowledge.
For the purposes of the `X-Frame-Options` header, Posit Connect differentiates between "dashboard" and "user" content. The dashboard is any of the built-in services or assets that ship with Posit Connect. User content is anything uploaded by a user (reports, apps, APIs, etc.).
The `X-Frame-Options` header value for user-provided content defaults to `NONE`, which means that the header is not set. This allows user-provided content to be embedded in iframes from anywhere. If you do not intend for other users to embed content on your sites, you can set it to a value of `SAMEORIGIN` to ensure that only sites on the same server can embed your users' content. The Posit Connect dashboard itself uses iframes to render user content in the dashboard, so setting this option to
The `X-Frame-Options` header value for internal services and assets deployed with Posit Connect defaults to `DENY`. This means that other websites cannot embed the Posit Connect dashboard. This setting is more secure, as it protects against clickjacking attacks on the Connect dashboard, but if you plan to embed the dashboard elsewhere, you may need to adjust this setting.
Some values advertised for this header are not supported by all browsers. Posit Connect does not restrict the values of these headers.
SameSite cookies
Posit Connect returns cookies with the `SameSite=None` attribute by default. This allows content hosted by Posit Connect to be displayed embedded in iframes without additional options. With `SameSite=None`, each cookie issued by Posit Connect comes with a secondary cookie that carries a `-Legacy` suffix in its name and has no `SameSite` attribute. This second cookie is required for compatibility with some browsers (e.g. Safari 12).
If you do not intend to embed Connect-hosted content in an iframe and your organization requires stricter cookie settings, you can configure the `Server.SameSite` option with the `Lax` value as below:

```ini
[Server]
SameSite = "Lax"
```
If you need to add HTTP headers that are not covered by any of the above features, you can insert your own custom headers into all Posit Connect responses using the `Server.CustomHeader` setting.
This feature can be used to accommodate other security practices that are not explicitly available as options elsewhere in Connect. For example, `X-XSS-Protection`, Content Security Policy (CSP), HTTP Public Key Pinning (HPKP), and Cross-Origin Resource Sharing (CORS) can all be configured with custom headers.
Custom headers are added to the HTTP response at the beginning of request processing. The values can be overridden or changed later by other header configurations. This includes the security settings described earlier in this chapter, as well as other headers used internally by Posit Connect or by applications or API frameworks such as Flask, Plumber, or Shiny. You should not rely on a custom header that conflicts with a header already used by Posit Connect.
`Server.CustomHeader` takes a header name and its value separated by a colon. Spaces around the header name and its value are trimmed. You can use this setting multiple times, as in the following example:

```ini
; /etc/rstudio-connect/rstudio-connect.gcfg
[Server]
CustomHeader = "HeaderA: any value"
CustomHeader = "HeaderB: other value"
```
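As an added example (Python, not part of the Posit Connect documentation or product), the following audits a captured set of response headers against the settings discussed above for `HTTPS.Permanent`, `Server.ContentTypeSniffing`, `X-Frame-Options`, `Server.SameSite` and `Server.ServerName`; the two sample responses and their cookie names are constructed, not taken from a real server.

```python
import re

def _cookie_attrs(set_cookie):
    parts = [p.strip() for p in set_cookie.split(";")]
    attrs = {}
    for p in parts[1:]:
        key, _, value = p.partition("=")
        attrs[key.lower()] = value
    return parts[0].split("=", 1)[0], attrs   # (cookie name, {attr_lower: value})

def audit(headers):
    """headers: list of (name, value) pairs as received. Returns sorted findings."""
    by_name = {}
    for name, value in headers:
        by_name.setdefault(name.lower(), []).append(value)
    first = lambda h: by_name.get(h, [""])[0]
    findings = set()
    # HTTPS.Permanent adds Strict-Transport-Security with a max-age of 30 days.
    m = re.search(r"max-age=(\d+)", first("strict-transport-security"))
    if not m or int(m.group(1)) < 30 * 24 * 3600:
        findings.add("hsts-missing-or-short")
    if first("x-content-type-options").lower() != "nosniff":
        findings.add("content-sniffing-allowed")   # ContentTypeSniffing enabled
    if "x-frame-options" not in by_name:
        findings.add("framing-unrestricted")       # embeddable in iframes anywhere
    for set_cookie in by_name.get("set-cookie", []):
        cookie, attrs = _cookie_attrs(set_cookie)
        if "secure" not in attrs:
            findings.add(f"cookie-not-secure:{cookie}")
        if attrs.get("samesite", "").lower() == "none":
            findings.add(f"cookie-samesite-none:{cookie}")
    if re.search(r"Connect v\d", first("server")):
        findings.add("server-version-disclosed")   # Server.ServerName left default
    return sorted(findings)

# Constructed responses: one resembling the defaults in this chapter, one hardened.
DEFAULT_LIKE = [
    ("Server", "Posit Connect v1.2.3-1234"),
    ("X-Content-Type-Options", "nosniff"),
    ("Set-Cookie", "session=abc123; Path=/; SameSite=None"),
    ("Set-Cookie", "session-Legacy=abc123; Path=/"),
]
HARDENED = [
    ("Server", "webserver"),
    ("Strict-Transport-Security", "max-age=2592000"),
    ("X-Content-Type-Options", "nosniff"),
    ("X-Frame-Options", "DENY"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; SameSite=Lax"),
]
```

Running `audit(DEFAULT_LIKE)` lists the points this chapter's settings address, while `audit(HARDENED)` returns no findings.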
Application environment variables
User-specific environment variables for applications are encrypted on disk and in memory. They are only decrypted when a process is about to start.