Chapter 22. Security
Most Shiny apps are deployed within a company firewall, and since you can generally assume that your colleagues aren’t going to try and hack your app, you don’t need to think about security. If, however, your app contains data that only some of your colleagues should be able to access, or you want to expose your app to the public, you will need to spend some time on security. When securing your app, there are two main things to protect:
- Your data: you want to make sure an attacker can’t access any sensitive data.
- Your compute resources: you want to make sure an attacker can’t mine bitcoin or use your server as part of a spam farm.
Fortunately, your job is made a little easier because security is a team sport. Whoever deploys your app is responsible for security between apps, ensuring that app A can’t access the code or data in app B, and can’t steal all the memory and compute power on the server. Your responsibility is the security within your app, making sure that an attacker can’t abuse your app to achieve their ends. This chapter will give the basics of securing your Shiny app, broken down into securing your data and securing your compute resources.
If you’re interested in learning a little more about security and R in general, I highly recommend “R and Security”, Colin Gillespie’s entertaining and educational useR! 2019 talk. Let’s begin by loading shiny:
library(shiny)
Data
The most sensitive data is stuff like personally identifying information (PII), ...