R Shiny and use of port 3838: a security vulnerability?

Daniella · March 25, 2019, 8:43pm

Hi guys

I've been working with Shiny for a few months now and it has completely revolutionized my job - it is amazing! However, just before launching a new shiny app, one in our IT staff said that Shiny might not be secure enough to use with sensitive data. We've established a Shiny server on Redhat, using port 3838 and according to the IT guy, this may pose a security threat, implying that someone may be able to get hold of the raw data, which would be a catastrophe for us. Our Shiny app should not require log in, it's supposed to be publicly available.

Questions:

Is port 3838 a security vulnerability?
Are there any means to eliminate the vulnerability? Best practices?
Alternatives that are safe and secure?

I have googled and stack-overflowed, still no satisfying answer. So, very grateful for any conclusive advice.

iain · March 26, 2019, 12:57pm

Hi,

I have never heard this concern before. Shiny is used in a lot of companies across a lot of different industries.

If your data is sensitive, it might be worth exploring the RStudio Connect platform that can handle authentication and other IT requirements or the ShinyProxy (https://www.shinyproxy.io/)

Cheers,

Iain

haozhu233 · March 26, 2019, 2:48pm

You can change this port number by editing the config file
https://docs.rstudio.com/shiny-server/#default-configuration

You can also setup an nginx proxy server on the same server where your shiny server exists so shiny server is running behind nginx.

https://docs.rstudio.com/connect/admin/running-a-proxy.html#nginx-configuration

cole · March 26, 2019, 5:05pm

Yeah, I have definitely never heard of port 3838 being "a security vulnerability." As was mentioned above, that is just the default, which can be changed. When you say "used with sensitive data," I immediately start to think about authentication / etc., which I know you mentioned is not a concern. It would probably benefit you (and the discussion here) to dig a bit more into understanding your IT team's concerns. Rest assured that many people and organizations are using Shiny with sensitive data.

The only "port vulnerabilities" are usually the "privileged ports" from 1-1023. The things that an IT team is normally more concerned with is the use of HTTPS, scaling, access controls, cross-origin requests, etc. All of those things can be managed yourself in Shiny / Shiny Server / nginx, or configured in professional/paid software like RStudio Connect.

system · April 16, 2019, 5:06pm

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.

If you have a query related to it or one of the replies, start a new topic and refer back with a link.