R Shiny and use of port 3838: a security vulnerability?

Hi guys

I've been working with Shiny for a few months now and it has completely revolutionized my job - it is amazing! However, just before launching a new Shiny app, one of our IT staff said that Shiny might not be secure enough to use with sensitive data. We've established a Shiny server on Red Hat, using port 3838, and according to the IT guy, this may pose a security threat, implying that someone may be able to get hold of the raw data, which would be a catastrophe for us. Our Shiny app should not require login; it's supposed to be publicly available.

Questions:

  • Is port 3838 a security vulnerability?
  • Are there any means to eliminate the vulnerability? Best practices?
  • Alternatives that are safe and secure?

I have googled and stack-overflowed, still no satisfying answer. So, very grateful for any conclusive advice.

Hi,

I have never heard this concern before. Shiny is used in a lot of companies across a lot of different industries.

If your data is sensitive, it might be worth exploring the RStudio Connect platform, which can handle authentication and other IT requirements, or ShinyProxy (https://www.shinyproxy.io/).

Cheers,

Iain

You can change this port number by editing the config file:
https://docs.rstudio.com/shiny-server/#default-configuration

You can also set up an nginx proxy server on the same server where your Shiny server exists, so Shiny Server is running behind nginx.

https://docs.rstudio.com/connect/admin/running-a-proxy.html#nginx-configuration

3 Likes

Yeah, I have definitely never heard of port 3838 being "a security vulnerability." As was mentioned above, that is just the default, which can be changed. When you say "used with sensitive data," I immediately start to think about authentication / etc., which I know you mentioned is not a concern. It would probably benefit you (and the discussion here) to dig a bit more into understanding your IT team's concerns. Rest assured that many people and organizations are using Shiny with sensitive data.

The only "port vulnerabilities" are usually the "privileged ports" from 1-1023. The things that an IT team is normally more concerned with are the use of HTTPS, scaling, access controls, cross-origin requests, etc. All of those things can be managed yourself in Shiny / Shiny Server / nginx, or configured in professional/paid software like RStudio Connect.

1 Like
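
The nginx-in-front setup and the HTTPS point raised in the replies above, as an added example that is not from any poster or from the RStudio documentation verbatim. The hostname and certificate paths are placeholders, and it assumes Shiny Server has been bound to loopback in shiny-server.conf so that port 3838 is reachable only through nginx.

```nginx
# Added example; hostname and certificate paths are placeholders.
# Assumes shiny-server.conf binds Shiny Server to loopback only:
#     listen 3838 127.0.0.1;
# and that the host firewall does not expose 3838 externally.

# This fragment goes inside the http { } block of nginx.conf.

# Shiny uses WebSockets; pass the Upgrade handshake through.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# Redirect plain HTTP to HTTPS so sessions are never sent in clear text.
server {
    listen 80;
    server_name shiny.example.org;                              # placeholder
    return 301 https://$host$request_uri;
}

# TLS terminates here; only nginx talks to Shiny Server on 3838.
server {
    listen 443 ssl;
    server_name shiny.example.org;                              # placeholder

    ssl_certificate     /etc/nginx/tls/shiny.example.org.crt;   # placeholder
    ssl_certificate_key /etc/nginx/tls/shiny.example.org.key;   # placeholder
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://127.0.0.1:3838;
        proxy_redirect / $scheme://$http_host/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_read_timeout 20d;
        proxy_buffering off;
    }
}
```

After reloading both services, `ss -tlnp` on the host should show 3838 listening on 127.0.0.1 only, with 80 and 443 as the externally reachable ports.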