Shiny 4: Protect your shiny app with a password

In this post, we explain how you can password protect apps hosted on Shiny Open Source server.

This tutorial is the fourth in our Shiny AWS series. It builds on the previous tutorials, namely:

  1. Setting up an AWS instance for R
  2. Installing Shiny Server on AWS
  3. Shiny https

As with the other tutorials in the series, this builds on Amazon AWS. But it is easy to adopt it to other cloud services or a local machine. Specifically, in this last part, there is nothing that is AWS-specific.

How can I password-protect my Shiny Open Source server?

You have various options, and here we only cover the simplest one. The ones that come to my mind from the top of my head are:

  1. License Shiny Professional: this is indeed a very valid option if you are using Shiny for a company, or even for academics. Remember that RStudio, the company behind Shiny, offers academic pricing.
  2. Use Apache web server as a gate-keeper, and use Apache’s basic authentication to manage users: This is what we will do in this post. The advantage is that it will take you roughly 5 minutes to do so. However, this simplicity comes at the price of lacking flexibility and usability. For example, users won’t be able to register themselves.
  3. Again, use Apache web server as a gate-keeper, but use any other authentication method. See for example this blog post explaining how to use authO. That’s kind of cool, as you inherit the user-management process from a third-party service.
  4. You could, of course, also use any other web-server to do this. A natural fit would be Node.js.
  5. You could also write a simple web application that handles the authentication part. Depending on your language, you could host it on Apache, Tomcat, Node.js, IIS. For example, you could write a simple php application. Or, you could even write such an application in … R/Shiny.
  6. You could host your application inside a CMS. For example, you could host a WordPress site, where each shiny application is hosted in an iframe of a wordpress page. For example, the ahp application on this very page is integrated into WordPress. Imagine I restricted access to that app to a specific wordpress user group … done!

Password Protection with Apache Basic Authentication

Step 1: Tell Apache to use basic authentication

If you have followed the previous tutorials, protecting you Apache web server is easy. All you need to do is to turn on basic authentication in your apache config file. In nano (or any other text editor), add the following to your apache config file. For instance:


This tells Apache that we require users to be authenticated, and that user/password pairs are stored in a file in /etc/httpd/htpasswd.users .

Specifically, the <Location /> tells apache that all content is protected like this.

Step 2: Install htpasswd

In order to be able to add users and hashed passwords to the password file, you need to install htpasswd, a utility provided by apache.

Step 3: Add users to your password file

However, you cannot add users directly to the file. Instead, you use the htpasswd utility to do that. For example, to create a new user file and add the username “jack” with the password “daniels” to the file /etc/httpd/htpasswd.users:

The first command will create a folder httpd, where we’ll put the password file. The second command creates a new file, and adds users jack with password daniels.

The -c argument tells htpasswd to create new users file. Other users can be added to the existing file in the same way, except that the -c argument is not needed. The same command can also be used to modify the password of an existing user.

Our password file now looks like this:

Note that the password is hashed and not human-readable anymore.

Step 4: Restart apache and test

Restart your apache server like so:

If all goes well, you’re all set to test your new configuration. Log on to your Shiny server by typing  in your browser (replace the IP with your own, of course). If you do this, you should see a logon pop up:

logon screen

The password box might look different, depending on your browser.

And that’s it! Again, this is a very basic form of password-protecting your shiny apps. User-created accounts, log-out, changing passwords, etc. are not possible out of the box. However, if you don’t have many users, and usability and aesthetics are not your main concern, this might do the trick. And there’s lots of room for improvements. For instance, a natural extension would be to use different password files per shiny app. This is possible, of course, using different Location tags.

I hope you liked this tutorial!

10 thoughts on “Shiny 4: Protect your shiny app with a password”

Leave a Reply