Shiny 4: Protect your shiny app with a password 11

In this post, we explain how you can password protect apps hosted on Shiny Open Source server.This tutorial is the fourth and final in our Shiny AWS series. It builds on the previous tutorials, namely:

  1. Setting up an AWS instance for R
  2. Installing Shiny Server on AWS
  3. Shiny https
  4. Shiny password protection (this one)

As with the other tutorials in the series, this builds on Amazon AWS. But it is easy to adopt it to other cloud services or a local machine. Specifically, in this last part, there is nothing that is AWS-specific.

How can I password-protect my Shiny Open Source server?

You have various options, and here we only cover the simplest one. The ones that come to my mind from the top of my head are:

  1. License Shiny Professional: this is indeed a very valid option if you are using Shiny for a company, or even for academics. Remember that RStudio, the company behind Shiny, offers academic pricing.
  2. Use Apache web server as a gate-keeper, and use Apache’s basic authentication to manage users: This is what we will do in this post. The advantage is that it will take you roughly 5 minutes to do so. However, this simplicity comes at the price of lacking flexibility and usability. For example, users won’t be able to register themselves.
  3. Again, use Apache web server as a gate-keeper, but use any other authentication method. See for example this blog post explaining how to use authO. That’s kind of cool, as you inherit the user-management process from a third-party service.
  4. You could, of course, also use any other web-server to do this. A natural fit would be Node.js.
  5. You could also write a simple web application that handles the authentication part. Depending on your language, you could host it on Apache, Tomcat, Node.js, IIS. For example, you could write a simple php application. Or, you could even write such an application in … R/Shiny.
  6. You could host your application inside a CMS. For example, you could host a WordPress site, where each shiny application is hosted in an iframe of a wordpress page. For example, the ahp application on this very page is integrated into WordPress. Imagine I restricted access to that app to a specific wordpress user group … done!

Password Protection with Apache Basic Authentication

Step 1: Tell Apache to use basic authentication

If you have followed the previous tutorials, protecting you Apache web server is easy. All you need to do is to turn on basic authentication in your apache config file. In nano (or any other text editor), add the following to your apache config file. For instance:


This tells Apache that we require users to be authenticated, and that user/password pairs are stored in a file in /etc/httpd/htpasswd.users .

Specifically, the <Location /> tells apache that all content is protected like this.

Step 2: Install htpasswd

In order to be able to add users and hashed passwords to the password file, you need to install htpasswd, a utility provided by apache.

Step 3: Add users to your password file

However, you cannot add users directly to the file. Instead, you use the htpasswd utility to do that. For example, to create a new user file and add the username “jack” with the password “daniels” to the file /etc/httpd/htpasswd.users:

The first command will create a folder httpd, where we’ll put the password file. The second command creates a new file, and adds users jack with password daniels.

The -c argument tells htpasswd to create new users file. Other users can be added to the existing file in the same way, except that the -c argument is not needed. The same command can also be used to modify the password of an existing user.

Our password file now looks like this:

Note that the password is hashed and not human-readable anymore.

Step 4: Restart apache and test

Restart your apache server like so:

If all goes well, you’re all set to test your new configuration. Log on to your Shiny server by typing  in your browser (replace the IP with your own, of course). If you do this, you should see a logon pop up:

logon screen

The password box might look different, depending on your browser.

And that’s it! Again, this is a very basic form of password-protecting your shiny apps. User-created accounts, log-out, changing passwords, etc. are not possible out of the box. However, if you don’t have many users, and usability and aesthetics are not your main concern, this might do the trick. And there’s lots of room for improvements. For instance, a natural extension would be to use different password files per shiny app. This is possible, of course, using different Location tags.

I hope you liked this tutorial!

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

11 thoughts on “Shiny 4: Protect your shiny app with a password

  • keberwein

    Nicely done. I believe you’d also need to edit shiny-server.conf to only listen to 3838 on localhost… Otherwise users could specify and bypass the login screen.

    • gluc Post author

      You can provide the protected URL after the Location tag. You can also add multiple location sections to your file. See here for details.

      • Christopher Tull

        First off, brilliant series of posts! Thank you so much for doing this.

        Second, the link you reference specifically says

        ” sections operate completely outside the filesystem. This has several consequences. Most importantly, directives should not be used to control access to filesystem locations. Since several different URLs may map to the same filesystem location, such access controls may by circumvented.”

        What should I make of this? I have little server experience, but I am trying to figure out the best way to serve the same shiny app to multiple users, where each user accesses different data.

        • gluc Post author

          In apache (as in most web servers), there are two different dimensions: file system and URL. To protect certain folders on your file-system from access, you use the Directory directive. To protect certain URLs, you need the Location directive. The Shiny server serves requests dynamically, so you’ll need the Location directive for that.

  • Soleil

    Hi Gluc. Very very interesting post! I’d like to ask you one advice. I am a therapist and I am developing a professional website on WordPress. I would like my customers to be able to register through WordPress to have secure access to their personal area. I am thinking about integrating a Shiny application so that each customer could be able to record regularly some personal information and visualize some temporal trends in their health evolution. I wonder if you have any idea to make the link between WordPress and Shiny so that each customer access its personal data in Shiny once he is logged in via WordPress. Thanks in advance !

  • Paul Lintilhac

    I followed this tutorial exactly but when I try to hit the url, after entering in the username and password, it loads partially before turning grey and then giving the error VM596:35 WebSocket connection to 'wss://' failed: Error during WebSocket handshake: Unexpected response code: 400. It appears that there needs to be some additional configuration in order to get the websocket to work. I have opened an ticket and will let you know if I solve it.

    • gluc Post author

      If this is in relation with RStudio, then this additional apache config might help:

      ProxyPass /p/7000/websocket/ ws://
      ProxyPassReverse /p/7000/websocket/ ws://

      And make sure you start your app using that port, e.g.

      runApp(‘inst/gui/shiny’, port = 7000)

  • Usman Suleman

    Thanks for your article … it helped me understand the mechanics of user authentication and password protection.
    A question: Do you know of a way to pass the userid of the signed-on user to the shiny app?