Shiny Server Pro Release History



  • Added floating license support through the new license_type configuration directive. The floating licensing model makes it easier for multiple instances of Shiny Server to share a license, such as in cloud environments.


  • Fix a rare crash that can occur when a logged out user has a second browser
    tab open with an app that's trying to reconnect.
  • Fix several bugs in license-manager


  • Upgrade to Node.js v6.10.3.
  • Upgrade to pandoc
  • Refactor scheduler code to make enforcement of connection limits more robust.
  • Utilization scheduler behavior is more intuitive, especially around connection limits and load factor.
  • Add `log_file_mode` directive; set this to 0644 to allow application log files to be globally readable.
  • When using `auth_pam`, login can be slow if the user is part of many groups and/or those groups have many users. This release does not speed up the login process, but it does prevent slow logins from tying up other requests, by performing the group retrieval on a worker thread.
  • Fix bug where LDAP returns no groups when username contains a backslash.


  • Fix bug where using `frame_options` directive would cause a crash.
  • Upgrade to Node.js v6.10.0


  • Fix bug where network connectivity issues with LDAP servers could cause a crash. Also, eagerly close connection between LDAP client and server when no longer needed.


  • Improve robustness with unfriendly proxy configurations. This had regressed some time between 1.4.3 and 1.4.7.


  • Upgrade to Node.js v6.9.1, and upgrade all npm dependencies. While no distinct features or significant bug fixes result from this upgrade, catching up to the current Node.js release is critical for the long-term health of our codebase.
  • SSL/TLS connections now support forward secrecy.
  • Fix bug where R processes would not be cleaned up if an HTTP request was prematurely closed.
  • Fix bug introduced in 1.4.7 where user could be logged out spontaneously, especially in interactive Rmd documents that contain many embedded sub-apps.
  • Fix bug where low-level network errors communicating with LDAP servers could cause a crash.


  • Add auto-reconnect capabilities. Can be disabled via `reconnect false;` config option (replaces `disable_reconnect true;`).
  • Upgrade to Node.js v0.10.47 (security patches).
  • Fix bug where running the admin dashboard behind a reverse proxy would cause problems with "Kill Process" and "Kill Connection" buttons, requiring ugly proxy rules to workaround. These should no longer be required.
  • The bookmarkable state feature in Shiny v0.14 is now officially supported. Use the `bookmark_state_dir` directive to store bookmarked sessions in a specific location (default is /var/lib/shiny-server/bookmarks).


Bug fix release.

  • Fix a bug where a 404 response on some URLs could cause the server to exit with an unhandled exception.


Security release to fix minor issues raised in penetration test results.

  • Add `disable_login_autocomplete` directive that can be used to instruct browsers not to attempt to autocomplete on the login screen. Note that servers can only suggest this behavior to browsers (and in particular, Google Chrome chooses not to comply, as its developers argue that disabling autocomplete decreases security rather than increasing it).
  • Add opt-in clickjacking protection via `frame_options` directive. Login and /admin URLs now served with `X-Frame-Options: DENY` (the former can be opted out with an `auth_frame_options allow;` directive).
  • Fix open redirection on __login__. Previously, a URL created with malicious intent could cause you to go to an arbitrary URL after successful login. Now, it is only possible to be redirected to a path on Shiny Server.
  • Add Cross-Site Request Forgery (CSRF) protection to login and other POST operations.


  • Fix fatal EBADF error that could cause server crashes.
  • Updated PAM integration to resolve bug with asynchronous PAM modules like pam_ldap, pam_vas, and nss_ldap.
  • Upgrade to Node.js v0.10.46 (security patches).


  • Added proxied authentication mechanism via the `auth_proxy` option.
  • Upgrade to Node.js v0.10.45 (primarily for updated OpenSSL).


  • Bug fix: Updates to license manager to increase stability
  • Update the list of preferred SSL ciphers to be in line with current best practices.
  • Add `set_header` option to allow the setting of an arbitrary HTTP header.
  • Add `metrics_user` config to allow control over which user spawns the metrics process.
  • Improve disconnected UI by adding modal with description.
  • Capture killing of sessions and workers from admin dashboard in server log.
  • Bug fix: URL query arguments are preserved through the login attempts.
  • Added experimental support for reconnecting disconnected sessions. Set `disable_reconnect false;` to enable the feature.


  • Update to NodeJS v0.10.40 for security fixes
  • Add preserve_logs option to retain logs for R processes that didn't error.
  • Bug fix: No more instability when reloading after removing the auth strategy.


  • Added support for RHEL/CentOS 7 and Ubuntu 15.04.
  • Added disabled_protocols to allow administrators to disable arbitrary SockJS protocols.
  • Include supplemental groups when switching users.
  • Support multiple CA certificates for LDAP over SSL.
  • Log successful login attemps (at the DEBUG level) and unsuccessful login attempts (at the INFO level).
  • Capture Upstart failures to start Shiny Server successfully.
  • Bug fix: Load fonts over HTTPS.
  • Bug fix: Fix installer locale issue for Ubuntu 14.04.
  • Bug fix: RH6 uses a statically linked Pandoc.
  • Support appidletimeout of 0.


  • Added support for SUSE Linux Enterprise Server 11.


  • Bug fix: Ensured proper LDAP filter query escaping for special characters.


  • Added support for single-file app.R deployment released in Shiny 0.10.2.
  • Logging performance improvements.
  • Bug fix: Check for undefined target in link handler, will resolve the browser error: "Uncaught TypeError: Cannot read property 'replace' of undefined."
  • Bug fix: Properly target all HTTP traffic to the original worker in IE8 and 9.


  • Added experimental support for Interactive Documents (Shiny + Rmd) via the rmarkdown package.
  • Leverage sitedir when hosting in userdirs mode; userdirs will now respect the directoryindex setting and host static assets other than Shiny applications.
  • Provide a more sane handling of LANG by ensuring it's passed through in all spawning modes and set an environment variable in the startup script on Ubuntu.
  • Bug fix: Restored functionality of sspasswd's -v switch.


  • Added Google Authentication (OAuth2) as a new authentication strategy.
  • Added support for custom page templates -- exposing the ability to customize the static pages generated by Shiny Server for directory listings or errors.
  • Support PAM for auth (auth-pam) and session creation (pam-sessions-profile).
  • Leverage bash when spawning Shiny processes on behalf of other users, as in 'user_apps' mode.
  • Support custom locations for the R executable in the configuration file.
  • Added the '' and '*' special-cases to the 'required_user' setting.
  • Added the 'exec_supervisor' setting to allow administrators to prefix the R process with a command, such as 'nice'.
  • Bug fix: Restored compatibility with IE8 Standards Mode
  • Added a health check endpoint at /health-check (two underscores on either side) which makes various statistics about the server available.
  • DEPRECATED: No longer offering a health-check endpoint '/ping'.
  • Created 'userdirs' mode and the special ':HOMEUSER:' runas user to replace 'userapps'.
  • Leverage bash when spawning Shiny processes on behalf of other users, as in 'user_dirs' mode.
  • Bug fix: Make compatible with loading content from Shiny Server in an iframe with third-party cookies blocked.
  • Bug fix: Restored compatibility with IE8 Standards Mode


  • Added various quick-start configurations as described at:
  • Added ability to disable metrics using --no-metrics.


  • Drop root privileges and run as another user when appropriate.
  • Don't uninstall Upstart script when upgrading rpm package.
  • Refactor admin: Added username, protocol, SSL icon, and IP address to connections table.


  • BREAKING CHANGE: Deprecated application setting in favor of nested `location blocks.
  • Allow client to configure which network techniques should be used to connect to the server using the keyboard shortcut 'ctrl+shift+A'.
  • Properly set working directory of spawned Shiny Processes to the associated application's directory to honor local .Renviron and family.
  • Provide a logrotate configuration for /var/log/shiny-server.log where logrotate is available.
  • Various memory leak and stability improvements.


  • Added LDAP and AD Auth schemes
  • Support SSL on Admin
  • Patch Admin on Safari
  • Ability to proxy headers


  • Use UNIX domain sockets for data transfer instead of TCP/IP for enhanced security.
  • Added scheduler and traffic direction which require shiny >= to be compatible.


  • Support for node-webkit-agent ( Use by setting DEBUG_PORT environment variable to a port number, then follow the instructions on the node-webkit-agent GitHub page under "Connecting to the agent". (At the time of this writing, node-webkit-agent only supports Node v0.8.x, not v0.10.x.)
  • Fix slow memory leak when checking for restart.txt that doesn't exist.


  • Fix crash on Node 0.10.x when serving static files.
  • Fix slow memory leak and log file descriptor leak.


  • You can now force an app to restart by calling "touch restart.txt" in the app directory root. Existing sessions will not be terminated, but the next session to be initiated will cause a new R process to be launched.
  • shiny-server now passes its version number to R processes it launches.


  • Remove pausing which is causing corruption in proxied HTTP request bodies.


  • Make shiny-server compatible with httpuv package which we are introducing to Shiny.


  • Fix crashing bug when "req" object has no address.


  • Initial release.