I am using a component (e.g. component1) which uses a variable's (e.g. var1) value (e.g. true/false) in its Hidden value field. This is to show or hide the component.
Just wanted to check if it's possible to access this variable (var1) through Chrome dev tools/debugger tools etc. (or any other browser tools) on the client side and change its content (true/false).
Have read on a few forums that a running script's variable can be accessed and changed by using some tools etc. in the browser. Just wanted to make sure of this regarding Retool apps, that there's a way/(no way) to do such things.
Hi @rkr, thanks for reaching out! Hmm, we may need more information about your specific use case, but in general, if the component is populated from a JS query, it would be very tricky, but it may be possible that a user could modify the JS query to change the value. If the component is populated by a non-JS resource, that is a bit more secure in that the user wouldn't be able to modify the query.
If there is a concern of internal users making these sorts of changes, or if this is a public app, it might be more secure to split into two different apps.
Hi,
Really sorry for not mentioning the use case. Just want to find out the minimum use case scenario which is completely secure, both in private and public apps.
As JS queries are not very secure, should all the values be hardcoded, or can JS expressions be used?
Since JavaScript is run in the front end, there is the possibility that it could be tampered with by a malicious user. To clarify, it's not necessarily a Retool limitation, but since Retool is run in the browser, this exposes some risk of malicious users accessing JS in your app.
As far as hardcoded values, it's hard to say, since you lose a good amount of functionality from not having dynamic values.
In general, public apps allow for unauthenticated, open access to the embedded app. If you need to give users access to confidential information or dangerous functionality, we recommend that you don't use a public app and instead require users to log in to Retool.
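
The point made in the replies above, that a value evaluated in the browser (such as `var1` driving a Hidden field) is under the user's control, shown as an added example that is not part of the original thread and is not Retool code. It contrasts a backend that relies on the client to hide data with one that decides from server-side session state; every name and value here (`SESSIONS`, the tokens, the handlers, the sample row) is hypothetical and constructed.

```javascript
// Added illustration: plain JavaScript simulating a backend, no Retool APIs.
// Server-side state the browser never sees: session token -> identity and role.
const SESSIONS = new Map([
  ["tok-admin-constructed", { user: "alice", role: "admin" }],
  ["tok-viewer-constructed", { user: "bob", role: "viewer" }],
]);

// Constructed sample of data that only admins should receive.
const SENSITIVE_ROWS = [{ id: 1, employee: "carol", salary: 100000 }];

// Weak pattern: the backend returns the data to anyone and leaves it to a
// client-side flag (the equivalent of var1) to keep the component hidden.
// The flag arrives from the browser, so the user decides its value.
function handleTrustingClient(request) {
  return {
    status: 200,
    rows: SENSITIVE_ROWS,
    hidden: Boolean(request.body.hidden),
  };
}

// Hardened pattern: the decision comes from the server-side session only.
// Whatever the browser sends in the body is ignored for authorization, so a
// hidden component is a display convenience rather than the access control.
function handleServerEnforced(request) {
  const session = SESSIONS.get(request.token);
  if (!session) return { status: 401, rows: [] };
  if (session.role !== "admin") return { status: 403, rows: [] };
  return { status: 200, rows: SENSITIVE_ROWS };
}

// Constructed request: a viewer whose client-side flag has been changed.
const tamperedViewerRequest = {
  token: "tok-viewer-constructed",
  body: { hidden: false },
};

console.log(handleTrustingClient(tamperedViewerRequest).rows.length); // data left the server
console.log(handleServerEnforced(tamperedViewerRequest).status);      // refused server-side
```

In the first handler the sensitive rows reach the browser regardless of the flag; in the second they never leave the server for a non-admin session.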