Hi,
I have built an embedded app with a custom login page to allow specific users access using an external api and some javascript. Some users are experiencing malware warnings and I am not sure what is causing it at the moment.
Welcome to the community, @maxhatched! It's not uncommon for some security software to flag embedded apps with a domain that is different from the top level. We include a quick note about this in our docs and typically recommend that you define a custom domain for your Retool org. Let me know if you have any additional questions!
The aim is not to embed the app in other applications but to allow clients to access the retool app using a custom authentication layer within retool. The top level domain remains the same. This warning is triggered when opening the link through a Microsoft tool like teams.
Can you share the full URL that you're linking out to? It feels like this is probably just a symptom of an overly sensitive security setting in certain software, but I can try to to identify the offending page content.
Have you had a chance to revisit this, @maxhatched?
I am not comfortable sharing the link on the forum as it is only shared to the organisation’s clients even though there is an authentication layer. I could message you?
Yep! That works.
To anybody following this particular conversation - I don't have much to share but will summarize here.
Microsoft Defender seems to be flagging the link based purely on its appearance, not the actual content of the page. Depending on your workspace settings, it may be sufficient to set up a custom URL for your app instead of referencing its UUID.
It's also possible to configure specific safe links within your MS workspace. This is a more involved solution, to be sure, but would almost certainly prevent this behavior.