1. We were able to find our instance on Google by searching "[company name] reset password". We cannot have our application discoverable, whether the user has access privileges or not, on a search engine.
2. We have been getting random users trying to access our Retool instance. I have a hunch that these may be nefarious actors but some of these users are from our company but somehow found a way to request an account with our instance. I believe that this is related to point 1 but I'm not sure if they're using Google or some other engine to find a reset password link.
We want to button this up so that no one outside of our technical functions has access to our instance. Can someone please advise?
We're facing a similar issue. Our Retool app (our admin dashboard) is showing up in public search results, and our customers are trying to reset their password for our Retool app, rather than our customer app.
Are we able to have an option to block the whole subdomain from Google search with a robots.txt or similar?
We have an existing request to hide Cloud applications/organizations from search engine results. I've added your feedback and +1s to it. As of today, this is not possible on Retool Cloud, and it's one reason why some of our customers prefer to go with self-hosted Retool.
You can deploy a self-hosted Retool instance within your virtual private cloud (VPC) or behind your virtual private network (VPN) to restrict access exclusively to users inside the network. This way, the browser would show a 404 error when someone outside the network tries to access it.
If we decide to take that route, here are our security handling best practices for self-hosted Retool:
We will update you here when there's an update on the existing request for Retool Cloud, and we'll leave this open to collect more +1s.
While we wait for this feature, we've seen organizations request to remove the URL through the Google Search Console. However, this is a temporary fix, as it's only possible to get it removed for 6 months at a time.
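For a self-hosted instance behind a proxy you control, the robots.txt question raised in this thread can be checked with something like the following. This is an added example, not code from the thread or from Retool; the function name, the path and the sample responses are constructed for illustration.

```python
import re
from urllib.robotparser import RobotFileParser

def indexing_exposure(path, robots_txt, headers, html, agent="Googlebot"):
    """Return the reasons the page at `path` can still appear in search results."""
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())
    crawl_allowed = rp.can_fetch(agent, path)

    # noindex can arrive as an X-Robots-Tag header or a <meta name="robots"> tag.
    # Simplification: the regex expects name= before content= in the meta tag.
    header_val = next((v for k, v in headers.items()
                       if k.lower() == "x-robots-tag"), "")
    meta = re.search(
        r'<meta[^>]+name=["\']robots["\'][^>]+content=["\']([^"\']*)', html, re.I)
    raw = header_val + "," + (meta.group(1) if meta else "")
    directives = {d.strip().lower() for d in raw.split(",")}
    noindex = bool(directives & {"noindex", "none"})

    findings = []
    if not noindex:
        findings.append("no noindex directive: page is eligible for indexing")
    if not crawl_allowed and not noindex:
        # Disallow stops crawling, not listing of a URL linked from elsewhere.
        findings.append("Disallow alone: URL can still be listed without a snippet")
    if not crawl_allowed and noindex:
        findings.append("robots.txt blocks crawling, so the crawler never sees noindex")
    return findings

# Constructed sample responses (not captured from any real instance).
PATH = "/reset-password"                      # hypothetical path
LOGIN_HTML = "<html><head><title>Reset password</title></head></html>"
BLOCK_ALL = "User-agent: *\nDisallow: /\n"
NOINDEX = {"X-Robots-Tag": "noindex, nofollow"}

if __name__ == "__main__":
    cases = {
        "defaults": ("", {}),
        "robots.txt only": (BLOCK_ALL, {}),
        "robots.txt + noindex": (BLOCK_ALL, NOINDEX),
        "noindex, crawlable": ("", NOINDEX),
    }
    for name, (robots, hdrs) in cases.items():
        print(name, "->", indexing_exposure(PATH, robots, hdrs, LOGIN_HTML) or "ok")
```

Only the last case comes back clean: a `noindex` directive works only when the crawler is allowed to fetch the page and read it. None of these settings restrict access, which is what the VPC/VPN deployment is for.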