Retool - how it works and security

Are there any resources or community posts that explain how retool works and what code / queries are exposed to users? I'm trying to get a handle on what security consideration I should take into account when building an app.

For example can an app user modify a sql query to change the input parameters or raw query?
Can a user of a public app modify the javascript queries to change the behaviour and read and variables (I assume this is the case from reading about debugging retool in the browser)?

In essence I'm looking for a high level understanding of what runs backend or in the browser and

Any pointers much appreciated

I've found a bit more in the user permission docs in the Preventing query spoofing section

1 Like

And for reference more info on where queries are run in this post.

1 Like

Hi @DavidS Thanks for sharing the links you found!

For security purposes, I'd also recommend ensuring that you are using prepared statements (also linked in the Preventing query spoofing doc). This is on by default, and only admins can turn off prepared statements from the resource page.

More generally for public apps, publicly shared apps allow for unauthenticated, open access to the embedded app. If you need to give users access to confidential information or dangerous functionality, they would have to login with a Retool account.