Security Consideration: Server Side Rendering vs Client Side Rendering

Dear retool Team,

I wanted to ask you the following question:

Which of the data processing happens in the backend (server side) and which of the processing happens on the client side? I am asking this due to security considerations.

When performing a "query", I guess this is definitely a backend operation.
What happens to all other data manipulation inside a component e.g. when having a table component and manipulating the "data" attribute via Javascript. Does that happen on the backend as well?

So mainly the question:
Which of the procesing happens on the client side and therefore needs special awareness for security considerations.

Thanks a lot.

Hey Stefan!

All Javascript inside of a Retool app is processed on the frontend. We execute all JS in a separate iframe, on a different domain to prevent editors from injecting malicious scripts to end users. Query JSON w/ SQL queries are also run locally, as they are just executing the alasql library.

All resource queries are executed from the Retool backend, where your authentication is stored encrypted and applied to outgoing requests. From there, the return is forwarded to the fronted to be manipulated with JS and used in the app.


Thanks for the fast answer Alex.

That means, if my resource query returns any sensitive data, you would probably recommend using a transformer to filter out that data (or even at database query level) before populating it to the frontend?

Ideally, you would be having your backend only return data that you are comfortable having available in the user's browser since the return is sent there to be processed with JS and rendered to the user