Skip to main content

Security hardening best practices

Learn about security hardening options for self-hosted Retool.

Self-hosted Retool Availability
Self-hosted EdgeGenerally Available
Self-hosted StableGenerally Available

Retool provides different security hardening options that you can customize. Use the following best practices when evaluating and configuring your deployment according to your use case, threat model, and risk assessment.

If you deploy Retool on Kubernetes, review your hosting provider’s documentation:

Increase security of your deployment

Retool uses environment variables to control certain functions and characteristics for self-hosted deployments. Use the following environment variable recommendations to improve security hardening.

Set a strong encryption key

Retool encrypts sensitive values like API credentials in its internal database. Set the ENCRYPTION_KEY environment variable to a cryptographically random value. If you have the OpenSSL CLI installed, generate this value with this command: openssl rand -base64 32.

Set a strong JWT secret

Retool uses a JSON web token (JWT) to sign requests for authentication with Retool's backend API server. If changed, all active user login sessions are invalidated. Set the JWT_SECRET environment variable to a cryptographically random value. If you have the OpenSSL CLI installed, you can generate this value using this command: openssl rand -base64 32.

Disable public apps

Retool supports sharing apps publicly using a public link. If you want to prevents apps from being shared publicly, set DISABLE_PUBLIC_PAGES to disable public apps and DISABLE_IMAGE_PROXY to disable the proxy used for public apps.

Disable app editing in production

When using source control to promote apps between development and production instances, set VERSION_CONTROL_LOCKED to disable editing for all elements (apps, workflows, resources, etc.) in the production environment. This forces app changes to be made using source control. Admins can still delete unprotected elements.

Enable short sessions

Retool sessions are valid for one week by default. Set USE_SHORT_SESSIONS to restrict session length to 12 hours instead.

Increase security for your users

Configuring authentication options ensures only your users have access to Retool. In addition to single sign-on (SSO) support, you can require strong passwords and two-factor authentication (2FA).

Single sign-on

Retool supports SSO to enable users to securely access multiple applications and services using one set of credentials. See the SSO documentation to set up SSO with your identity provider.

Disable username and password login

You can disable Retool's built-in authentication method (email address and password) and require that all users log in using SSO by setting the DISABLE_USER_PASS_LOGIN environment variable. Make sure to set this variable if you use SSO exclusively.

Require strong passwords for login

Navigate to Settings > Beta to enable Require Strong Password for Login. This requires passwords to have:

  • A minimum of 12 characters.
  • One uppercase letter.
  • One lowercase letter.
  • One number.
  • One special character.

Require two-factor authentication

You can require 2FA in Retool by navigating to Settings > Advanced and enabling Require Two Factor Authentication. Users can set up 2FA using either TOTP or FIDO2 hardware keys.

Limit default permissions

Retool’s permissions system lets you configure permission controls for apps, resources, and workflows. Retool recommends enforcing least privilege for the All users group and selectively adding permission groups as needed for users.

Respond to compromised accounts

If a user’s account is compromised, consider taking the following steps:

After completing an investigation and mitigating the immediate impact, enable the user.

Prevent query variable spoofing

Prevent query variable spoofing is enabled by default. This prevents users from manipulating network requests and passing in arbitrary values to prepared statements. Confirm this is setting is enabled by navigating to Settings > Beta.

Keep your deployment up to date

You are responsible for updating self-hosted instances and for the security of your underlying hosts. You can subscribe to Retool's changelog using RSS or JSON to stay up to date with releases.

Monitor audit logs

Actions that users take within Retool are stored in audit logs. You can also write these actions to container logs and pipe them into your observability tooling by setting the LOG_AUDIT_EVENTS environment variable.