Security hardening best practices
Learn about security hardening options for self-hosted Retool.
Retool provides different security hardening options that you can customize. Use the following best practices when evaluating and configuring your deployment according to your use case, threat model, and risk assessment.
If you deploy Retool on Kubernetes, review your hosting provider’s documentation:
Increase security of your deployment
Retool uses environment variables to control certain functions and characteristics for self-hosted deployments. Use the following environment variable recommendations to improve security hardening.
Set a strong encryption key
Retool encrypts sensitive values like API credentials in its internal database. Set the ENCRYPTION_KEY environment variable to a cryptographically random value. If you have the OpenSSL CLI installed, generate this value with this command: openssl rand -base64 32.
Set a strong JWT secret
Retool uses a JSON Web Token (JWT) to sign requests for authentication with Retool's backend API server. If the secret is changed, all active user login sessions are invalidated. Set the JWT_SECRET environment variable to a cryptographically random value. If you have the OpenSSL CLI installed, you can generate this value using this command: openssl rand -base64 32.
Disable public apps
Retool supports sharing apps publicly using a public link. If you want to prevent apps from being shared publicly, set DISABLE_PUBLIC_PAGES to disable public apps and DISABLE_IMAGE_PROXY to disable the proxy used for public apps.
Disable app editing in production
When using source control to promote apps between development and production instances, set VERSION_CONTROL_LOCKED to disable creating and editing apps in the production environment. This forces app changes to be made using source control.
Enable short sessions
Retool sessions are valid for one week by default. Set USE_SHORT_SESSIONS to restrict session length to 12 hours instead.
Increase security for your users
Configuring authentication options ensures only your users have access to Retool. In addition to single sign-on (SSO) support, you can require strong passwords and two-factor authentication (2FA).
Single sign-on
Retool supports SSO to enable users to securely access multiple applications and services using one set of credentials. See the SSO documentation to set up SSO with your identity provider.
Disable username and password login
You can disable Retool's built-in authentication method (email address and password) and require that all users log in using SSO by setting the DISABLE_USER_PASS_LOGIN environment variable. Make sure to set this variable if you use SSO exclusively.
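The following script is an added example, not part of Retool's documentation or product: it generates the two secrets the way the sections above recommend and audits a Retool env file for the hardening variables discussed here (ENCRYPTION_KEY, JWT_SECRET, DISABLE_PUBLIC_PAGES, DISABLE_IMAGE_PROXY, VERSION_CONTROL_LOCKED, USE_SHORT_SESSIONS and DISABLE_USER_PASS_LOGIN). It assumes the env file uses plain KEY=value lines and that the boolean variables are enabled with the literal value "true", which the page does not state.

```shell
#!/bin/sh
# Audit helpers for a self-hosted Retool env file (example code, not Retool's own).
# Assumption: boolean hardening variables are enabled by setting them to "true".

# Generate one secret as the page recommends (openssl rand -base64 32),
# falling back to /dev/urandom when the OpenSSL CLI is not installed.
gen_secret() {
  if command -v openssl >/dev/null 2>&1; then
    openssl rand -base64 32
  else
    head -c 32 /dev/urandom | base64 | tr -d '\n'
  fi
}

# Print the value of variable $2 from env file $1 (last KEY=value line wins).
env_value() {
  sed -n "s/^$2=//p" "$1" | tail -n 1
}

# Return 0 when the file meets every recommendation, 1 otherwise.
# Each finding is printed, so the function doubles as a checklist.
check_retool_env() {
  f=$1; rc=0
  for key in ENCRYPTION_KEY JWT_SECRET; do
    v=$(env_value "$f" "$key")
    # 32 random bytes base64-encode to 44 characters; this is a length
    # check only, it cannot prove the value was randomly generated.
    if [ "${#v}" -lt 44 ]; then
      echo "$key: missing or shorter than 32 random bytes"; rc=1
    fi
  done
  for key in DISABLE_PUBLIC_PAGES DISABLE_IMAGE_PROXY VERSION_CONTROL_LOCKED \
             USE_SHORT_SESSIONS DISABLE_USER_PASS_LOGIN; do
    if [ "$(env_value "$f" "$key")" != "true" ]; then
      echo "$key: not set to true"; rc=1
    fi
  done
  return $rc
}

# Write a hardened env file to $1 with freshly generated secrets.
write_hardened_env() {
  {
    echo "ENCRYPTION_KEY=$(gen_secret)"
    echo "JWT_SECRET=$(gen_secret)"
    for key in DISABLE_PUBLIC_PAGES DISABLE_IMAGE_PROXY VERSION_CONTROL_LOCKED \
               USE_SHORT_SESSIONS DISABLE_USER_PASS_LOGIN; do
      echo "$key=true"
    done
  } > "$1"
}
```

Run `check_retool_env /path/to/retool.env` against an existing deployment; a non-zero exit and the printed findings show which of the recommendations above are not yet applied.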
Require strong passwords for login
Navigate to Settings > Beta to enable Require Strong Password for Login. This requires passwords to have:
- A minimum of 12 characters.
- One uppercase letter.
- One lowercase letter.
- One number.
- One special character.
Require two-factor authentication
You can require 2FA in Retool by navigating to Settings > Advanced and enabling Require Two Factor Authentication. Users can set up 2FA using either TOTP or FIDO2 hardware keys.