Retool
Security scanning for Retool apps
Retool apps power internal tools at thousands of teams, but the line between "internal tool" and "publicly shared link" is easy to cross by accident. Run a scan to verify that what is reachable at your app's public URL is what you think it is.
Most common issues
1. Shared Retool app URLs accessible without authentication, exposing internal queries
2. Resources connected with overly broad credentials (admin DB user instead of read-only)
3. Custom JS components leaking secrets via window globals
What SafeToShip checks for Retool
- js-secrets
- headers
- ssl
- tech-detect
- exposed-files
FAQ
Frequently asked questions
- Are Retool shared links public?
- They are accessible to anyone who has the link unless you require login. Open Settings → Sharing and make sure "Require login" is ON for any app that touches real data. With a public link, the link itself is the credential: anyone holding it can trigger every query the app runs, using whatever resource credentials are configured for that app.
- How do I scope Retool resource credentials properly?
- Create a dedicated database user for the Retool resource that has only the permissions the app actually needs (often just SELECT on specific tables, sometimes only specific columns). Never connect a resource with the master or owner credential: every public link, shared app and custom component then inherits that access.
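The procedure above as a worked example for a PostgreSQL resource. This is an added example, not code from SafeToShip or Retool; it assumes a database named `app`, hypothetical tables `public.orders` and `public.customers`, and a role name `retool_ro`, all of which you would replace with your own. The last two statements are the check you run afterwards to confirm the role got nothing beyond what you granted.

```sql
-- Added example (not from the SafeToShip page or the Retool docs).
-- Assumes PostgreSQL, a database named "app", and hypothetical tables
-- public.orders and public.customers. Replace names to match your schema.

-- Before (what to avoid): the Retool resource configured with the "postgres"
-- superuser or the schema owner. Every shared link then has full DB access.

-- 1. A login role used only by this Retool resource. The password lives in
--    the Retool resource configuration, never in app or component JS.
CREATE ROLE retool_ro LOGIN PASSWORD 'replace-with-a-long-random-secret';

-- 2. Remove the defaults that let every role connect and use the public schema,
--    so the role below gets nothing it is not explicitly granted.
REVOKE ALL ON DATABASE app FROM PUBLIC;
REVOKE ALL ON SCHEMA public FROM PUBLIC;

-- 3. Grant only what the app needs: connect, see the schema, read two tables.
GRANT CONNECT ON DATABASE app TO retool_ro;
GRANT USAGE ON SCHEMA public TO retool_ro;
GRANT SELECT ON public.orders, public.customers TO retool_ro;

-- Column-level narrowing: if the app never needs customers.email, grant the
-- columns it does need INSTEAD of the whole table (a table-level SELECT would
-- override a column list, so use one or the other).
-- GRANT SELECT (id, name, plan) ON public.customers TO retool_ro;

-- If the app must write, grant the minimum verb on the minimum table, e.g.
-- GRANT INSERT ON public.support_notes TO retool_ro;

-- 4. Belt and braces: read-only transactions by default and a statement
--    timeout, so a runaway or abused query cannot write or hog the database.
ALTER ROLE retool_ro SET default_transaction_read_only = on;
ALTER ROLE retool_ro SET statement_timeout = '30s';

-- 5. Verify. Expect exactly SELECT on orders and customers and nothing else.
SELECT table_schema, table_name, privilege_type
FROM information_schema.role_table_grants
WHERE grantee = 'retool_ro'
ORDER BY table_schema, table_name, privilege_type;

-- And confirm the role is not a superuser and cannot create roles or databases
-- or bypass row-level security (all four flags should be false).
SELECT rolname, rolsuper, rolcreatedb, rolcreaterole, rolbypassrls
FROM pg_roles
WHERE rolname = 'retool_ro';
```

Run this as the database owner, then point the Retool resource at `retool_ro`. Because nothing here uses `ALTER DEFAULT PRIVILEGES`, tables created later are invisible to the role until someone grants them deliberately, which is the behaviour you want for an internal tool.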
Fix guides
Common Retool fixes
Hardcoded API key in JS
Any secret in your client bundle is public. Here is how to find them, rotate them, and move the calls server-side.
Missing CSP header
Without a Content-Security-Policy header, any script an attacker manages to inject into a page runs unrestricted; CSP is the backstop that limits where scripts may load from and what they can do. Here is what CSP does, why you need it, and how to add it in Next.js, Vercel, and Supabase apps.
Missing HSTS header
HSTS tells browsers to always use HTTPS for your site. Without it, a network attacker can downgrade a user's first request to plain HTTP and steal session cookies. Here is how to add HSTS on Vercel, Next.js, and other hosts.
Run a Retool security scan
Free. 70+ checks. 60 seconds.