How to do a security audit of a Retool app?

Why a Retool-specific audit (not a generic web audit)

A generic OWASP audit will tell you your Retool app "needs CSP headers." A Retool-aware audit tells you that your specific Retool app has an RPC function callable without auth or a service key in a client bundle — the issues that actually appear when Retool apps get compromised. The difference in output value is why the audit should be scoped to Retool's real failure modes.

Step 1 — Fingerprint the deployment

Confirm the Retool stack components: database (postgres, mongodb, supabase), hosting, auth provider, third-party integrations. For Retool apps this is often visible in the Supabase endpoint URL in network requests. Document every component — each is an independent audit target.

Step 2 — Automated scan with Retool-aware rules

Run VAS against the deployed URL. The scan probes the specific issue classes found in Retool apps: resources, queries, access control, audit logs. This is the 80/20 — most critical and high findings surface here. Fix anything critical before continuing to manual steps.

Step 3 — Manual Row Level Security (RLS) policies review

Open the Supabase dashboard → Authentication → Policies. For each table: is RLS enabled? Do policies check `(select auth.uid()) = user_id` or equivalent? Are there policies scoped to the anon role that shouldn't exist? The automated scan catches missing RLS; this step catches overly permissive RLS — a subtler but equally dangerous failure mode.

Step 4 — Authentication & authorization probing

Test every endpoint with no session (expect 401), with a valid session for a different user (expect 403 on user-owned resources), and with session tokens that have been tampered with (expect 401 if signatures are enforced). Rate limiting on login/password-reset is a pass/fail check here, not a nuance.

Step 5 — Re-scan to verify

Fix findings in severity order (critical → high → medium → low), re-scan after each batch of fixes. "I applied the fix" is not evidence — the fix might not have been deployed, might have been partial, or might have been reverted. Only the scan output proves the gap is closed. Log each finding + fix + verification scan for compliance records.

Retool-specific checks often missed

• Resource connection security (fix: Scan your deployed application with a security tool that understands this stack)
• Query parameter injection (fix: Use parameterized queries, sanitize all user input, and render dynamic content with framework escaping (React JSX, not dangerouslySetInnerHTML))
• Access control configuration (fix: Enable Row Level Security (Supabase) or Security Rules (Firebase) on every table)
• Audit logging requirements (fix: Enable audit logging for all data access and admin operations)