
Security

Retestr.ai treats security as a first-class concern: the controls on this page are what protect your test data, secrets, and infrastructure.

Project Secrets

Never hardcode passwords or API keys in your test scripts. Retestr provides a secure Project Secrets manager.

  1. Navigate to Project Settings > Secrets.
  2. Add a new secret (e.g., TEST_USER_PASSWORD).
  3. Retestr encrypts this value using AES-256-GCM before storing it in the database.
  4. When a test runs, the secret is decrypted and injected into the Runner's environment variables.
  5. Access it in your script via process.env.TEST_USER_PASSWORD. Treat it as a live credential inside the Runner process: never log it, and never dump process.env into test output or artifacts.

Role-Based Access Control (RBAC)

Manage who can access your projects and what they can do.

  Role     Permissions
  Admin    Full access. Can manage billing, delete projects, and invite members.
  Editor   Can create/edit tests, run tests, and approve baselines. Cannot manage billing or delete projects.
  Viewer   Read-only access to test results and dashboards. Cannot modify tests or approve changes.

API Keys

For CI/CD integration, we recommend using Scoped API Keys instead of your personal user credentials.

  1. Navigate to User Settings > API Keys.
  2. Create a new key with only the scopes the pipeline needs, for example:
    • run:write: Allows triggering new test runs.
    • baseline:read: Allows fetching baseline images.
  3. Expose the key to your CI pipeline (e.g., GitHub Actions) as the RETESTR_API_KEY environment variable, sourced from the CI system's secret store rather than committed to the repository. Rotate the key if it is ever written to a log or a build artifact.

Data Protection

HAR Sanitizer Middleware

When debugging network issues, HAR (HTTP Archive) files are invaluable, but they often contain sensitive data such as session cookies or Authorization headers.

Retestr includes a built-in HAR Sanitizer that automatically runs on the Runner before any artifact is uploaded to the server.

  • What it does: Scans .har files for common sensitive keys (Authorization, Cookie, Set-Cookie, X-Auth-Token).
  • Action: Replaces the values with [REDACTED].
  • Configurable: Enterprise customers can define custom keys to redact via the HAR_REDACT_KEYS environment variable on self-hosted runners.

Compliance (Enterprise Plan)

Audit Logs

We maintain a comprehensive audit log of all critical actions within your organization, including:

  • User logins and failed attempts.
  • Test case creations, updates, and deletions.
  • Baseline approvals (who approved what and when).
  • Plan changes and billing updates.

These logs are append-only (entries cannot be edited or deleted by organization members) and can be exported for compliance reviews.