HOW TO SECURE REPLIT - SECURITY GUIDE | VIBEEVAL

Replit Security Considerations

Replit has two distinct risks. First, the platform itself: public Repls expose your full source code (and any secret you accidentally hardcoded) to anyone with the URL. Second, the Agent: Replit’s AI generator inherits the same default-insecure patterns we see across Lovable / Bolt / Cursor — missing auth, missing rate limits, leaked keys. The first is a one-time settings check; the second is the same recurring audit.

Security Checklist

1. Use Replit Secrets, never hardcode

Open the Repl → left sidebar → Tools → Secrets. Add every API key, DB credential, JWT secret here — never in code, never in .env files committed to the Repl. Reference them as process.env.MY_KEY (Node) or os.environ['MY_KEY'] (Python). Secrets stored in the Secrets tab are not visible in public Repls; secrets in code are.

2. Make sensitive Repls private

A public Repl is a public GitHub repo: anyone can read the source, fork it, and read every commit. Repl settings → Privacy → Private moves it behind your account. This requires a paid plan; if you’re on free, assume everything in the Repl is world-readable and never put a real secret in code.

3. Review Agent-generated code before deploying

The Replit Agent is fast at producing working code and slow at producing secure code. After each Agent turn, scan the diff for: API routes without an auth check, SQL queries built by string concatenation, file reads driven by user input, and eval. The Agent’s first three files set the convention for everything after — fix the pattern early.

4. Configure authentication

If using Replit Auth: the X-Replit-User-Id header is set by Replit only when the user is logged in to your Repl. Your server must check this header on every protected route — frontend checks alone don’t help. If using Supabase / Firebase / Clerk: follow that provider’s setup, never trust an unverified email, set session expiry to ≤ 7 days.

5. Secure database connections

For PostgreSQL / MySQL / Mongo on Neon / Railway / etc., the connection string is a secret — store it in Tools → Secrets, not in the code. Use SSL: append ?sslmode=require to Postgres URLs, set ssl: true in the Mongo client. Never use localhost connection strings in production code; the Repl’s localhost is reachable from outside under specific conditions.

6. Audit public vs private status

Walk every Repl in your account: Account → My Repls → filter by Public. For each public Repl, ask: did I ever paste a real key, even in a comment? If yes, rotate the key now (the key is in git history forever). If you can’t remember, treat as exposed and rotate.

7. Configure deployment environment variables

Replit Deployments use a separate secrets store from the dev environment. Deployments → [your deployment] → Configuration → Secrets — add every secret here as well. A common bug: works in dev (Secrets tab is set), 500s in production (Deployments secrets are empty).

8. Validate user inputs

Add length limits and type checks server-side. The Agent-generated form typically has no validation; an attacker doesn’t use the form. Use Zod (Node) or Pydantic (Python) on the request body, return 400 on invalid input. See mass assignment for the field-stripping pattern that prevents privilege escalation.

9. Enable HTTPS — verify the deployment

Replit Deployments are HTTPS by default. Verify by hitting http://your-deployment.replit.app — it should redirect to https://. For custom domains, finish the cert setup in the Deployment dashboard before sending users to the URL.

10. Audit package dependencies

Run npm audit (Node) or pip-audit (Python) in the Replit shell. AI-generated package.json files frequently include outdated versions or hallucinated package names. Check the Package Hallucination Scanner for the AI-specific subset.

11. Configure CORS for the deployment URL

If your Repl serves an API consumed by a separate frontend, set Access-Control-Allow-Origin to the frontend’s origin — not *, especially with credentials. The Agent often ships cors({ origin: '*', credentials: true }) which is a credential-stuffing pivot.

12. Strip stack traces in production

Wrap your error handler so production returns {"error": "Internal server error"} and logs the trace server-side via console.error. Use process.env.NODE_ENV === 'production' (or the Python equivalent) to gate.

13. Review file permissions

If your Repl serves user-uploaded files, set the storage path outside the public web root, and route every download through an auth-checked handler. A file at /public/uploads/[uuid].pdf is reachable by URL — the UUID is not security.

14. Enable rate limiting

Add express-rate-limit (Node) or slowapi (FastAPI) on /login, /signup, /reset-password. The default Agent-generated auth has no rate limit, which means an attacker can credential-stuff at line speed. Start with 10 requests per IP per minute on auth endpoints.

15. Test authentication flows

Sign up, verify, log in, log out, reset password, log in. Each step in a fresh incognito. Look for: tokens that survive logout, password resets that don’t expire, session cookies without Secure and HttpOnly. See auth flows for recurring shapes.

16. Run an automated security scan

The Vibe Code Scanner covers the AI-specific patterns: source maps in production, exposed .replit config files, debug routes left on, and the rest of the recon-surface findings.

Related Resources

Free Self-Audit Suite

Five free scanners covering RLS, leaked keys, headers, BOLA.

Vibe Coding Security Risk Guide

Full risk catalogue for AI-built apps.

Solo Founder Pre-Launch Checklist

12 checks before accepting your first paying user.

Automate Your Security Checks

Let VibeEval scan your Replit deployment against every category above plus the long tail. Each finding ships with a fix prompt you can paste back into the Agent for one-shot remediation.