Replit app security: what to check before you deploy
Replit Agent can build and deploy a full app from a prompt — which makes it the fastest route from idea to exposed API key on the public internet. Here's the pre-deploy routine for Replit builders.
1. Use Replit Secrets, not code
Replit has a built-in Secrets tab that exposes values to your app as environment variables without ever putting them in source. The problem: AI-generated code often ignores it and hardcodes keys anyway, and Replit projects are frequently public by default — meaning your code (and any key inside) is readable by anyone browsing Replit. Search your project for sk_live, sk-, and quoted key strings; move every hit into Secrets and rotate the key, since a key that was ever in a public file has to be assumed copied.
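The search-and-move step above, as an added example (not code from the article or from Replit): a small scanner that flags the key shapes the text names plus a generic "key-like variable assigned a long quoted string" heuristic, and a `load_secret` helper showing the replacement pattern, reading the value from the environment that the Secrets tab populates. The regexes, the `SKIP_DIRS` list and the `SAMPLE` snippet are assumptions constructed for the demo; the key values in it are fake.

```python
import os
import re
import sys
from pathlib import Path

# Heuristic patterns for the shapes the article says to search for (sk_live, sk-)
# plus a generic "key-like variable assigned a long quoted string". Assumed heuristics,
# not an exhaustive catalogue of provider key formats.
KEY_PATTERNS = [
    re.compile(r"sk_live_[A-Za-z0-9]{8,}"),
    re.compile(r"sk-[A-Za-z0-9_-]{16,}"),
    re.compile(r"(?i)(api[_-]?key|secret|token|password)\s*[:=]\s*[\"'][^\"']{12,}[\"']"),
]

# Directories that are noise or third-party code (assumed list).
SKIP_DIRS = {".git", "node_modules", "__pycache__", ".venv"}


def scan_text(text, source="<string>"):
    """Return (source, line_no, redacted_prefix) for every line matching a key pattern."""
    hits = []
    for no, line in enumerate(text.splitlines(), start=1):
        for pat in KEY_PATTERNS:
            m = pat.search(line)
            if m:
                # Report only a short prefix so the scan output itself does not leak the key.
                hits.append((source, no, m.group(0)[:8] + "..."))
                break
    return hits


def scan_project(root="."):
    """Walk a Repl's working tree and collect hits from every readable text file."""
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or any(part in SKIP_DIRS for part in path.parts):
            continue
        try:
            hits.extend(scan_text(path.read_text(errors="ignore"), str(path)))
        except OSError:
            continue
    return hits


def load_secret(name):
    """Read a key the Secrets tab injected into the environment; fail loudly if it is missing."""
    value = os.environ.get(name)
    if not value:
        raise RuntimeError(f"{name} is not set: add it under Secrets, not in source")
    return value


# Constructed sample of what generated code often looks like before cleanup (fake values).
SAMPLE = """
import stripe
stripe.api_key = "sk_live_EXAMPLEEXAMPLEEXAMPLE"
OPENAI_KEY = "sk-EXAMPLEEXAMPLEEXAMPLEEXAMPLE"
db_password = "hunter2hunter2hunter2"
limit = "10"
"""

if __name__ == "__main__":
    # With a path argument the real tree is scanned; without one, only the constructed sample.
    hits = scan_project(sys.argv[1]) if len(sys.argv) > 1 else scan_text(SAMPLE, "sample.py")
    for src, no, prefix in hits:
        print(f"{src}:{no}: possible hardcoded secret starting {prefix}")
```

Run it from the Repl's shell with `.` as the argument before every deploy; every hit should end up as a `load_secret("NAME")` call with the value entered in the Secrets tab, and the old value rotated at the provider.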
2. Check your project visibility
Public Repls expose all source code. If your app has any secrets history or business logic you care about, make the Repl private — and remember that anything ever committed while public should be treated as compromised.
3. Database rules still apply
Replit apps commonly pair with Supabase, Neon, or Replit's own database. Whatever the backend: access rules must live server-side. If the generated code filters data in the frontend, any visitor can call the API directly and bypass the filter.
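The difference between a frontend filter and a server-side access rule, as an added example (not the article's or any project's code) using a constructed in-memory table and session store in place of Supabase, Neon or Replit's database. The three handlers, the `ORDERS` rows and the `SESSIONS` tokens are all assumptions for the demo.

```python
# Constructed stand-in for a database table of per-user rows.
ORDERS = [
    {"id": 1, "owner": "alice", "total": 40},
    {"id": 2, "owner": "bob", "total": 99},
    {"id": 3, "owner": "alice", "total": 12},
]

# Constructed session store: token issued by the server -> authenticated user.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}


class Unauthorized(Exception):
    pass


def authenticated_user(headers):
    """Resolve the caller from a session token the server issued, never from a query parameter."""
    token = headers.get("Authorization", "")
    if token.startswith("Bearer "):
        token = token[len("Bearer "):]
    user = SESSIONS.get(token.strip())
    if user is None:
        raise Unauthorized("no valid session")
    return user


def orders_endpoint_insecure(query):
    # Typical generated pattern: the API returns every row and the *frontend* filters.
    # Anyone who calls the endpoint directly sees everyone's orders.
    return ORDERS


def orders_endpoint_trusting_param(query):
    # Slightly better on the surface, but the filter key is caller-controlled:
    # ?user_id=bob returns bob's rows to whoever asks.
    return [o for o in ORDERS if o["owner"] == query.get("user_id")]


def orders_endpoint_secure(headers):
    # Access rule enforced server-side on the authenticated identity; the client
    # never gets to choose whose rows it sees.
    user = authenticated_user(headers)
    return [o for o in ORDERS if o["owner"] == user]


if __name__ == "__main__":
    print("insecure, anonymous:", orders_endpoint_insecure({}))
    print("trusting param, anonymous:", orders_endpoint_trusting_param({"user_id": "bob"}))
    print("secure, alice:", orders_endpoint_secure({"Authorization": "Bearer tok-alice"}))
```

With a hosted Postgres such as Supabase the same rule belongs in the database itself, as a Row Level Security policy keyed on the authenticated user, so that a query from the browser cannot reach rows the policy excludes even if the app code forgets the filter.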
4. The deployed URL is scannable
Once deployed, your app has a public URL — test it logged out, check that private routes actually block access, and confirm security headers exist. VibeSafe's live URL scan checks headers, exposed paths, and CORS configuration on the running app.
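The logged-out checks described above, as an added example (not VibeSafe's scanner or Replit's code): it fetches the deployed URL with no cookies or tokens, reports which baseline security headers are missing, confirms that each private path denies or redirects rather than serving 200, and flags permissive CORS in the response to a request carrying a foreign Origin. The `EXPECTED_HEADERS` list, the probe origin and the sample paths in the usage line are assumptions; the check functions are pure so they can be exercised on constructed headers offline.

```python
import sys
import urllib.error
import urllib.request

# Baseline headers a deployed app should send. Assumed list, not a Replit or VibeSafe rule set.
EXPECTED_HEADERS = [
    "Strict-Transport-Security",
    "Content-Security-Policy",
    "X-Content-Type-Options",
    "X-Frame-Options",
    "Referrer-Policy",
]


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses instead of following them, so a redirect-to-login is visible."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


OPENER = urllib.request.build_opener(NoRedirect)


def fetch(url, origin=None):
    """GET with no cookies or tokens (the logged-out view); return (status, headers)."""
    hdrs = {"User-Agent": "predeploy-check"}
    if origin:
        hdrs["Origin"] = origin
    req = urllib.request.Request(url, headers=hdrs)
    try:
        with OPENER.open(req, timeout=10) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as e:
        # 3xx/4xx/5xx arrive here; the status is the finding, not an error.
        return e.code, dict(e.headers)


def missing_security_headers(headers):
    present = {k.lower() for k in headers}
    return [h for h in EXPECTED_HEADERS if h.lower() not in present]


def private_route_blocked(status):
    """Logged out, a private route must deny (401/403) or redirect to login, never serve 200."""
    return status in (401, 403) or 300 <= status < 400


def cors_findings(headers, probe_origin):
    """Flag permissive CORS in the response to a request that carried a foreign Origin."""
    lower = {k.lower(): v for k, v in headers.items()}
    acao = lower.get("access-control-allow-origin")
    creds = lower.get("access-control-allow-credentials", "").lower() == "true"
    findings = []
    if acao == "*":
        findings.append("wildcard-origin")  # acceptable only for a public, unauthenticated API
    elif acao == probe_origin:
        # Echoing an arbitrary origin lets any site read responses; with credentials it
        # also lets that site act as the logged-in user.
        findings.append("reflected-origin-with-credentials" if creds else "reflected-origin")
    return findings


def run_checks(base_url, private_paths, probe_origin="https://not-your-app.invalid"):
    """Run all three checks against a live deployment and return the findings."""
    status, headers = fetch(base_url, origin=probe_origin)
    return {
        "status": status,
        "missing_headers": missing_security_headers(headers),
        "cors": cors_findings(headers, probe_origin),
        "unprotected_routes": [
            p for p in private_paths if not private_route_blocked(fetch(base_url + p)[0])
        ],
    }


if __name__ == "__main__":
    # Usage (assumed URL and paths): python check.py https://your-app.replit.app /admin /api/orders
    base, *paths = sys.argv[1:] or ["http://localhost:8080", "/admin"]
    print(run_checks(base, paths))
```

Anything in `unprotected_routes` means a logged-out visitor got a 200 from a route you meant to be private; an empty `missing_headers` list and an empty `cors` list are what you want to see before the deploy goes live.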
The pre-deploy checklist
- All secrets in Replit Secrets, none in code — old keys rotated
- Repl visibility reviewed (private unless intentionally public)
- Database access rules enabled and tested logged-out
- Dependencies verified — no hallucinated or vulnerable packages
- Code scan + live URL scan pass with no criticals