Replit deployment pre-launch security checklist
Replit shines for prototypes — and many prototypes ship to production unchanged. If your Repl is in a public workspace, your source code (and any committed secrets) are public too. Walk this list before you tweet the URL.
10 checks
Tick through each one
Click any item to open the detailed fix guide. The detector tag shows which scanner module marks the item pass or fail when you run a SafeToShip scan.
Repl workspace set to Private
Severity: Critical
Public Repls expose full source code at /repls/$repl-name.
Detector: tech-detect
All secrets in the Secrets tab, never hardcoded
Severity: Critical
Detector: js-secrets
.env not committed and not deployed
Severity: Critical
Detector: exposed-files
CSP set via your framework
Severity: High
Detector: headers
HSTS set on the Replit Deployment
Severity: High
Detector: headers
Cookies Secure + HttpOnly + SameSite
Severity: High
Detector: cookies
CORS not wildcard for credentialed routes
Severity: Critical
Detector: cors
Auth verified server-side, not just client gating
Severity: High
Detector: tech-detect
Rate limiting on hot endpoints
Severity: Medium
Detector: rate-limit
Valid TLS on the Deployment URL
Severity: High
Detector: ssl
Paste this into Replit
One prompt that runs the entire checklist as a code review pass.
Audit my Replit Deployment: confirm the Repl workspace is private (public Repls expose source code), move every secret to the Secrets tab and reference via process.env, prevent .env from being committed, set CSP and HSTS via your framework, set Secure+HttpOnly+SameSite on session cookies, replace wildcard CORS with explicit origins on credentialed routes, confirm auth is verified server-side on every protected handler, add rate limiting on hot endpoints, and verify the TLS certificate.
FAQ
Frequently asked questions
- Are private Replit workspaces actually private?
- Yes — only your account (and invited collaborators) can view the source. The deployed app remains publicly accessible at its URL but the source code is no longer scrapeable.
- Where do I add CSP headers in a Replit deployment?
- In your framework code: Express → res.setHeader; Next.js → next.config.js headers or middleware; FastAPI → Starlette middleware. Replit itself does not inject security headers automatically.
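As an added example (not SafeToShip's or Replit's code), here are the CSP/HSTS, cookie, CORS and rate-limit items from the list above as plain Node helpers an Express handler can call; the allowlisted deployment origin is an assumed placeholder, and Express itself is assumed but not needed to run the file.

```javascript
// Added example, not SafeToShip's or Replit's code. The allowlisted origin below
// is an assumed placeholder for your own Deployment URL.
const ALLOWED_ORIGINS = new Set(['https://my-app.example-user.replit.app']);

// Replit does not inject CSP or HSTS; the app has to send them itself.
function securityHeaders() {
  return {
    'Content-Security-Policy': "default-src 'self'; object-src 'none'; base-uri 'self'",
    'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
  };
}

// Session cookie carrying all three flags from the checklist.
function sessionCookie(name, value) {
  return `${name}=${encodeURIComponent(value)}; Secure; HttpOnly; SameSite=Strict; Path=/`;
}

// Credentialed CORS: echo the origin only when it is allowlisted, never '*'.
function corsHeadersFor(origin) {
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    Vary: 'Origin',
  };
}

// Fixed-window limiter keyed by client id (e.g. IP); `now` is injectable for tests.
function makeRateLimiter(limit, windowMs) {
  const buckets = new Map();
  return {
    allow(key, now = Date.now()) {
      const b = buckets.get(key);
      if (!b || now - b.start >= windowMs) {
        buckets.set(key, { start: now, count: 1 });
        return true;
      }
      b.count += 1;
      return b.count <= limit;
    },
  };
}

// Express-style middleware: applies the header set to every response.
function securityMiddleware(req, res, next) {
  const headers = { ...securityHeaders(), ...corsHeadersFor(req.headers.origin) };
  for (const [k, v] of Object.entries(headers)) res.setHeader(k, v);
  next();
}
```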
Per-issue depth
Fix guides for this checklist
Hardcoded API key in JS
Any secret in your client bundle is public. Here is how to find them, rotate them, and move the calls server-side.
Exposed .env file
An exposed .env file is a critical leak — it contains API keys, database URLs, and secrets. Here is why it happens in vibe-coded apps and how to lock it down.
Missing CSP header
A missing Content-Security-Policy header lets attackers inject scripts into your site. Here is what CSP does, why you need it, and how to add it in Next.js, Vercel, and Supabase apps.
Run the scan to confirm each check
60 seconds. Free. No account required.