Built with Replit?
Security scanning for Replit apps
Replit lets you build and deploy from your browser, but deployed Repls often leak secrets in client code and miss critical HTTPS configurations.
Free scan. No account required.
Common issues
Top vulnerabilities in Replit apps
These are the three most common security issues we find when scanning Replit projects.
Secrets and API keys accidentally included in client-side JavaScript
Missing HSTS headers leaving your app vulnerable to downgrade attacks
CORS misconfiguration allowing unauthorized cross-origin requests
How it works
60-second security audit
01 Paste your URL
Enter your Replit app URL. We handle the rest.
02 Get your score
10 security modules run in parallel against your live site.
03 Fix with AI prompts
Copy the fix prompts into your AI tool and ship secure.
10 security modules, one scan
Every scan checks security headers, SSL/TLS, exposed files, JavaScript secrets, Supabase & Firebase configs, CORS, cookies, email security, and tech detection.
Fix guides for Replit
Common Replit security fixes
Hardcoded API key in JS
Any secret in your client bundle is public. Here is how to find them, rotate them, and move the calls server-side.
Missing HSTS header
HSTS tells browsers to always use HTTPS for your site. Without it, users can be downgraded to HTTP and have sessions stolen. Here is how to add HSTS on Vercel, Next.js, and other hosts.
CORS allows all origins
An `Access-Control-Allow-Origin: *` policy lets any site call your API. Sometimes that is fine, often it is a mistake. Here is how to decide and fix it.
Missing CSP header
A missing Content-Security-Policy header lets attackers inject scripts into your site. Here is what CSP does, why you need it, and how to add it in Next.js, Vercel, and Supabase apps.
Exposed .env file
An exposed .env file is a critical leak — it contains API keys, database URLs, and secrets. Here is why it happens in vibe-coded apps and how to lock it down.
FAQ
Replit security FAQ
- How do I use Replit's Secrets feature correctly?
- Replit Secrets are server-side env vars. Never `console.log` them from client code or assign them to frontend variables with a `PUBLIC_` prefix — that defeats the purpose.
Scan your Replit app now
Find security issues before your users do. It takes 60 seconds and your first scan is free.