Security scanner

Security Scanner for Replit Apps

Replit apps have a unique threat model — your source code may be publicly visible, secrets can end up in version history, and SSL configuration is often overlooked. VibeScan scans your live Replit app and flags what is exposed before attackers find it.

https://

✓ Free  ·  ✓ No login required  ·  ✓ Results in under 60 seconds

89%
of Replit apps have at least one critical issue
< 60s
to get your full report
5 checks
run automatically on every scan
Free
no credit card, no account
Common vulnerabilities

The security issues we find in most Replit apps

Replit is built for speed and collaboration — which means your source code and environment can be more exposed than you realize. From public repls to hardcoded secrets, Replit apps have unique security challenges that VibeScan helps you catch.

Public repl exposing your full source code
Replit repls are public by default. If you have not explicitly made your repl private, anyone can visit your repl URL and read every line of your code — including API keys, database queries, and business logic. This is one of the most common sources of credential exposure for Replit apps.
Secrets stored in .env files committed to the repl
Replit provides a Secrets panel for environment variables, but developers often start with a .env file that gets committed to the repl. If the repl is public, that .env file is visible to anyone. Even if you switch to Secrets later, the history may still contain the values.
Missing HTTPS on custom domains
Replit apps on the default replit.app domain use HTTPS automatically. But when you point a custom domain, SSL configuration is your responsibility. Without HTTPS, all data between your app and your users — including passwords and payment information — is transmitted in plaintext.
SQLite or file-based databases accessible via known paths
Some Replit apps use file-based databases (SQLite, JSON files) stored in the repl directory. If the file path is guessable and the repl is public, the entire database may be downloadable. This is particularly common in apps built with Express and a local database.
process.env values referenced in client-side code
Replit apps sometimes bundle server-side environment variables into client code — especially when using frameworks that run on both client and server. Any environment variable that reaches the browser is visible to your users.
No authentication on Replit deployment endpoints
Replit apps deployed as web servers often have API routes without authentication. If the app stores user data, sends emails, or processes any kind of sensitive operation, unauthenticated endpoints can be called by anyone who finds the URL.
What VibeScan checks

Every scan runs 8 automated checks

VibeScan looks at everything publicly visible in your Replit app — the same things an attacker would look at on day one.

  • HTTPS enforcement — detects HTTP deployment on custom domains
  • Security headers — checks X-Frame-Options, CSP, HSTS, X-Content-Type-Options
  • Exposed secrets — scans page source for API keys, tokens, database strings
  • CORS configuration — flags wildcard origin policies
  • Robots.txt — identifies sensitive paths exposed to crawlers
  • JWT and Bearer token detection in client-side JavaScript
  • Supabase and database credential exposure
  • Mixed content check — HTTP resources on HTTPS pages
Scan your Replit app now

Paste your app URL and get a full security report in under 60 seconds. Free, no signup.

https://
FAQ

Common questions about Replit security

How do I make my Replit app private so the source code is not visible?
In Replit, go to your repl → click the padlock icon next to the repl name → set visibility to Private. Note that this requires a Replit Core subscription. Alternatively, move to a different deployment platform if you need the repl itself to remain public for collaboration.
Should I use Replit Secrets or a .env file for my API keys?
Always use Replit Secrets (the padlock icon in the sidebar). Secrets are never visible in the repl files and are encrypted at rest. A .env file is just a regular file — if your repl is public, it is public too.
How do I add HTTPS to my Replit app with a custom domain?
Replit handles HTTPS automatically for custom domains when you connect them through the Deployments settings. Make sure you are using Replit Deployments (not the old "Always On" feature) and that your DNS is pointing to Replit's servers correctly.
Can VibeScan see my Replit source code?
No. VibeScan only scans what is publicly visible in your deployed app — the HTTP response headers, the rendered HTML, and the page source loaded by a browser. It does not access your repl directly or read your files.
My Replit app has real users and payments. What should I do first?
Immediately: (1) make your repl private, (2) move all secrets to Replit Secrets, (3) verify HTTPS is working on your custom domain, (4) run a VibeScan scan to catch anything else. If you have a Stripe integration, check that the secret key is not in any client-side code.

Is your Replit app secure?

Paste your URL. Get a full security report in under 60 seconds — free, no login required.

Scan my Replit app free →