Replit Docs

Matt Palmer

Head of Developer Relations

This guide provides a comprehensive security checklist to ensure your vibe coded applications follow best security practices.

While Replit provides many security features out of the box, it’s important to understand and implement more security measures for your specific application needs.

Prerequisites

A Replit account
Basic understanding of your preferred programming language
Familiarity with the Replit Workspace
An application you’re building on Replit

Front-end security

Always validate and sanitize user input to prevent cross-site scripting (XSS) attacks:

// Bad: Direct use of user input
element.innerHTML = userInput;

// Good: Sanitize input before using
import { sanitize } from 'some-sanitizer-library';
element.innerHTML = sanitize(userInput);

You can ask Assistant:

Help me validate and sanitize inputs to protect against XSS attacks

You should use Replit Secrets to store sensitive information like API keys.

Be sure you don’t pass secrets to the client side or put them in the following places:

Local storage
Session storage
Client-side JavaScript
Cookies without proper security attributes

You can ask Assistant / Agent:

Help me keep sensitive data out of the browser. Am I doing this correctly?

Implement Cross-Site Request Forgery (CSRF) protection for forms:

// Example of CSRF token implementation
const csrfToken = generateToken();
session.csrfToken = csrfToken;

You can ask Agent / Assistant:

Help me implement CSRF tokens for forms

Back-end security

When implementing authentication:

Use Replit Auth when possible
If building custom auth, use established libraries
Never store plain text passwords

Ask Agent:

Help me implement authentication for my application with Replit Auth

Always verify permissions before performing actions:

// Example authorization check
if (!user.canAccess(resource)) {
  return res.status(403).send('Access denied');
}

Ask Agent:

Help me implement authorization checks for my application

Agent uses ORMs by default, which helps prevent SQL injection. If writing custom database queries:

// Bad: String concatenation in queries
db.query(`SELECT * FROM users WHERE username = '${username}'`);

// Good: Parameterized queries with ORM
db.query('SELECT * FROM users WHERE username = ?', [username]);

Add important security headers to your application:

<!-- In index.html or through your back-end -->
<meta http-equiv="X-Frame-Options" content="DENY">
<meta http-equiv="X-Content-Type-Options" content="nosniff">
<meta http-equiv="Content-Security-Policy" content="default-src 'self'">

You can scan your site at securityheaders.com for recommendations.

Ask Assistant:

Can you add the security headers to my application?

Ongoing security practices

Don’t expose sensitive information in error messages:

// Bad: Exposing sensitive details
catch (err) {
  res.status(500).send(`Database error: ${err.message}`);
}

// Good: Generic error message
catch (err) {
  console.error(err); // Log internally
  res.status(500).send('An error occurred');
}

Ask Agent:

Help me implement proper error handling for my application

When using cookies:

Set HttpOnly flag to prevent JavaScript access
Use Secure attribute to require HTTPS
Implement SameSite attribute to prevent CSRF

Ask Agent:

Help me secure my cookies for my application

If your application allows file uploads:

Restrict file types and sizes
Scan for malware if possible
Store files in Replit’s object storage
Generate new filenames rather than using user-provided ones

Ask Agent:

Help me secure my file uploads for my application

Implement rate limiting for API endpoints, especially authentication-related ones:

// Example rate limiting middleware
const rateLimit = require('express-rate-limit');

const limiter = rateLimit({
  windowMs: 15 * 60 * 1000, // 15 minutes
  max: 100 // limit each IP to 100 requests per windowMs
});

app.use('/api/', limiter);

Ask Agent:

Help me implement rate limiting for my application

Checklist

Here’s the above in a checklist to help you stay on top of your security practices.

Front-end security

	Security Measure	Description
☐	Use HTTPS everywhere	Prevents basic eavesdropping and man-in-the-middle attacks
☐	Input validation and sanitization	Prevents XSS attacks by validating all user inputs
☐	Don’t store sensitive data in the browser	No secrets in local storage or client-side code
☐	CSRF protection	Implement anti-CSRF tokens for forms and state-changing requests
☐	Never expose API keys in frontend	API credentials should always remain server-side

Back-end security

	Security Measure	Description
☐	Authentication fundamentals	Use established libraries, proper password storage (hashing+salting)
☐	Authorization checks	Always verify permissions before performing actions
☐	API endpoint protection	Implement proper authentication for every API endpoint
☐	SQL injection prevention	Use parameterized queries or ORMs, never raw SQL with user input
☐	Basic security headers	Implement X-Frame-Options, X-Content-Type-Options, and HSTS
☐	DDoS protection	Use a CDN or cloud service with built-in DDoS mitigation capabilities

Practical security habits

	Security Measure	Description
☐	Keep dependencies updated	Most vulnerabilities come from outdated libraries
☐	Proper error handling	Don’t expose sensitive details in error messages
☐	Secure cookies	Set HttpOnly, Secure and SameSite attributes
☐	File upload security	Validate file types, sizes, and scan for malicious content
☐	Rate limiting	Implement on all API endpoints, especially authentication-related ones

Agent & Assistant

Security

MCP

Deployments

Start from a template

Data storage

Security checklist for vibe coding

Matt Palmer

Prerequisites

Front-end security

Back-end security

Ongoing security practices

Checklist

Front-end security

Back-end security

Practical security habits

Agent & Assistant

Security

MCP

Deployments

Start from a template

Data storage

Matt Palmer

​Prerequisites

​Front-end security

​Back-end security

​Ongoing security practices

​Checklist

​Front-end security

​Back-end security

​Practical security habits

Prerequisites

Front-end security

Back-end security

Ongoing security practices

Checklist

Front-end security

Back-end security

Practical security habits