
Matt Palmer
Head of Developer Relations
Prerequisites
- A Replit account
- Basic understanding of your preferred programming language
- Familiarity with the Replit Workspace
- An application you’re building on Replit
Front-end security
HTTPS everywhere
Replit serves all applications over HTTPS by default, so there is nothing you need to configure for this one.
Input validation and sanitization
Always validate and sanitize user input to prevent cross-site scripting (XSS) attacks:
You can ask Assistant:
Keep sensitive data out of the browser
You should use Replit Secrets to store sensitive information like API keys. Be sure you don’t pass secrets to the client side or put them in the following places:
- Local storage
- Session storage
- Client-side JavaScript
- Cookies without proper security attributes
CSRF protection
Implement Cross-Site Request Forgery (CSRF) protection for forms:
You can ask Agent / Assistant:
Back-end security
Authentication fundamentals
When implementing authentication:
- Use Replit Auth when possible
- If building custom auth, use established libraries
- Never store plain text passwords
Authorization checks
API endpoint protection
Secure your API endpoints:
- Add authentication to sensitive endpoints
- Implement proper CORS settings
- Consider rate limiting
SQL injection prevention
Agent uses ORMs by default, which helps prevent SQL injection. If writing custom database queries:
Security headers
Add important security headers to your application:
You can scan your site at securityheaders.com for recommendations.
Ask Assistant:
Ongoing security practices
Keep dependencies updated
Regularly check for outdated packages that might have vulnerabilities:
Proper error handling
Don’t expose sensitive information in error messages:
Ask Agent:
Secure cookies
File upload security
If your application allows file uploads:
- Restrict file types and sizes
- Scan for malware if possible
- Store files in Replit’s object storage
- Generate new filenames rather than using user-provided ones
Rate limiting
Implement rate limiting for API endpoints, especially authentication-related ones:
Ask Agent:
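As an added example that is not part of this page or of Replit's own tooling, here is a per-client sliding-window rate limiter for Node.js with a much tighter budget on authentication routes; the limits, the route name patterns and the Express-style `req.ip` / `req.path` shape are assumptions made for illustration.

```javascript
// Added example, not from the Replit docs: sliding-window rate limiter with
// a stricter budget for authentication routes. Limits, route patterns and
// the Express-style req/res shape are assumptions for illustration.
const POLICIES = {
  auth: { limit: 5,   windowMs: 60_000 }, // login/signup/reset: brute-force target
  api:  { limit: 100, windowMs: 60_000 }, // everything else
};

// Classify a request path; the auth route names are assumed.
function routeClass(path) {
  return /^\/(login|signup|reset-password|auth)(\/|$)/.test(path) ? 'auth' : 'api';
}

class SlidingWindowLimiter {
  // `now` is injectable so the limiter can be tested without real time.
  constructor(now = () => Date.now()) {
    this.now = now;
    this.hits = new Map(); // "class:clientKey" -> timestamps (ms) within window
  }

  // Returns { allowed, remaining, retryAfterMs }. Rejected requests are not
  // recorded, so a blocked client cannot keep extending its own lockout.
  check(clientKey, path) {
    const cls = routeClass(path);
    const { limit, windowMs } = POLICIES[cls];
    const key = `${cls}:${clientKey}`;
    const t = this.now();
    const recent = (this.hits.get(key) || []).filter(ts => t - ts < windowMs);
    this.hits.set(key, recent); // prune expired timestamps
    if (recent.length >= limit) {
      return { allowed: false, remaining: 0, retryAfterMs: recent[0] + windowMs - t };
    }
    recent.push(t);
    return { allowed: true, remaining: limit - recent.length, retryAfterMs: 0 };
  }
}

// Express-style middleware. Behind a reverse proxy, req.ip must be derived from
// a trusted forwarded-for header, otherwise every client shares the proxy's key.
function rateLimit(limiter) {
  return (req, res, next) => {
    const r = limiter.check(req.ip, req.path);
    if (r.allowed) return next();
    res.statusCode = 429;
    res.setHeader('Retry-After', String(Math.ceil(r.retryAfterMs / 1000)));
    res.end('Too Many Requests');
  };
}
```

Mount it with `app.use(rateLimit(new SlidingWindowLimiter()))` ahead of your routes; successful requests still count, so a legitimate user who mistypes a password five times in a minute is held off for the remainder of that window.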
Checklist
Here’s the above in a checklist to help you stay on top of your security practices.
Front-end security
| | Security Measure | Description |
|---|---|---|
| ☐ | Use HTTPS everywhere | Prevents basic eavesdropping and man-in-the-middle attacks |
| ☐ | Input validation and sanitization | Prevents XSS attacks by validating all user inputs |
| ☐ | Don’t store sensitive data in the browser | No secrets in local storage or client-side code |
| ☐ | CSRF protection | Implement anti-CSRF tokens for forms and state-changing requests |
| ☐ | Never expose API keys in frontend | API credentials should always remain server-side |
Back-end security
| | Security Measure | Description |
|---|---|---|
| ☐ | Authentication fundamentals | Use established libraries, proper password storage (hashing+salting) |
| ☐ | Authorization checks | Always verify permissions before performing actions |
| ☐ | API endpoint protection | Implement proper authentication for every API endpoint |
| ☐ | SQL injection prevention | Use parameterized queries or ORMs, never raw SQL with user input |
| ☐ | Basic security headers | Implement X-Frame-Options, X-Content-Type-Options, and HSTS |
| ☐ | DDoS protection | Use a CDN or cloud service with built-in DDoS mitigation capabilities |
Practical security habits
| | Security Measure | Description |
|---|---|---|
| ☐ | Keep dependencies updated | Most vulnerabilities come from outdated libraries |
| ☐ | Proper error handling | Don’t expose sensitive details in error messages |
| ☐ | Secure cookies | Set HttpOnly, Secure and SameSite attributes |
| ☐ | File upload security | Validate file types, sizes, and scan for malicious content |
| ☐ | Rate limiting | Implement on all API endpoints, especially authentication-related ones |