> ## Documentation Index
> Fetch the complete documentation index at: https://docs.replit.com/llms.txt
> Use this file to discover all available pages before exploring further.
# Security checklist for vibe coding
> Follow this comprehensive security checklist to ensure your vibe coded applications follow best security practices.
This guide provides a comprehensive security checklist to ensure your vibe coded applications follow best security practices.
While Replit provides many security features [out of the box](/tutorials/vibe-code-securely), it's important to understand and implement more security measures for your specific application needs.
## Prerequisites
* A Replit account
* Basic understanding of your preferred programming language
* Familiarity with the Project Editor
* An application you're building on Replit
## Front-end security
Replit uses HTTPS by default for all applications. So you don't need to worry about it!
Always validate and sanitize user input to prevent cross-site scripting (XSS) attacks:
```javascript theme={null}
// Bad: Direct use of user input
element.innerHTML = userInput;
// Good: Sanitize input before using
import { sanitize } from 'some-sanitizer-library';
element.innerHTML = sanitize(userInput);
```
Switch to [Lite mode](/core-concepts/agent/agent-modes) and ask Agent:
```
Help me validate and sanitize inputs to protect against XSS attacks
```
You should use Replit Secrets to store sensitive information like API keys.
Be sure you don't pass secrets to the client side or put them in the following places:
* Local storage
* Session storage
* Client-side JavaScript
* Cookies without proper security attributes
Switch to [Lite mode](/core-concepts/agent/agent-modes) and ask Agent:
```
Help me keep sensitive data out of the browser. Am I doing this correctly?
```
Implement Cross-Site Request Forgery (CSRF) protection for forms:
```javascript theme={null}
// Example of CSRF token implementation
const csrfToken = generateToken();
session.csrfToken = csrfToken;
```
Switch to [Lite mode](/core-concepts/agent/agent-modes) and ask Agent:
```
Help me implement CSRF tokens for forms
```
## Back-end security
When implementing authentication:
* Use Replit Auth when possible
* If building custom auth, use established libraries
* Never store plain text passwords
Ask Agent:
```
Help me implement authentication for my application with Replit Auth
```
Always verify permissions before performing actions:
```javascript theme={null}
// Example authorization check
if (!user.canAccess(resource)) {
return res.status(403).send('Access denied');
}
```
Ask Agent:
```
Help me implement authorization checks for my application
```
Secure your API endpoints:
* Add authentication to sensitive endpoints
* Implement proper CORS settings
* Consider rate limiting
Switch to [Lite mode](/core-concepts/agent/agent-modes) and ask Agent:
```
How do I properly authenticate endpoints in my app?
```
Agent uses ORMs by default, which helps prevent SQL injection. If writing custom database queries:
```javascript theme={null}
// Bad: String concatenation in queries
db.query(`SELECT * FROM users WHERE username = '${username}'`);
// Good: Parameterized queries with ORM
db.query('SELECT * FROM users WHERE username = ?', [username]);
```
Add important security headers to your application:
```html theme={null}
```
You can scan your site at [securityheaders.com](https://securityheaders.com) for recommendations.
Switch to [Lite mode](/core-concepts/agent/agent-modes) and ask Agent:
```
Can you add the security headers to my application?
```
## Ongoing security practices
Regularly check for outdated packages that might have vulnerabilities:
```bash theme={null}
npm audit
```
Don't expose sensitive information in error messages:
```javascript theme={null}
// Bad: Exposing sensitive details
catch (err) {
res.status(500).send(`Database error: ${err.message}`);
}
// Good: Generic error message
catch (err) {
console.error(err); // Log internally
res.status(500).send('An error occurred');
}
```
Ask Agent:
```
Help me implement proper error handling for my application
```
When using cookies:
* Set HttpOnly flag to prevent JavaScript access
* Use Secure attribute to require HTTPS
* Implement SameSite attribute to prevent CSRF
Ask Agent:
```
Help me secure my cookies for my application
```
If your application allows file uploads:
* Restrict file types and sizes
* Scan for malware if possible
* Store files in Replit's object storage
* Generate new filenames rather than using user-provided ones
Ask Agent:
```
Help me secure my file uploads for my application
```
Implement rate limiting for API endpoints, especially authentication-related ones:
```javascript theme={null}
// Example rate limiting middleware
const rateLimit = require('express-rate-limit');
const limiter = rateLimit({
windowMs: 15 * 60 * 1000, // 15 minutes
max: 100 // limit each IP to 100 requests per windowMs
});
app.use('/api/', limiter);
```
Ask Agent:
```
Help me implement rate limiting for my application
```
## Checklist
Here's the above in a checklist to help you stay on top of your security practices.
## Front-end security
| | Security Measure | Description |
| - | ----------------------------------------- | ---------------------------------------------------------------- |
| ☐ | Use HTTPS everywhere | Prevents basic eavesdropping and man-in-the-middle attacks |
| ☐ | Input validation and sanitization | Prevents XSS attacks by validating all user inputs |
| ☐ | Don't store sensitive data in the browser | No secrets in local storage or client-side code |
| ☐ | CSRF protection | Implement anti-CSRF tokens for forms and state-changing requests |
| ☐ | Never expose API keys in frontend | API credentials should always remain server-side |
## Back-end security
| | Security Measure | Description |
| - | --------------------------- | --------------------------------------------------------------------- |
| ☐ | Authentication fundamentals | Use established libraries, proper password storage (hashing+salting) |
| ☐ | Authorization checks | Always verify permissions before performing actions |
| ☐ | API endpoint protection | Implement proper authentication for every API endpoint |
| ☐ | SQL injection prevention | Use parameterized queries or ORMs, never raw SQL with user input |
| ☐ | Basic security headers | Implement X-Frame-Options, X-Content-Type-Options, and HSTS |
| ☐ | DDoS protection | Use a CDN or cloud service with built-in DDoS mitigation capabilities |
## Practical security habits
| | Security Measure | Description |
| - | ------------------------- | ---------------------------------------------------------------------- |
| ☐ | Keep dependencies updated | Most vulnerabilities come from outdated libraries |
| ☐ | Proper error handling | Don't expose sensitive details in error messages |
| ☐ | Secure cookies | Set HttpOnly, Secure and SameSite attributes |
| ☐ | File upload security | Validate file types, sizes, and scan for malicious content |
| ☐ | Rate limiting | Implement on all API endpoints, especially authentication-related ones |