What are Replit security best practices?

The best practices specific to Replit (not generic OWASP)

Every "security best practices" list tells you to use HTTPS and rotate keys. Those are table stakes. The list below is what actually matters for Replit apps, based on the risks that appear in real Replit deployments.

1. Use Replit Secrets feature

*Why:* API keys and passwords visible in public Repl source code. *Do this:* Use Replit Secrets feature. Make Repls private if they contain any credentials.

2. Review all AI agent actions

*Why:* Replit's AI agent can make unintended destructive database changes. *Do this:* Review all AI agent actions. Use database backups. Don't give agent DB write access.

3. Migrate all secrets to Replit Secrets tab immediately

*Why:* Developers using .env files instead of the proper Secrets feature. *Do this:* Migrate all secrets to Replit Secrets tab immediately.

4. Clear history

*Why:* Commands with secrets visible in Repl shell history. *Do this:* Clear history. Never type secrets in terminal commands.

5. Rotate all credentials when forking

*Why:* Forked Repls may carry over secrets from original. *Do this:* Rotate all credentials when forking. Verify Secrets are cleared.

Replit-specific: audit every table for RLS before every deploy

The failure mode in Replit + Supabase apps is always the same: a table gets added during a feature push, RLS never gets turned on, the full table becomes queryable via the anon key. Bake a pre-deploy check: `select tablename from pg_tables where schemaname = 'public' and not rowsecurity` — the result must be empty.

Verification

Even perfect best practices don't prove themselves — the only way to confirm the list above is implemented is to scan a deployed Replit app. VAS probes each of secret exposure, database security, deployment config, authentication by actually attempting the attack, not just reading headers or docs.