Is Replit safe for production?

Production readiness checklist for Replit

Not a generic checklist — this is what fails in Replit apps specifically and therefore what production readiness actually requires:

1. **Secret Exposure** — Scans for API keys, database URLs, and credentials that may have leaked into client-side code or public files.

2. **Database Security** — Tests database connections for proper authentication and checks if data is properly protected.

3. **Deployment Config** — Checks your deployment configuration for security headers, HTTPS enforcement, and proper settings.

4. **Authentication** — Analyzes your auth implementation for weak passwords, session security, and common vulnerabilities.

5. **RLS on every table** — Run `select tablename, rowsecurity from pg_tables where schemaname='public'` — any row with `rowsecurity=false` is a production blocker.

Production blockers (must be resolved before launch)

• Credentials in Public Repls — Use Replit Secrets feature. Make Repls private if they contain any credentials.
• AI Agent Database Destruction — Review all AI agent actions. Use database backups. Don't give agent DB write access.

Each item here has been observed to cause data exposure in Replit apps. Shipping to real users without closing these is not a risk calculation — it's a breach waiting.

Go/no-go signal

Run a VAS scan. Zero critical + zero high findings = go. Any critical = absolute no-go. Any high = case-by-case depending on what data the app touches (a portfolio site ≠ a fintech app). This is a more reliable signal than "does it feel ready?" because feelings don't account for credentials in public repls.