What security issues do Replit apps have?

Critical issues in Replit apps

• **Credentials in Public Repls**: API keys and passwords visible in public Repl source code. *(Observed: Common to find database passwords and API keys in publicly browsable Repls.)*
• **AI Agent Database Destruction**: Replit's AI agent can make unintended destructive database changes. *(Observed: The famous incident where Replit agent deleted a user's database.)*

High-severity issues

• **Secrets Not Using Replit Secrets**: Developers using .env files instead of the proper Secrets feature.
• **Fork Inheriting Secrets**: Forked Repls may carry over secrets from original.

Medium/low-severity issues

• **Shell History Exposure**: Commands with secrets visible in Repl shell history.

Why these are the issues specific to Replit

Replit apps ship with a recognizable stack (supabase, postgres, mongodb). The issue list above is what appears when you scan that specific combination. A Firebase-backed app would have a different top-5; a self-hosted Postgres deployment would have yet another. Context is everything.

What VAS checks in a Replit scan

• **Secret Exposure** — Scans for API keys, database URLs, and credentials that may have leaked into client-side code or public files.
• **Database Security** — Tests database connections for proper authentication and checks if data is properly protected.
• **Deployment Config** — Checks your deployment configuration for security headers, HTTPS enforcement, and proper settings.
• **Authentication** — Analyzes your auth implementation for weak passwords, session security, and common vulnerabilities.