This guide provides a comprehensive security checklist to ensure your vibe coded applications follow best security practices. While Replit provides many security features out of the box, it's important to understand and implement more security measures for your specific application needs.

Prerequisites

  • A Replit account
  • Basic understanding of your preferred programming language
  • Familiarity with the Project Editor
  • An application you're building on Replit

Front-end security

Replit uses HTTPS by default for all applications. So you don't need to worry about it!
Always validate and sanitize user input to prevent cross-site scripting (XSS) attacks:
// Bad: Direct use of user input
element.innerHTML = userInput;

// Good: Sanitize input before using
import { sanitize } from 'some-sanitizer-library';
element.innerHTML = sanitize(userInput);
Switch to Lite mode and ask Agent:
Help me validate and sanitize inputs to protect against XSS attacks
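As an added example (not code from the original page), here are both halves of that advice in plain JavaScript with no library assumed: an allowlist validator for a username on the way in, and an HTML escaper for untrusted text on the way out, so a script-bearing comment is displayed as text instead of becoming markup.

```javascript
// Added example (not from the original page): validate input on the way in,
// escape it on the way out. Escaping is context-specific; this escaper covers
// HTML text and double-quoted attribute values only (not URLs, JS or CSS).
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Allowlist validation: accept only 3-20 word characters. Validation narrows
// the shape of the data; it is not a substitute for escaping at render time.
function validateUsername(username) {
  if (typeof username !== 'string' || !/^[A-Za-z0-9_]{3,20}$/.test(username)) {
    throw new Error('invalid username');
  }
  return username;
}

// Bad: the comment body is spliced into the markup unchanged, so any tags in
// it are parsed by the browser as HTML.
function renderCommentUnsafe(author, body) {
  return `<li><b>${author}</b>: ${body}</li>`;
}

// Good: every untrusted value is escaped for the HTML text context it lands in.
function renderComment(author, body) {
  return `<li><b>${escapeHtml(validateUsername(author))}</b>: ${escapeHtml(body)}</li>`;
}
```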
You should use Replit Secrets to store sensitive information like API keys. Be sure you don't pass secrets to the client side or put them in the following places:
  • Local storage
  • Session storage
  • Client-side JavaScript
  • Cookies without proper security attributes
Switch to Lite mode and ask Agent:
Help me keep sensitive data out of the browser. Am I doing this correctly?
Implement Cross-Site Request Forgery (CSRF) protection for forms:
// Example of CSRF token implementation
const crypto = require('crypto');
const csrfToken = crypto.randomBytes(32).toString('hex'); // unguessable, one per session
session.csrfToken = csrfToken; // kept server-side; embed it in each form as a hidden field and compare on submit
Switch to Lite mode and ask Agent:
Help me implement CSRF tokens for forms

Back-end security

When implementing authentication:
  • Use Replit Auth when possible
  • If building custom auth, use established libraries
  • Never store plain text passwords
Ask Agent:
Help me implement authentication for my application with Replit Auth
Always verify permissions before performing actions:
// Example authorization check
if (!user.canAccess(resource)) {
  return res.status(403).send('Access denied');
}
Ask Agent:
Help me implement authorization checks for my application
Secure your API endpoints:
  • Add authentication to sensitive endpoints
  • Implement proper CORS settings
  • Consider rate limiting
Switch to Lite mode and ask Agent:
How do I properly authenticate endpoints in my app?
Agent uses ORMs by default, which helps prevent SQL injection. If writing custom database queries:
// Bad: String concatenation in queries
db.query(`SELECT * FROM users WHERE username = '${username}'`);

// Good: Parameterized query (the driver binds the value separately from the SQL text)
db.query('SELECT * FROM users WHERE username = ?', [username]);
Add important security headers to your application:
<!-- In index.html or through your back-end -->
<!-- Note: browsers ignore X-Frame-Options in a meta tag, so send it (and the CSP frame-ancestors directive) as HTTP response headers from the back-end -->
<meta http-equiv="X-Frame-Options" content="DENY">
<meta http-equiv="X-Content-Type-Options" content="nosniff">
<meta http-equiv="Content-Security-Policy" content="default-src 'self'">
You can scan your site at securityheaders.com for recommendations.
Switch to Lite mode and ask Agent:
Can you add the security headers to my application?
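As an added example (not code from the original page), here is the back-end version of those headers as Express-style middleware, plus a small local audit in the spirit of the securityheaders.com check that flags missing or weakened headers. Browsers ignore X-Frame-Options delivered in a meta tag and CSP ignores frame-ancestors in a meta tag, so response headers are the reliable place for all of them; the header names and values used here are standard, and the Express-style `res.setHeader` is an assumption.

```javascript
// Added example (not from the original page): set security headers on every
// response from the server. Assumes Express-style res.setHeader(name, value).
const SECURITY_HEADERS = {
  'X-Frame-Options': 'DENY',
  'X-Content-Type-Options': 'nosniff',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
  // frame-ancestors 'none' is the CSP equivalent of X-Frame-Options: DENY;
  // tighten default-src into explicit directives as your app needs them.
  'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'; object-src 'none'",
  // HSTS is only meaningful over HTTPS, which Replit provides by default.
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
};

function securityHeaders(req, res, next) {
  for (const [name, value] of Object.entries(SECURITY_HEADERS)) {
    res.setHeader(name, value);
  }
  next();
}

// Local stand-in for a securityheaders.com style check: returns findings for
// headers that are missing or set to weak values. Header names are matched
// case-insensitively, as HTTP requires.
const REQUIRED = ['X-Frame-Options', 'X-Content-Type-Options',
  'Content-Security-Policy', 'Strict-Transport-Security'];

function auditHeaders(headers) {
  const lower = {};
  for (const [k, v] of Object.entries(headers)) lower[k.toLowerCase()] = v;
  const findings = [];
  for (const name of REQUIRED) {
    if (lower[name.toLowerCase()] === undefined) findings.push(`${name}: missing`);
  }
  const csp = lower['content-security-policy'] || '';
  if (/unsafe-inline|\*/.test(csp)) {
    findings.push("Content-Security-Policy: allows 'unsafe-inline' or wildcard sources");
  }
  const hsts = lower['strict-transport-security'] || '';
  const m = /max-age=(\d+)/.exec(hsts);
  if (hsts && (!m || Number(m[1]) < 31536000)) {
    findings.push('Strict-Transport-Security: max-age below one year');
  }
  return findings;
}
```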

Ongoing security practices

Regularly check for outdated packages that might have vulnerabilities:
npm audit
Don't expose sensitive information in error messages:
// Bad: Exposing sensitive details
catch (err) {
  res.status(500).send(`Database error: ${err.message}`);
}

// Good: Generic error message
catch (err) {
  console.error(err); // Log internally
  res.status(500).send('An error occurred');
}
Ask Agent:
Help me implement proper error handling for my application
When using cookies:
  • Set HttpOnly flag to prevent JavaScript access
  • Use Secure attribute to require HTTPS
  • Implement SameSite attribute to prevent CSRF
Ask Agent:
Help me secure my cookies for my application
If your application allows file uploads:
  • Restrict file types and sizes
  • Scan for malware if possible
  • Store files in Replit's object storage
  • Generate new filenames rather than using user-provided ones
Ask Agent:
Help me secure my file uploads for my application
Implement rate limiting for API endpoints, especially authentication-related ones:
// Example rate limiting middleware
const rateLimit = require('express-rate-limit');

const limiter = rateLimit({
  windowMs: 15 * 60 * 1000, // 15 minutes
  max: 100 // limit each IP to 100 requests per windowMs
});

app.use('/api/', limiter);
Ask Agent:
Help me implement rate limiting for my application
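To show what a limiter like the one above does under the hood, and why authentication routes get a tighter budget than the rest of the API, here is an added example (not code from the original page or from express-rate-limit): a fixed-window limiter with standard RateLimit and Retry-After headers, keyed per IP for the API and per IP plus submitted username for login. It is single-process and in-memory, assumes Express-style req/res, and takes an injectable clock (`now`) so it can be tested deterministically.

```javascript
// Added example (not from the original page): minimal fixed-window rate limiter.
// In-memory and single-process; use a shared store if the app runs on several
// instances. Assumes Express-style req/res (req.ip, res.setHeader, res.status).
function createRateLimiter({ windowMs, max, keyFor = (req) => req.ip, now = Date.now }) {
  const buckets = new Map(); // key -> { count, resetAt }

  // Count one request against the key's current window; start a new window
  // when the old one has expired.
  function check(key) {
    const t = now();
    let b = buckets.get(key);
    if (!b || t >= b.resetAt) {
      b = { count: 0, resetAt: t + windowMs };
      buckets.set(key, b);
    }
    b.count += 1;
    return { allowed: b.count <= max, remaining: Math.max(0, max - b.count), resetAt: b.resetAt };
  }

  function middleware(req, res, next) {
    const result = check(keyFor(req));
    res.setHeader('RateLimit-Limit', String(max));
    res.setHeader('RateLimit-Remaining', String(result.remaining));
    if (!result.allowed) {
      res.setHeader('Retry-After', String(Math.ceil((result.resetAt - now()) / 1000)));
      return res.status(429).send('Too many requests');
    }
    return next();
  }

  return { check, middleware };
}

// General API budget: the page's 100 requests per 15 minutes per IP.
const apiLimiter = createRateLimiter({ windowMs: 15 * 60 * 1000, max: 100 });

// Login: a much smaller budget, keyed by IP plus the submitted username, so a
// single address cannot keep retrying one account while staying under the
// looser per-IP API budget.
const loginLimiter = createRateLimiter({
  windowMs: 15 * 60 * 1000,
  max: 5,
  keyFor: (req) => `${req.ip}:${(req.body && req.body.username) || ''}`,
});

// Wiring (assumed Express app): app.use('/api/', apiLimiter.middleware);
//                               app.post('/api/login', loginLimiter.middleware, loginHandler);
```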

Checklist

Here's the above in a checklist to help you stay on top of your security practices.

Front-end security

  ☐ Use HTTPS everywhere: Prevents basic eavesdropping and man-in-the-middle attacks
  ☐ Input validation and sanitization: Prevents XSS attacks by validating all user inputs
  ☐ Don't store sensitive data in the browser: No secrets in local storage or client-side code
  ☐ CSRF protection: Implement anti-CSRF tokens for forms and state-changing requests
  ☐ Never expose API keys in frontend: API credentials should always remain server-side

Back-end security

  ☐ Authentication fundamentals: Use established libraries, proper password storage (hashing+salting)
  ☐ Authorization checks: Always verify permissions before performing actions
  ☐ API endpoint protection: Implement proper authentication for every API endpoint
  ☐ SQL injection prevention: Use parameterized queries or ORMs, never raw SQL with user input
  ☐ Basic security headers: Implement X-Frame-Options, X-Content-Type-Options, and HSTS
  ☐ DDoS protection: Use a CDN or cloud service with built-in DDoS mitigation capabilities

Practical security habits

  ☐ Keep dependencies updated: Most vulnerabilities come from outdated libraries
  ☐ Proper error handling: Don't expose sensitive details in error messages
  ☐ Secure cookies: Set HttpOnly, Secure and SameSite attributes
  ☐ File upload security: Validate file types, sizes, and scan for malicious content
  ☐ Rate limiting: Implement on all API endpoints, especially authentication-related ones