FinishKit / AI Coding Tools
Cloud IDE · Core · freemium

Replit

Cloud IDE with Agent that builds and deploys apps.

Replit Agent ships full apps end to end from prompts, hosted on Replit infrastructure. Strong mobile and educational usage.

Visit Replit

What to check before shipping

Replit is good at getting a working demo fast. These are the production checks it typically skips.

Auth Check Only in Client Code

The auth gate runs only in a client component (a useEffect redirect or a conditional render). Nothing enforces it on the server, so an attacker bypasses it by disabling JavaScript or by calling the API route directly.

IDOR Vulnerability on REST Endpoint

A REST endpoint returns resources by id without verifying the caller owns that resource. Any authenticated user can access any other user's data by changing the id in the URL.

Missing Row Level Security on Supabase Table

A public Supabase table has RLS disabled or has an overly permissive policy, meaning any authenticated user can read or modify every row regardless of ownership.

Secret API Key Exposed in Client Bundle

A sensitive credential (Stripe secret, OpenAI API key, Supabase service role key) is prefixed with NEXT_PUBLIC_, causing it to be inlined into the browser JavaScript bundle where anyone can read it.
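As an added example (not FinishKit's or Replit's code), a small Node.js check for the last item: it parses a dotenv file and flags every NEXT_PUBLIC_ variable whose name or value looks like a server-side credential. The key prefixes and the service_role claim are the publicly documented formats; the sample .env and its placeholder values are constructed here.

```javascript
// Added example: find NEXT_PUBLIC_ variables that look like secrets. Next.js inlines
// every NEXT_PUBLIC_* value into the browser bundle at build time, so none may be a secret.
const SECRET_NAME_HINTS = ['SECRET', 'SERVICE_ROLE', 'PRIVATE', 'PASSWORD', 'TOKEN'];
// Publicly documented key prefixes; a match means "looks like", not proof.
const SECRET_VALUE_PATTERNS = [{ reason: 'Stripe secret key', re: /^sk_(live|test)_/ }, { reason: 'OpenAI API key', re: /^sk-/ }];

// Parse dotenv text into [name, value] pairs; skips blanks/comments, strips quotes.
function parseDotenv(text) {
  const pairs = [];
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || !line.includes('=')) continue;
    const eq = line.indexOf('=');
    const name = line.slice(0, eq).trim().replace(/^export\s+/, '');
    const value = line.slice(eq + 1).trim().replace(/^(["'])(.*)\1$/, '$2');
    pairs.push([name, value]);
  }
  return pairs;
}

// Read the `role` claim of a JWT payload (Supabase service-role keys carry "service_role").
// No signature check: we are classifying our own config, not authenticating a caller.
function jwtRole(value) {
  const parts = value.split('.');
  if (parts.length !== 3) return null;
  try {
    return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8')).role ?? null;
  } catch { return null; }
}

// Returns [{ name, reasons }] for every NEXT_PUBLIC_ variable that looks sensitive.
function findExposedSecrets(envText) {
  const findings = [];
  for (const [name, value] of parseDotenv(envText)) {
    if (!name.startsWith('NEXT_PUBLIC_')) continue;
    const reasons = SECRET_NAME_HINTS.filter((h) => name.includes(h)).map((h) => `name contains ${h}`);
    for (const p of SECRET_VALUE_PATTERNS) if (p.re.test(value)) reasons.push(`value looks like a ${p.reason}`);
    if (jwtRole(value) === 'service_role') reasons.push('value is a Supabase service_role JWT');
    if (reasons.length) findings.push({ name, reasons });
  }
  return findings;
}

// Constructed sample .env (placeholders, not real credentials). The anon key is public
// by design and must not be flagged; a server-only STRIPE_SECRET_KEY would be ignored.
const FAKE_SERVICE_ROLE_JWT = 'header.' + Buffer.from('{"role":"service_role"}').toString('base64url') + '.sig';
const SAMPLE_ENV = [
  'NEXT_PUBLIC_SUPABASE_URL=https://example.supabase.co',
  'NEXT_PUBLIC_SUPABASE_ANON_KEY=anon-placeholder',
  'NEXT_PUBLIC_STRIPE_KEY="sk_test_placeholder"',
  'NEXT_PUBLIC_SUPABASE_SERVICE_ROLE_KEY=' + FAKE_SERVICE_ROLE_JWT,
].join('\n');
console.log(findExposedSecrets(SAMPLE_ENV));
```

Run it against the project's real .env files in CI; any finding means the value must lose its NEXT_PUBLIC_ prefix and move behind a server route.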

For a deeper dive on production readiness specific to Replit, see the Replit vibe coding guide.

Audit your Replit app

Connect your repo and get a Finish Plan tailored to Replit output.

Start scan