replit-security-basics

# Replit Security Basics ## Overview Security best practices for Replit: Secrets (AES-256 encrypted env vars), REPL_IDENTITY token verification, Auth header trust model, public Repl exposure risks, and Secret Scanner protection. ## Prerequisites - Replit account with Workspace access - Understanding of environment variables - Deployed app (for Auth security) ## Instructions ### Step 1: Secrets Management Replit Secrets are AES-256 encrypted at rest with TLS in transit. Keys rotate regularly. Two scopes: ```markdown App-level secrets: Specific to one Repl (lock icon in sidebar) Account-level secrets: Apply across all your Repls (Account Settings > Secrets) ``` ```typescript // Validate all required secrets at startup — fail fast const REQUIRED = ['DATABASE_URL', 'JWT_SECRET', 'API_KEY']; const missing = REQUIRED.filter(k => !process.env[k]); if (missing.length) { console.error(`Missing secrets: ${missing.join(', ')}`); console.error('Add them in the Secrets tab (lock icon in sidebar)'); process.exit(1); } ``` **Secret Scanner**: Replit detects when you paste API keys into code files and warns you to store them as Secrets instead. Never dismiss this warning. ### Step 2: Public Repl Safety Replit Repls are **public by default** on free plans. Your source code is visible to anyone. ```python # CRITICAL: Never hardcode secrets in source files # BAD — visible to anyone who views your Repl API_KEY = "sk-live-abc123" # exposed! # GOOD — use Replit Secrets import os A...