free · read-only · built on Replit

Is your Replit app leaking its secrets?

Replit hosts your app and its database together, and it's easy to expose a secret or leave a database open to the internet. Scan yours free.

https://

read-only · we fetch only what your visitors' browsers already download

What breaks on Replit apps

Replit makes the whole stack one click — app, secrets, and database in one place, which is exactly why a single misconfig can expose all three. What we check on Replit-hosted apps:

Secrets that leak into the client

Replit Secrets are meant for the server. When one gets referenced from client code, it ships to every visitor. We read your live bundle and flag server keys that escaped the backend.

Open databases (Replit DB / Postgres / Supabase)

A database reachable without auth is the classic vibe-coded hole. If you've wired Supabase or Firebase into your repl, we test whether the tables are readable by anyone with the public key.

Exposed files from a public repl

Public repls can serve a .env, a .git directory, or a database dump straight off the URL. We probe for them by real content so you can close the door before someone walks through it.