Is your Replit app leaking its secrets?
Replit hosts your app and its database together, and it's easy to expose a secret or leave a database open to the internet. Scan yours free.
read-only · we fetch only what your visitors' browsers already download
What breaks on Replit apps
Replit makes the whole stack one click — app, secrets, and database in one place, which is exactly why a single misconfig can expose all three. What we check on Replit-hosted apps:
Secrets that leak into the client
Replit Secrets are meant for the server. When one gets referenced from client code, it ships to every visitor. We read your live bundle and flag server keys that escaped the backend.
Open databases (Replit DB / Postgres / Supabase)
A database reachable without auth is the classic vibe-coded hole. If you've wired Supabase or Firebase into your repl, we test whether the tables are readable by anyone with the public key.
Exposed files from a public repl
Public repls can serve a .env, a .git directory, or a database dump straight off the URL. We probe for them by real content so you can close the door before someone walks through it.
Built with something else?
The Supabase database Lovable ships with is open until you turn on RLS.
Bolt can bake a server API key straight into your public bundle.
A NEXT_PUBLIC_ env var or a stray source map leaks more than you think.
AI-written auth often trusts the client. We test what's actually readable.