Security Scanner for Replit Apps
We scanned 194 Replit apps. 2.1% had critical vulnerabilities. Is yours secure?
194 apps scanned · 4 with critical findings · 2.1% critical rate
Top issue: IDOR vulnerabilities leaking booking and health data
What we check on Replit apps
- Supabase RLS — extracts table names from your JS bundle and queries each one with the anon key to find tables readable without a row-level security policy
- API keys in bundles — OpenAI, Anthropic, Stripe, Google, AWS keys shipped client-side
- Authentication — IDOR, OAuth misconfiguration, session-token entropy, weak JWT signing secrets
- Infrastructure — exposed /.env, /.git, subdomain takeover, DNS issues
- AI code quality — hallucinated functions, unsafe eval(), hardcoded credentials
- 70+ total modules — nuclei CVE templates, XSS, CORS, CSP bypass, and more
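As an added example that is not the scanner's own code, the JavaScript below shows the two client-side checks from the list above in working form: it searches a bundle for shipped API keys and Supabase configuration, then requests one row of every table name it finds as the anon role. The bundle, every key value in it, the project ref and the PostgREST backend are constructed placeholders for this example; a real check would download the app's deployed bundle and call the real `https://<ref>.supabase.co/rest/v1/` endpoint.

```javascript
// Added example, not the scanner's code: a static pass over a JS bundle for
// shipped secrets and Supabase configuration, followed by an anon-key probe
// of every table name the bundle references. The bundle below is constructed
// for this example and every key in it is a placeholder; the probe takes a
// fetch-like function so the whole thing runs offline against a mock.

const SECRET_PATTERNS = [
  { name: "AWS access key ID", re: /\bAKIA[0-9A-Z]{16}\b/g },
  { name: "Stripe live secret", re: /\bsk_live_[0-9A-Za-z]{24,}\b/g },
  { name: "Anthropic key", re: /\bsk-ant-[A-Za-z0-9_-]{20,}\b/g },
  { name: "OpenAI key", re: /\bsk-(?!ant-)[A-Za-z0-9_-]{20,}\b/g },
  { name: "Google API key", re: /\bAIza[0-9A-Za-z_-]{35}\b/g },
];

// Supabase anon and service_role keys are JWTs; the role is in the payload.
const JWT_RE = /\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\b/g;
const SUPABASE_URL_RE = /https:\/\/[a-z0-9]{20}\.supabase\.co\b/g;
const FROM_TABLE_RE = /\.from\(\s*["'`]([A-Za-z_][A-Za-z0-9_]*)["'`]\s*\)/g;

// Payload only; the signature is not checked (we only want the claimed role).
function decodeJwtPayload(token) {
  try { return JSON.parse(Buffer.from(token.split(".")[1], "base64url").toString("utf8")); }
  catch { return null; }
}

// Every secret-shaped string in the bundle, tagged with the pattern it hit.
function findSecrets(bundle) {
  const hits = [];
  for (const { name, re } of SECRET_PATTERNS) {
    for (const m of bundle.matchAll(re)) hits.push({ name, value: m[0] });
  }
  return hits;
}

// Project URL, any Supabase-issued JWTs (with their role), and the table
// names passed to supabase.from(...), in order of first appearance.
function findSupabaseConfig(bundle) {
  const urls = [...bundle.matchAll(SUPABASE_URL_RE)].map((m) => m[0]);
  const keys = [];
  for (const m of bundle.matchAll(JWT_RE)) {
    const payload = decodeJwtPayload(m[0]);
    if (payload && payload.iss === "supabase") keys.push({ role: payload.role, token: m[0] });
  }
  const tables = [...new Set([...bundle.matchAll(FROM_TABLE_RE)].map((m) => m[1]))];
  return { urls, keys, tables };
}

// Ask PostgREST for one row of each table as the anon role. A 200 with rows
// means anonymous users can read the table. An empty 200 is ambiguous: RLS
// may be filtering everything out, or the table may simply be empty.
async function probeTables(url, anonKey, tables, fetchImpl = globalThis.fetch) {
  const results = {};
  for (const table of tables) {
    const res = await fetchImpl(`${url}/rest/v1/${table}?select=*&limit=1`, {
      headers: { apikey: anonKey, Authorization: `Bearer ${anonKey}` },
    });
    if (res.status !== 200) {
      results[table] = `http_${res.status}`;
      continue;
    }
    const rows = await res.json();
    results[table] = Array.isArray(rows) && rows.length > 0 ? "READABLE_BY_ANON" : "empty_or_filtered";
  }
  return results;
}

// Unsigned JWT with the shape of a Supabase key; "sig" stands in for the signature.
function placeholderSupabaseJwt(role) {
  const b64 = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${b64({ alg: "HS256", typ: "JWT" })}.${b64({ iss: "supabase", ref: "abcdefghijklmnopqrst", role })}.sig`;
}

// Constructed bundle: a placeholder project ref, a placeholder anon key, and two placeholder secrets.
const SAMPLE_BUNDLE = `
const supabase = createClient("https://abcdefghijklmnopqrst.supabase.co", "${placeholderSupabaseJwt("anon")}");
const OPENAI_KEY = "sk-${"A".repeat(40)}";   // placeholder with the right shape
const AWS_ID = "AKIAIOSFODNN7EXAMPLE";        // AWS's documented example key ID
async function load() {
  const a = await supabase.from("bookings").select("*");
  const b = await supabase.from('health_records').select("*");
  return [a, b];
}
`;

// Mock PostgREST: bookings has no RLS and leaks a row; health_records is
// RLS-protected, so anon sees an empty list; anything else is a 404.
const MOCK_DB = {
  bookings: { status: 200, body: [{ id: 1, patient: "J. Doe", slot: "2024-05-01T09:00" }] },
  health_records: { status: 200, body: [] },
};
async function mockFetch(url) {
  const table = new URL(url).pathname.split("/").pop();
  const entry = MOCK_DB[table] ?? { status: 404, body: { message: "not found" } };
  return { status: entry.status, json: async () => entry.body };
}

async function auditBundle(bundle, fetchImpl) {
  const secrets = findSecrets(bundle);
  const config = findSupabaseConfig(bundle);
  const anon = config.keys.find((k) => k.role === "anon");
  const rls = anon && config.urls[0] ? await probeTables(config.urls[0], anon.token, config.tables, fetchImpl) : {};
  return { secrets, config, rls };
}
auditBundle(SAMPLE_BUNDLE, mockFetch).then((r) => console.log(JSON.stringify(r, null, 2)));
```

Two caveats worth keeping in mind when reading the output. The role is taken from the unverified JWT payload, which is fine for triage: an anon key in a bundle is expected, while a `service_role` key in a bundle is a critical finding on its own regardless of RLS. And `empty_or_filtered` is deliberately not reported as safe, since an empty table and a correctly filtered one look identical to an anonymous client; confirming RLS needs a row the tester knows exists.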
Try it free
Paste your Replit app URL on our homepage for a quick 10-second scan. For the full 70-module audit, sign up — one free scan, no card.
Scan your Replit app free →