Implement Replit lint rules, policy enforcement, and automated guardrails.
Use when setting up code quality rules for Replit integrations, implementing
pre-commit hooks, or configuring CI policy checks for Replit best practices.
Trigger with phrases like "replit policy", "replit lint",
"replit guardrails", "replit best practices check", "replit eslint".
Policy enforcement for Replit-hosted applications. Replit's public-by-default Repls, shared hosting, and resource limits require specific guardrails around secrets exposure, resource consumption, deployment security, and endpoint protection.
Prerequisites
Replit account with Deployment access
Understanding of Replit's security model
Awareness of Replit's Terms of Service
Instructions
Step 1: Secrets Exposure Prevention
Replit Repls are public by default on free plans. Source code is visible to anyone.
# CRITICAL POLICY: Never hardcode secrets in source files
# BAD — visible to anyone viewing your Repl
API_KEY = "sk-live-abc123"
DB_PASSWORD = "p@ssw0rd"
# GOOD — use Replit Secrets (AES-256 encrypted)
import os
API_KEY = os.environ.get("API_KEY")
if not API_KEY:
raise RuntimeError("API_KEY not set. Add it in the Secrets tab (lock icon).")
# Startup validation — fail fast if secrets missing
REQUIRED_SECRETS = ["API_KEY", "DATABASE_URL", "JWT_SECRET"]
missing = [s for s in REQUIRED_SECRETS if not os.environ.get(s)]
if missing:
raise RuntimeError(f"Missing required secrets: {missing}")
// Protect all data endpoints with authentication
import { Request, Response, NextFunction } from 'express';
function requireAuth(req: Request, res: Response, next: NextFunction) {
const userId = req.headers['x-replit-user-id'];
if (!userId) {
return res.status(401).json({ error: 'Authentication required' });
}
next();
}
// Apply to all API routes
app.use('/api', requireAuth);
// Admin-only routes: check specific user IDs or roles
function requireAdmin(req: Request, res: Response, next: NextFunction) {
const userId = req.headers['x-replit-user-id'] as string;
const adminIds = (process.env.ADMIN_USER_IDS || '').split(',');
if (!adminIds.includes(userId)) {
return res.status(403).json({ error: 'Admin access required' });
}
next();
}
app.use('/admin', requireAuth, requireAdmin);
Step 4: Deployment Visibility Controls
// Validate deployment configuration at startup
function validateDeploymentSecurity() {
const warnings: string[] = [];
// Check if running as Deployment vs Repl
if (!process.env.REPL_DEPLOYMENT && process.env.NODE_ENV === 'production') {
warnings.push('WARNING: Production NODE_ENV but not a Deployment. Container may sleep.');
}
// Check debug mode
if (process.env.DEBUG && process.env.NODE_ENV === 'production') {
warnings.push('WARNING: DEBUG enabled in production');
}
// Check CORS
if (process.env.CORS_ORIGIN === '*' && process.env.NODE_ENV === 'production') {
warnings.push('WARNING: CORS allows all origins in production');
}
if (warnings.length) {
warnings.forEach(w => console.warn(w));
}
return { secure: warnings.length === 0, warnings };
}
// Run at startup
const security = validateDeploymentSecurity();
if (!security.secure) {
console.warn('Security warnings detected. Review before production deployment.');
}
Step 5: Security Audit Checklist
## Replit Security Audit
### Secrets (Critical)
- [ ] No API keys in source code
- [ ] All secrets in Replit Secrets tab
- [ ] Startup validates required secrets
- [ ] Secret Scanner warnings addressed
### Access Control
- [ ] All data endpoints require authentication
- [ ] Admin routes have role-based access
- [ ] Rate limiting on public endpoints
- [ ] CORS configured for specific origins
### Data Protection
- [ ] Parameterized SQL queries (no string concatenation)
- [ ] Input validation on all user data
- [ ] Error responses don't expose internals
- [ ] Logs don't contain PII or secrets
### Deployment
- [ ] Production uses Deployments (not Repl "Run")
- [ ] NODE_ENV set to "production"
- [ ] Health endpoint doesn't expose secrets
- [ ] Custom domain has SSL (auto-provisioned)
### Resources
- [ ] Memory limits appropriate for tier
- [ ] Request size limits configured
- [ ] Per-request timeout enforced
- [ ] Payload size validation