Is Replit safe?
Is a Replit app safe to ship?
Replit Agent can scaffold, install packages, and run database migrations without you leaving the browser. Two things are worth checking before real users show up: who can see your source, and whether your database is locked down.
What Replit actually does well
Full dev environment and deploy pipeline in the browser, nothing to install locally.
Replit Agent can install dependencies and run migrations on its own, which speeds up early iteration a lot.
One-click deploys make it easy to get something live fast, which is the whole point.
The gap: public Repl visibility and RLS-off databases
Every Repl has a visibility setting, Public or Private, and it is easy to leave a project on Public while iterating. That means anyone can browse your source tree, including a .env file if one was ever committed to it. Separately, if Replit Agent wires up Supabase or a Postgres database for you, the same row-level security default applies as with any other AI builder: a table is readable with the public anon key unless RLS is enabled on it and a policy says otherwise.
Check Replit for this yourself right now
Two checks, about 60 seconds combined.
01. Open your Repl's settings and confirm the visibility is set to Private, not Public, especially if it has ever held a real API key.
02. If your app uses Supabase, open the devtools Network tab on the live app, find the supabase.co request, and copy the apikey header.
03. Run the following and check whether rows come back with no login:
    curl "https://<your-project>.supabase.co/rest/v1/<table-name>?select=*&limit=1" -H "apikey: <anon-key>"
04. If rows come back, RLS is not enforced on that table and it is readable by anyone holding the key.
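The anon-key probe from the steps above, scripted so you can run it against each of your own tables and get a verdict instead of eyeballing JSON. This is an added example, not part of the original page or the Leak Check tool; PROJECT_REF, TABLE and ANON_KEY are placeholders you fill in from the devtools step.

```shell
#!/usr/bin/env bash
# Added example: automate the curl probe against one Supabase table.
# Assumes curl is installed. PROJECT_REF / TABLE / ANON_KEY are
# placeholders (hypothetical) that you export before running.

# Turn an HTTP status plus PostgREST response body into a verdict.
#   OPEN              200 with at least one row: readable by anyone holding the key
#   EMPTY_OR_FILTERED 200 with "[]": either the table is empty or RLS filtered
#                     every row (RLS denies silently, it does not return an error)
#   DENIED            401/403: the key or auth layer rejected the read
#   ERROR             anything else (unknown table, exposed-schema issue, ...)
classify_probe() {
  status="$1"
  # strip whitespace so "[ ]" and "[]\n" classify the same way
  body=$(printf '%s' "$2" | tr -d ' \n\r\t')
  case "$status" in
    200)
      case "$body" in
        "[]")  echo "EMPTY_OR_FILTERED" ;;
        "["*)  echo "OPEN" ;;
        *)     echo "ERROR" ;;
      esac ;;
    401|403) echo "DENIED" ;;
    *)       echo "ERROR" ;;
  esac
}

# Issue the same request as the manual step (apikey header only, no login)
# and classify the answer. Usage: probe_table <project-ref> <table> <anon-key>
probe_table() {
  ref="$1"; table="$2"; key="$3"
  tmp=$(mktemp)
  status=$(curl -s -o "$tmp" -w '%{http_code}' \
    "https://${ref}.supabase.co/rest/v1/${table}?select=*&limit=1" \
    -H "apikey: ${key}")
  body=$(cat "$tmp")
  rm -f "$tmp"
  classify_probe "$status" "$body"
}

# Only hit the network when the placeholders have been filled in.
if [ -n "${PROJECT_REF:-}" ] && [ -n "${TABLE:-}" ] && [ -n "${ANON_KEY:-}" ]; then
  echo "${TABLE}: $(probe_table "$PROJECT_REF" "$TABLE" "$ANON_KEY")"
fi
```

Treat EMPTY_OR_FILTERED as "check the table's RLS status in the Supabase dashboard", not as a pass: a table with RLS on and no policy looks identical to an empty table from the outside.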
Rather not do this by hand? The free Leak Check runs the anon-key probe and a client bundle scan against your live URL and gives you results in under a minute.
Run the free Leak Check →
Where the numbers come from
We scanned 66 live apps built with Lovable, Bolt, Cursor, base44, and Tempo. 41% of the Supabase-backed apps had at least one table anyone could read with the public anon key. The full methodology and findings are in the data report.
Read the data report →