Replit: The Safest Place for Vibe Coding

The Replit Team


We’re beefing up security. We’re launching the world’s best vibe coding history feature. And for those of you bringing Replit to work, we’re improving our Enterprise readiness.

Vibe coding makes software creation accessible to everyone, entirely through natural language. Whether it’s personal software for yourself and family, a new business coming to life, or internal tools at your workplace, Replit is the best place for anybody to build.

AI coding is powerful, but it can be nerve-wracking if you're building something for the first time. Is my user information safe? Is my API key exposed? Will my app be vulnerable to attackers? Maybe you didn't even know you had to consider these things to begin with! These challenges can lead users to stumble into vibe coding tragedies. Too often the burden falls on users to wire up external services, track their own history, or validate the security of their code. We hate hearing stories of users on other platforms who lost months of work, accidentally exposed secret API keys, or even exposed user data.

At Replit, we’ve always strived to take these burdens off of users, do the right things by default, and offer the best all-in-one software creation platform. As the leader in the space, we previously integrated essential safe vibe coding features like cloud-based sandbox environments, Private Deployments, DDoS protection, and SSO/SAML.

Today, we’re doubling down on making vibe coding safe, so you can create with confidence.

Even better security: built-in safeguards by default

Replit Auth is now standard

Last week we announced Replit Auth. It’s an enterprise-grade secure login system for your app. By leveraging Replit’s existing identity system, you get the benefit of:

  • Firebase for the core user authentication
  • Email verification for all users
  • reCAPTCHA for bot protection
  • Stytch device fingerprinting for fraud protection
  • HackerOne for bug bounty programs and pen testing
  • Clearout for email validation
  • and more

That’s why today we are making Replit Auth the default authentication provider for apps built on Replit.

Instead of making you integrate an external service or attempt to roll your own, Replit Auth is added without any additional prompting.

You can still prompt Replit Agent to integrate third-party authentication services if you like. But by default, you’ll get Replit Auth for better security and ease of use.

Scan, find, and fix security issues

(early access preview feature)

One of the hardest parts of building software is ensuring the application is secure. There is an entire industry dedicated to finding and removing software security vulnerabilities. While we guide our Replit Agent to use secure frameworks and write code in a secure manner, it’s good practice to take extra measures and scan code before deploying, especially for business applications.

That’s why today we are launching pre-deployment security scanning, powered by our partner Semgrep. You’ll now have the option to run a pre-deployment security scan any time you deploy your app on Replit.

We not only scan for vulnerabilities; we fix them. You can review the list of warnings and click “Fix with Agent” to have Replit Agent address any issues you want repaired. For simpler fixes like dependency updates, you can save a checkpoint and choose “Update automatically”.

Protect essential system files

Perhaps the scariest failure mode we see in vibe coding is when AI accidentally erases git history, backup data, or other key files that can’t be recovered once gone. It can be devastating to lose months of work to these types of mistakes.

That’s why on Replit, we sandbox our Agent at the operating system level. Unlike other platforms that simply add statements to system prompts, we block the Agent deterministically from editing key files. Key files like the git history, the .replit configuration file, and Agent state files cannot be modified by the Replit Agent.

Because sandboxing is done at the process level, advanced users will still be able to modify files using git tools or the Shell. Only the Agent will be blocked, which prevents any AI non-determinism from making critical mistakes.
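To make the "deterministic, not prompt-based" distinction concrete, here is an added illustration (not Replit's code or mechanism) of a write guard that an agent's file-write path could be routed through. It judges every write by the fully resolved path, so `..` traversal and symlinks aimed at the protected directories are denied too; the protected names and the demo project tree are constructed for the example.

```python
import os
import tempfile
from pathlib import Path

# Hypothetical protected set modelled on the ones the post names (git history,
# the .replit configuration, Agent state). Not Replit's actual list or mechanism.
PROTECTED_TOP_LEVEL = {".git", ".replit", ".agent_state"}


def is_protected(root: Path, target: str) -> bool:
    """Decide from the *resolved* path, so traversal and symlinks cannot dodge it."""
    root = root.resolve()
    full = (root / target).resolve()          # follows ".." and symlinks
    try:
        rel = full.relative_to(root)
    except ValueError:
        return True                           # escapes the project root: deny
    return len(rel.parts) > 0 and rel.parts[0] in PROTECTED_TOP_LEVEL


def agent_write(root: Path, target: str, data: str) -> bool:
    """Write path used by the Agent only; the user's shell and git are not routed here."""
    if is_protected(root, target):
        return False                          # deterministic deny, no model judgement involved
    path = root / target
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(data)
    return True


def build_demo_root() -> Path:
    """Constructed project tree for the demo, including a symlink aimed at .git."""
    root = Path(tempfile.mkdtemp()).resolve()
    (root / ".git").mkdir()
    (root / ".git" / "HEAD").write_text("ref: refs/heads/main\n")
    (root / ".replit").write_text('run = "python main.py"\n')   # sample content only
    (root / "src").mkdir()
    (root / "src" / "app.py").write_text("print('hello')\n")
    os.symlink(root / ".git", root / "shortcut")   # symlink that lands inside .git
    return root


if __name__ == "__main__":
    root = build_demo_root()
    for t in ["src/app.py", ".git/HEAD", "src/../.git/config", "shortcut/HEAD", "../outside.txt"]:
        print(f"{t:22} -> {'ALLOWED' if agent_write(root, t, 'x') else 'DENIED'}")
```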

Keep keys secure with prompt scanning

A common mistake for new coders is to put secret API keys in publicly accessible places like source code. While vibe coding doesn’t typically involve writing code, we’ve seen users accidentally paste keys into prompts that get saved to session history. This makes keys more visible than they should be.

So now, if you attempt to paste an API key into the prompt, we’ll instead redirect you to use our secure Secrets tool to manage them. One less thing to worry about.
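As an added example of what a prompt-side key check can look like (this is illustrative code, not Replit's scanner), the function below runs before a prompt is stored, flags key-shaped strings by known prefixes and by entropy, and returns a redacted copy plus a redirect decision. The prefix patterns, thresholds and sample prompt are all constructed for the example.

```python
import math
import re
from collections import Counter

# Constructed pattern list for well-known key shapes (not Replit's scanner):
# OpenAI-style "sk-", GitHub "ghp_", AWS access key ids "AKIA", Slack "xox?-".
KNOWN_KEY_SHAPES = re.compile(
    r"\b(?:sk-[A-Za-z0-9_-]{20,}|ghp_[A-Za-z0-9]{36}|AKIA[0-9A-Z]{16}|xox[abp]-[A-Za-z0-9-]{10,})"
)
# Fallback for unknown formats: any long unbroken token, filtered by entropy below.
LONG_TOKEN = re.compile(r"[A-Za-z0-9_\-]{24,}")
REDACTION = "[REDACTED: store this in Secrets instead]"


def shannon_entropy(s: str) -> float:
    """Bits per character; random key material sits well above English text."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_random(token: str, min_entropy: float) -> bool:
    has_digit = any(ch.isdigit() for ch in token)   # drops CamelCase identifiers
    has_alpha = any(ch.isalpha() for ch in token)
    return has_digit and has_alpha and shannon_entropy(token) >= min_entropy


def find_secret_like_tokens(prompt: str, min_entropy: float = 3.5) -> list[str]:
    spans = [(m.start(), m.end(), m.group(0)) for m in KNOWN_KEY_SHAPES.finditer(prompt)]
    for m in LONG_TOKEN.finditer(prompt):
        overlaps = any(s < m.end() and m.start() < e for s, e, _ in spans)
        if not overlaps and looks_random(m.group(0), min_entropy):
            spans.append((m.start(), m.end(), m.group(0)))
    return [tok for _, _, tok in sorted(spans)]


def check_prompt(prompt: str) -> dict:
    """Gate run before a prompt is stored in session history."""
    tokens = find_secret_like_tokens(prompt)
    safe_text = prompt
    for tok in tokens:
        safe_text = safe_text.replace(tok, REDACTION)
    return {"blocked": bool(tokens), "tokens": tokens, "safe_text": safe_text}


if __name__ == "__main__":
    # Constructed sample prompt with made-up key-shaped strings.
    sample = ("Add Stripe checkout, here is my key sk-live-Qz7pL3mN9vXc2bK8rT5wY1hJ4dF6gS0aU "
              "and my AWS id AKIAEXAMPLE000000000")
    print(check_prompt(sample))
```

The entropy fallback also trips on hex digests such as git commit ids, which is the intended bias: redirecting a harmless value to Secrets costs a click, while storing a real key in history does not.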

Time travel through App History with confidence

Introducing App History

One of the best techniques to use in vibe coding is the “rollback”. Sometimes AI misinterprets requests or goes in a direction you may not like. That’s why Replit has always offered the ability to roll back to prior checkpoints. We encourage you to go back and try again. The underlying technology uses git, which we handle for you.

However, we didn’t make it easy to see all the possible versions you could roll back to. That’s why we’ve entirely rebuilt the user experience as App History.

You now have one easy place to see all the versions of your app, including ones you’ve deployed, across all your Agent sessions. It’s a much cleaner view of all the work you’ve done on your app.

When you choose to roll back, you’ll now also get a clearer explanation and choice of what to roll back:

  • You can see a screenshot of what the app looked like at the time
  • You can optionally roll back the state of the database to the same point in time
  • If the checkpoint happened in the past 7 days, you can preview and use the application at that state before rolling back

If you don’t like where you rolled back to, don’t worry. You can also move forward in history to get back to where you were. That even includes the state of the database.

Rollback previews

As part of the new history view, you can run and preview prior versions of your application. We store runnable snapshots of the app at each checkpoint for the last 7 days of history. Well-developed apps can have many checkpoints, and this will help you find just the right version to go back to.

The snapshots contain both the code at the time of the checkpoint, and a snapshot of the database. So your history won’t be broken by changes in the structure of the database. And the app snapshot is writable, so you can interact with it like any other application without changing your main database. It also uses the built version of the application, similar to a deployment, to help it run faster.

Just browse the history, click the preview link, and the app snapshot will load. Simple as that.

Coming soon: dev/prod separation for databases

In the next few weeks, we will make a significant change to how databases work on Replit. Today, the development version of your app and the deployed version of your app use the same underlying database. In many cases, especially early in a project’s lifecycle, this can be convenient. But as you get more advanced, it makes sense to have a database for your live data, and a space for your upcoming innovations.

In the coming weeks, we will launch the ability for each app to have two databases: one for development, and one for production. This is good for app stability, and it will also allow users to use our advanced database history features in development without impacting production.

Enterprise-ready: vibe coding for professionals

Enhanced security controls

More and more, Replit is being used in enterprises to decentralize software innovation and help people be more productive. Ideas are no longer limited by bandwidth on the engineering roadmap. We’re taking our Teams and Enterprise features even further today.

First, we’re bringing the technology behind our Private Deployments to the preview links used during development. While these URLs are hard to guess and hidden from search engines, we wanted to give Teams and Enterprise users extra assurances and protect them behind Replit login. That includes SSO/SAML for our Enterprise users.

Second, we’re giving organization administrators more power over privacy features. On the Replit Enterprise plan, administrators can now require the use of Private Deployments and Private Dev URLs across the organization. Administrators will also be able to restrict other features such as making app source code public or downloading the source code. Upgrade to Replit Enterprise to take advantage of these controls.

Share internal apps securely with viewer seats

With more privacy controls over who can see deployed apps, one common worry is that the audience for new internal apps built with Replit becomes too limited. That’s why we’ve built viewer seats. You can now add members to your organization with the “viewer” role. These users will be able to see deployed apps shared with them, but won’t require a full editor license like users who are building applications.

Replit Teams plans will come with 50 viewer seats included, at no extra cost. This will help you share all those great new internal tools with your organization. Spread the productivity gains more widely, starting today.

If your organization needs more viewer seats than 50, reach out to our Sales team and they can help get you onto an Enterprise plan.

SCIM support is now available

Starting today, you can manage Replit invites using SCIM. SCIM stands for System for Cross-domain Identity Management, and supporting it in Replit helps your IT team easily onboard and offboard team members to their Replit accounts. This is typically done with a tool like Okta. If you’re on the Replit Enterprise plan, reach out to your Sales partner to get set up with SCIM now.

SCIM is also a great way to take advantage of your new viewer seats and onboard more of the company to Replit.

Conclusion

Replit was already the safest place for vibe coding, with features including cloud-based sandbox environments, Private Deployments, DDoS protection, and SSO/SAML. Today, we’ve taken it even further, to push the industry forward and ensure that not just anyone can create software, but that they can do so safely.

In the coming weeks, we’ll post more technical details on how we built these features, for those of you curious to learn more.

If you are interested in bringing Replit to your enterprise, book a demo with our Sales team today.
