Replit app compliance checklist — what Replit Agent ships by default
Replit's Agent is the most full-stack of the vibe-coding tools. In one flow it provisions a database, sets up auth, configures secrets, and deploys to Replit's hosting. That breadth is the value — and it also means more compliance surface than apps built on tools that just hand you a frontend.
What Replit Agent ships by default
Replit Agent's default output varies more than Lovable or Bolt because the prompt drives stack choice — Python + Flask for one project, Node + Express for another, Next.js for another, sometimes static React for the simplest cases. The compliance trap with Replit is breadth: more surface to check, and Replit's hosting introduces quirks the others don't have.
The 7 things to check on a Replit app
1. Public Repls expose source code
By default, Repls on the free tier are public. Anyone can read your code, including any `.env` files committed by accident. This is the most Replit-specific issue and the easiest to miss. Either upgrade to a paid tier that allows private Repls, or migrate the code off Replit's hosting once you're past the prototype stage.
2. Replit DB and PostgreSQL access patterns
Replit Agent often wires up DB access without per-user row-level security. The app works fine — until two users sign up and one can read the other's data. Audit your queries and add the WHERE clauses (or RLS policies) that scope each query to the requesting user.
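An added example (not code from the page or from Replit) of the two query shapes the item above contrasts. It uses an in-memory SQLite table with constructed rows: the unscoped lookup returns any note whose id is supplied, the scoped one also binds the requesting user's id from the server-side session. The Postgres policy at the end shows the same scope enforced in the database itself; the `app.user_id` setting name is an assumption.

```python
import sqlite3

# Constructed in-memory stand-in for a generated "notes" table; every row has an owner.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE notes (id INTEGER PRIMARY KEY, owner_id INTEGER NOT NULL, body TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO notes (id, owner_id, body) VALUES (?, ?, ?)",
        [(1, 100, "alice's private note"), (2, 200, "bob's private note")],
    )
    conn.commit()
    return conn

def get_note_unscoped(conn, note_id):
    """The shape an agent often generates: filtered by note id only.
    Any authenticated user who supplies another id reads someone else's row."""
    row = conn.execute("SELECT body FROM notes WHERE id = ?", (note_id,)).fetchone()
    return row[0] if row else None

def get_note_scoped(conn, note_id, requesting_user_id):
    """Hardened: the id of the user making the request (taken from the verified
    session, never from a client-supplied field) is part of the WHERE clause."""
    row = conn.execute(
        "SELECT body FROM notes WHERE id = ? AND owner_id = ?",
        (note_id, requesting_user_id),
    ).fetchone()
    return row[0] if row else None

# Equivalent enforcement in PostgreSQL with row-level security, so the scope holds
# even for a query that forgets the WHERE clause. The app sets app.user_id per
# request (e.g. SET LOCAL app.user_id = '200'); the setting name is an assumption.
# RLS is skipped for the table owner unless FORCE ROW LEVEL SECURITY is also set.
POSTGRES_RLS = """
ALTER TABLE notes ENABLE ROW LEVEL SECURITY;
CREATE POLICY notes_owner_only ON notes
    USING (owner_id = current_setting('app.user_id')::int);
"""

def demo():
    """Bob (id 200) asks for note 1, which belongs to Alice (id 100)."""
    conn = make_db()
    bob = 200
    return {
        "unscoped_leaks": get_note_unscoped(conn, 1),   # Alice's note comes back
        "scoped_blocks": get_note_scoped(conn, 1, bob),  # None: not Bob's row
        "scoped_own": get_note_scoped(conn, 2, bob),     # Bob's own note
    }

if __name__ == "__main__":
    print(demo())
```

The scoped variant is the minimum; the policy is what keeps the scope when the next generated endpoint forgets it.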
3. Replit Auth vs Supabase vs custom
Replit Agent picks an auth approach based on prompt context — Replit Auth (built-in), Supabase Auth, or a custom JWT scheme. Each has different default policies. Audit which one was chosen and whether its default policies (token expiry, password rules, session handling) meet your needs. Replit Auth's defaults are reasonable; custom JWT defaults usually aren't.
4. Form labels and contrast
Same pattern as every other AI coding tool: placeholders instead of labels, low-contrast palettes, no focus indicators. These are WCAG 2.2 §1.3.1 (Info and Relationships), §1.4.3 (Contrast (Minimum)) and §2.4.7 (Focus Visible) violations. Real `<label>`s, a palette that meets the 4.5:1 minimum contrast ratio, and visible focus styles are the fix.
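An added example, not part of the page and not Comply Code's scanner, of checking the two easiest-to-automate findings above. The first half parses a constructed sign-up form with the standard library and reports text controls that have no label association (placeholder only); the second half computes the WCAG relative-luminance contrast ratio that §1.4.3 measures against. The form markup and colour values are constructed.

```python
from html.parser import HTMLParser

TEXTUAL = {"text", "email", "password", "search", "tel", "url", "number"}

class FormAudit(HTMLParser):
    """Collects text-like form controls and whether each one has an accessible name."""

    def __init__(self):
        super().__init__()
        self.labelled_ids = set()  # ids referenced by <label for="...">
        self.open_label = 0        # >0 while inside a wrapping <label>
        self.controls = []         # (tag, attrs, wrapped_by_label)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "label":
            self.open_label += 1
            if a.get("for"):
                self.labelled_ids.add(a["for"])
        elif tag in ("input", "textarea", "select"):
            if tag == "input" and (a.get("type") or "text").lower() not in TEXTUAL:
                return  # submit/hidden/checkbox are named differently; out of scope here
            self.controls.append((tag, a, self.open_label > 0))

    def handle_endtag(self, tag):
        if tag == "label" and self.open_label:
            self.open_label -= 1

def find_unlabelled_controls(html):
    """Return controls with neither a <label> (wrapping or for=) nor an aria name."""
    p = FormAudit()
    p.feed(html)
    findings = []
    for tag, a, wrapped in p.controls:
        named = wrapped or a.get("id") in p.labelled_ids or a.get("aria-label") or a.get("aria-labelledby")
        if not named:
            findings.append({
                "tag": tag,
                "name": a.get("name") or a.get("id") or "?",
                "placeholder_only": bool(a.get("placeholder")),
            })
    return findings

# WCAG 2.x relative luminance and contrast ratio (the 1.4.3 formula).
def _channel(c):
    c /= 255
    return c / 12.92 if c <= 0.03928 else ((c + 0.055) / 1.055) ** 2.4

def relative_luminance(hex_color):
    h = hex_color.lstrip("#")
    r, g, b = (int(h[i:i + 2], 16) for i in (0, 2, 4))
    return 0.2126 * _channel(r) + 0.7152 * _channel(g) + 0.0722 * _channel(b)

def contrast_ratio(fg, bg):
    lighter, darker = sorted((relative_luminance(fg), relative_luminance(bg)), reverse=True)
    return (lighter + 0.05) / (darker + 0.05)

def fails_aa(fg, bg, large_text=False):
    """AA minimum is 4.5:1 for normal text, 3:1 for large text."""
    return contrast_ratio(fg, bg) < (3.0 if large_text else 4.5)

# Constructed sample: the placeholder-only pattern the item describes.
GENERATED_FORM = """
<form>
  <input type="email" name="email" placeholder="Email">
  <input type="password" name="password" placeholder="Password">
  <label for="company">Company</label><input type="text" id="company" name="company">
  <label>Phone <input type="tel" name="phone"></label>
  <input type="submit" value="Sign up">
</form>
"""

if __name__ == "__main__":
    print(find_unlabelled_controls(GENERATED_FORM))
    print(round(contrast_ratio("#999999", "#ffffff"), 2), fails_aa("#999999", "#ffffff"))
```

The email and password fields are the findings; the company and phone fields pass because one is referenced by `for=` and the other is wrapped. A mid-grey such as `#999999` on white comes out near 2.8:1, well under the 4.5:1 minimum.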
5. Tracking pixels before consent
Replit Agent will add GA4 or Plausible if your prompt mentions analytics. Same fix as Lovable / Bolt: gate behind consent state, or use cookie-less first-party analytics to avoid the ePrivacy trigger entirely.
6. Secrets in code vs Replit Secrets
Replit has a built-in Secrets manager — better than most platforms' defaults. But Replit Agent sometimes hardcodes API keys directly in code anyway, especially when the prompt context is short. Move every key, token, and connection string to Replit Secrets, then reference them via `process.env` (Node) or `os.environ` (Python).
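An added example, not from the page, of the manual check for item 6: a small scanner that flags string literals assigned to credential-looking names and passwords embedded in database connection strings, while leaving `os.environ` / `process.env` references alone, plus the loader pattern that fails loudly when a secret has not been added to Replit Secrets. The sample source and every value in it are constructed.

```python
import os
import re

# A credential-looking name followed by a quoted literal of 8+ characters.
SECRET_ASSIGNMENT = re.compile(
    r"(?i)(?:api[_-]?key|secret|token|password|passwd|private[_-]?key)\w*['\"]?\s*[:=]\s*"
    r"(?P<q>['\"])(?P<val>[^'\"]{8,})(?P=q)"
)
# scheme://user:password@host for the common database URL schemes.
CONN_STRING = re.compile(
    r"(?i)\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?|redis)://[^:/\s@]+:(?P<pw>[^@\s'\"]+)@"
)

def mask(value):
    """Keep a short prefix so a finding can be located without reprinting the secret."""
    return value[:4] + "****"

def find_hardcoded_secrets(source):
    """Return (line_number, kind, masked_value) for each literal credential in source."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        stripped = line.strip()
        if stripped.startswith(("#", "//")):
            continue  # whole-line comments are not executable assignments
        m = SECRET_ASSIGNMENT.search(line)
        if m:
            findings.append((lineno, "literal credential", mask(m.group("val"))))
        m = CONN_STRING.search(line)
        if m:
            findings.append((lineno, "password in connection string", mask(m.group("pw"))))
    return findings

def load_secret(name, env=os.environ):
    """The replacement pattern: read from the environment Replit Secrets populates,
    and fail at startup rather than running with an empty credential."""
    try:
        return env[name]
    except KeyError:
        raise RuntimeError(f"{name} is not set; add it in the Replit Secrets pane") from None

# Constructed sample of generated code; none of these values are real.
SAMPLE_SOURCE = '''\
import os
OPENAI_API_KEY = "sk-constructed-example-value-0000"   # hardcoded literal (bad)
DATABASE_URL = "postgresql://app:hunter2pass@db.internal:5432/app"  # password embedded (bad)
STRIPE_SECRET = os.environ["STRIPE_SECRET"]            # read from Replit Secrets (good)
SESSION_TOKEN_TTL = 3600                               # numeric, not a credential
'''

if __name__ == "__main__":
    for lineno, kind, shown in find_hardcoded_secrets(SAMPLE_SOURCE):
        print(f"line {lineno}: {kind} ({shown})")
```

The environment reference on line 4 of the sample is not a literal, so it is not reported; the numeric TTL on line 5 has a credential-looking name but no quoted value.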
7. Multi-language bundle scans
Replit apps mix Python and JavaScript more often than other platforms (Python backend + React frontend is a common pattern). License and copyleft scans need to cover both trees — `pipdeptree` for Python and `npm ls` / `pnpm list` for JS. AGPL contamination can hide in either side.
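An added example, not from the page, of why the scan has to walk both trees: given a Python and a JavaScript dependency tree (constructed here, with made-up package names, versions and licences rather than real tool output), it reports every strong-copyleft or unknown-licence package together with the path that pulled it in, so an AGPL library hidden two levels down a transitive dependency surfaces with its parent. SPDX `OR` expressions are treated as a choice and not flagged; `AND` expressions are.

```python
import re

# Licence families that can impose obligations on the combined work. LGPL does not
# start with any of these and is deliberately not treated as strong copyleft here.
COPYLEFT_PREFIXES = ("AGPL", "GPL", "SSPL")

def is_strong_copyleft(license_expr):
    """True only if every OR-alternative of a (simple, unnested) SPDX expression
    contains a strong-copyleft term: '(MIT OR AGPL-3.0)' lets you pick MIT,
    'AGPL-3.0-only AND MIT' does not."""
    expr = license_expr.strip().strip("()")
    alternatives = re.split(r"\s+OR\s+", expr, flags=re.I)

    def term_is_copyleft(term):
        parts = [p.strip().strip("()") for p in re.split(r"\s+AND\s+", term, flags=re.I)]
        return any(p.upper().startswith(COPYLEFT_PREFIXES) for p in parts)

    return all(term_is_copyleft(alt.strip()) for alt in alternatives)

def find_copyleft(tree, ecosystem, path=()):
    """Walk a nested {name: {version, license, dependencies}} tree and collect
    packages whose licence is strong copyleft or unknown, with their import path."""
    findings = []
    for name, info in tree.get("dependencies", {}).items():
        here = path + (f"{name}@{info.get('version', '?')}",)
        lic = info.get("license", "UNKNOWN")
        if lic == "UNKNOWN" or is_strong_copyleft(lic):
            findings.append({
                "ecosystem": ecosystem,
                "package": name,
                "license": lic,
                "path": " > ".join(here),
            })
        findings.extend(find_copyleft(info, ecosystem, here))
    return findings

# Constructed trees in the nested shape above; names, versions and licences are made up.
PY_TREE = {"dependencies": {
    "webfw": {"version": "3.0.0", "license": "BSD-3-Clause",
              "dependencies": {"wsgiutil": {"version": "3.0.0", "license": "BSD-3-Clause"}}},
    "reportgen": {"version": "1.2.0", "license": "MIT",
                  "dependencies": {"pdfcore": {"version": "0.9.1", "license": "AGPL-3.0-only"}}},
}}
JS_TREE = {"dependencies": {
    "uilib": {"version": "18.0.0", "license": "MIT"},
    "charting-kit": {"version": "2.0.0", "license": "(MIT OR GPL-3.0)"},
    "dbdriver": {"version": "4.1.0", "license": "UNKNOWN"},
}}

def scan_both():
    """Run the same check over the Python and JavaScript trees and merge the results."""
    return find_copyleft(PY_TREE, "python") + find_copyleft(JS_TREE, "npm")

if __name__ == "__main__":
    for f in scan_both():
        print(f"[{f['ecosystem']}] {f['package']} {f['license']}: {f['path']}")
```

In practice the trees come from the tools the item names (`pipdeptree --json-tree`, `npm ls --json`) joined with a licence source for each ecosystem; only the walk and the expression handling are shown here. Unknown licences are reported rather than ignored, since a missing field is where copyleft most often hides.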
How to fix all of these
Run Comply Code on your Replit-hosted URL or your custom domain — catches items 4, 5, and the JavaScript side of 7 automatically. Items 1, 2, 3, and 6 need a manual review of your Replit project settings and code. The fixes are mostly fast (minutes each) except auth/RLS, which can take 1–2 hours of careful audit.
Common questions
Is Replit's hosting compliant for HIPAA / PCI / SOC 2?
Replit's enterprise tier offers BAAs and SOC 2 Type II. The default tier doesn't. If you're building a healthcare or payments app on Replit, check your tier's compliance posture before you ship — the app's compliance is only as strong as the hosting underneath it.
Are public Repls actually a problem if I don't share the URL?
Yes — search engines and code-scraping bots crawl public Repls aggressively. Within a few days of creation, any committed secrets or PII can end up in public datasets. Make Repls private from day one, or migrate to dedicated hosting once you're past the prototype phase.
Does Replit Agent check any of this automatically?
No. Replit's checks are for runtime errors and dependency vulnerabilities, not compliance review. Accessibility, privacy, license, and IP review aren't part of the platform as of mid-2026.