Anyone else getting these bot hits? 🤖

Hey all, just spotted traffic on my Replit-hosted app:

/wordpress/wp-admin/setup-config.php
/wp-admin/setup-config.php

How are you all handling basic security on your projects?

Running a React frontend and Express backend, PWA setup.

Using anything to block bots or filter bad traffic? Keen to hear what others are doing.

1 Like

do you have wordpress components on your app?

No, not at all. These are likely bots looking for endpoints to exploit; I think WordPress is easy to target.

That makes a lot of sense; you might want to build an IP blocking script and just ban them.

1 Like
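The "IP blocking script" suggested above, as an added example (not code from anyone in this thread): an Express-style middleware that answers 404 to paths this app never serves, such as the /wp-admin/setup-config.php probes in the first post, and bans the client IP for a while after a few of them. Assumptions: Express-like req/res/next, a ban window of one hour, and that req.ip is the real client address (behind a proxy you would need Express's trust proxy setting so req.ip reflects the forwarded address).

```javascript
// Added example, not from the thread. Ban an IP after repeated probes of
// paths a React/Express app never serves.

// Paths seen in the thread plus common dotfile probes. Any hit is a strong
// signal because nothing legitimate requests them from this app.
const PROBE_PATTERNS = [
  /^\/(?:wordpress\/)?wp-admin\//i,
  /^\/wp-login\.php$/i,
  /^\/\.env(?:\.\w+)?$/i,   // /.env, /.env.bak, /.env.old ...
  /^\/\.git(?:\/|$)/i,
];

const DEFAULT_MAX_PROBES = 3;            // ban after this many probe hits
const DEFAULT_BAN_MS = 60 * 60 * 1000;   // one hour (assumed window)

function createProbeBanner({
  maxProbes = DEFAULT_MAX_PROBES,
  banMs = DEFAULT_BAN_MS,
  now = Date.now,        // injectable clock so the behaviour is testable
} = {}) {
  // In-memory state; bound or persist this in a long-running deployment,
  // otherwise a scanner rotating through many IPs can grow the maps.
  const probeCounts = new Map(); // ip -> number of probe hits
  const bannedUntil = new Map(); // ip -> expiry timestamp (ms)

  function isProbe(path) {
    return PROBE_PATTERNS.some((re) => re.test(path));
  }

  function isBanned(ip) {
    const until = bannedUntil.get(ip);
    if (until === undefined) return false;
    if (now() >= until) {           // ban expired: forget the client
      bannedUntil.delete(ip);
      probeCounts.delete(ip);
      return false;
    }
    return true;
  }

  // Returns 'banned', 'probe' (suspicious but not yet banned) or 'ok'.
  function record(ip, path) {
    if (isBanned(ip)) return 'banned';
    if (!isProbe(path)) return 'ok';
    const count = (probeCounts.get(ip) || 0) + 1;
    probeCounts.set(ip, count);
    if (count >= maxProbes) {
      bannedUntil.set(ip, now() + banMs);
      return 'banned';
    }
    return 'probe';
  }

  // Express-style middleware: put it before your routes with app.use().
  function middleware(req, res, next) {
    const ip = req.ip || (req.socket && req.socket.remoteAddress) || 'unknown';
    const path = (req.path || req.url || '').split('?')[0];
    const verdict = record(ip, path);
    if (verdict === 'banned') return res.status(403).send('Forbidden');
    if (verdict === 'probe') return res.status(404).send('Not found');
    return next();
  }

  return { middleware, isProbe, isBanned, record };
}
```

Usage is `app.use(createProbeBanner().middleware)` near the top of the Express setup. Answering 404 rather than 403 to the first probes gives the scanner nothing to distinguish this app from any other host without WordPress; the 403 only appears once the client is banned.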

I’ve noticed a lot of bots will crawl my applications via the .replit.app domain.

I assume, but have no proof, that these bots crawl all the subdomains, either looking for IP to exploit (or just the application's general functions) or at least as a less nefarious endpoint probe to see what they can see.

I always put some sort of basic user authentication on any projects I care about to weed out the majority of these. Beware: if you add any account sign-up option, you will have to filter through hundreds of Gmail spam sign-ups.

This is a common attack pattern. You'll also see plenty of calls to .env, .env.bak, etc. I protect those through Cloudflare; that's why my first and biggest enhancement request for Replit is the possibility to disable the .replit.app URL (i.e. leave just the myapp.com URL active).

@jaime73 Are you leaving orange cloud proxy on or using grey cloud no proxy on Cloudflare?

1 Like

I deploy to my domains (i.e. mydomain.com), which I protect in Cloudflare with their excellent rulesets. The problem is I have no power over the replit.app domain, so if someone knows the URL they could attack it directly. I know from responses in other threads that Replit protects those (DDoS and OWASP at least), but it would be great, when deploying to your own custom domain, to be able to disable access to the replit.app URL for the app.

3 Likes

+1 for that feature request as well. Would be huge in helping stop the spam

1 Like

+1 for Replit to implement some more serious domain management tools.

Quick thought: has anyone tried sticking a bit of code at line 1 to ensure that only our own domains work on the app? if $domain contains "replit" then exit;

Another thought: if Replit is going to get into offering lots of other paid tools (hosting, DB management, domain names, etc.), then they need to bring the service levels way up to be on a par with the big cloud providers. And I daresay they will eventually, because these extras are where they are going to make a lot of money.

It’s a brand new beta feature. It’ll get there.

I asked Agent for help and we implemented this in my app's index.ts script; put it very close to the top of the script. It works for me: essentially, it simply blocks the *.replit.app production version but allows your own domain and the dev replit.dev version to work normally:

// Block the *.replit.app production hostname entirely. The custom domain and
// the *.replit.dev development URL pass through because neither Host value
// contains the string 'replit.app'. Register this before any routes.
app.use((req, res, next) => {
  const host = req.get('Host') || ''; // Host header as sent by the client
  if (host.includes('replit.app')) {
    return res.status(403).send('Domain access blocked');
  }
  next();
});

You should also consider putting your domain behind Cloudflare to get the benefits of its blocking of bots and other dodgy traffic.
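A stricter variant of the Host check above, as an added example rather than the poster's code: instead of denying any Host that contains 'replit.app', allow only the hostnames this deployment should answer for and refuse everything else (unknown names, raw IP addresses, a missing or malformed Host header). The names myapp.com, www.myapp.com and the .replit.dev suffix are placeholders; substitute your own.

```javascript
// Added example, not from the thread. Host allowlist middleware for Express.

// Exact production hostnames (placeholders) and the dev-preview suffix.
// '.replit.app' is deliberately absent, so the Replit production URL is refused.
const ALLOWED_HOSTS = new Set(['myapp.com', 'www.myapp.com']);
const ALLOWED_SUFFIXES = ['.replit.dev'];

// Normalise a Host header: lowercase, strip :port and a trailing dot.
// Returns null when the header is absent, an IPv6 literal, or contains
// characters that cannot appear in a hostname we registered.
function normalizeHost(raw) {
  if (typeof raw !== 'string' || raw.length === 0) return null;
  let host = raw.trim().toLowerCase();
  if (host.startsWith('[')) return null;          // [::1]:3000 style literal
  const colon = host.indexOf(':');
  if (colon !== -1) host = host.slice(0, colon);  // drop the port
  if (host.endsWith('.')) host = host.slice(0, -1);
  if (!/^[a-z0-9.-]+$/.test(host)) return null;
  return host;
}

function isAllowedHost(raw, { exact = ALLOWED_HOSTS, suffixes = ALLOWED_SUFFIXES } = {}) {
  const host = normalizeHost(raw);
  if (host === null) return false;
  if (exact.has(host)) return true;
  // Suffixes start with '.', so endsWith only matches on a label boundary:
  // 'abc.replit.dev' passes, 'xreplit.dev' and 'a.replit.dev.evil.example' do not.
  return suffixes.some((s) => host.endsWith(s));
}

// Factory so the allowlist can be configured per deployment.
// Reads the Host header only; X-Forwarded-Host is client-controlled and is
// ignored on purpose.
function createHostAllowlist(options = {}) {
  return function hostAllowlist(req, res, next) {
    const raw = req.headers ? req.headers.host : undefined;
    if (!isAllowedHost(raw, options)) {
      return res.status(403).send('Domain access blocked');
    }
    return next();
  };
}
```

Register it with `app.use(createHostAllowlist())` before the routes. Because the check is an allowlist, a request for a raw IP such as 203.0.113.5, or for a hostname you never registered, is refused as well; the substring blocklist only refuses names containing 'replit.app'.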

+1 for Cloudflare. I had a situation where some crypto scam was filling out a user's form they had posted on social media with hundreds of responses. I had to close the form to deal with it, but the traffic was relentless. Cloudflare instantly helped clean that up. I put all my projects on Cloudflare now for the basic protection. You need a paid plan for setting up more custom WAF and other rules, but the free proxy service is fantastic too.

Free Cloudflare is sufficient. All my domains are on it. Ensure the A name proxy is enabled. I don't get any trouble from late-night bot callers.

1 Like