My deployed app is returning 403 Forbidden errors—how do I fix it?
My deployed app is returning 403 Forbidden errors—how do I fix it?
A 403 on a deployed app usually comes from one of these:
- Oversized request headers—too many cookies can make headers large enough to be rejected at the edge. Clear your browser cookies for the domain and test again.
- Missing authentication—the request doesn’t include a required login token or session.
- An access restriction—your app may be configured to block some traffic. See private deployments and external access tokens.
My app shows "Application failed to respond"—what does that mean?
My app shows "Application failed to respond"—what does that mean?
Your app process isn’t listening on the port Replit expects. Replit passes the correct port through the Your app may also have crashed before binding—check your deployment logs for startup errors. With Autoscale deployments, the first request after a quiet period can take a few seconds (a cold start), which is normal.
PORT environment variable, so bind to it instead of a hard-coded value:How do I fix CORS errors in my deployed Replit app?
How do I fix CORS errors in my deployed Replit app?
A CORS error means your frontend and backend are on different origins and the backend hasn’t been set up to allow that. If they’re part of the same app, use relative URLs like Allow only the specific origins you need before deploying. See Troubleshooting deployments.
/api/endpoint to avoid CORS entirely.Otherwise, configure your backend to allow your frontend’s origin. For Express, for example:My app works locally but returns network errors when deployed
My app works locally but returns network errors when deployed
Deployed apps fail when the production environment differs from your local setup. Check three things:
- Hard-coded localhost URLs—replace
localhost:3000or127.0.0.1with relative paths or environment-based URLs, then redeploy. - Missing production secrets—confirm every required key is set in your deployment secrets. See Secrets.
- Migrations not run in production—run pending migrations against the production database before deploying.
How do I debug a 502 Bad Gateway error on my deployed app?
How do I debug a 502 Bad Gateway error on my deployed app?
A 502 usually means your app process crashed or returned output the server couldn’t use. Check your deployment logs for crash errors just before the 502s appear—unhandled promise rejections and uncaught exceptions can crash a Node.js process silently.Add a handler to surface crashes:Once you can see the underlying error in your logs, paste it into a new Agent chat for help fixing it.
My app can't make requests to external APIs—what should I check?
My app can't make requests to external APIs—what should I check?
First confirm whether the request is being blocked rather than failing in your code. Open your deployment logs and look for messages about blocked or redirected outbound requests.Common causes and fixes:
- Self-referencing URLs—if your backend calls its own public URL (such as
fetch("https://myapp.replit.app/api/...")), use a relative path likefetch("/api/...")instead. - Requests during the build phase—make outbound calls at runtime, not during the build.
- Network restrictions—on a corporate or school network, outbound connections may be blocked; check with your network admin.
My app URL changed after I republished—can I get my old subdomain back?
My app URL changed after I republished—can I get my old subdomain back?
The
.replit.app subdomain is derived from your project name and isn’t guaranteed to stay the same when you unpublish and republish, especially if the project was renamed.The permanent fix is a custom domain, which stays the same across redeployments. To try to restore the old subdomain, make sure your project name matches the original (rename it back if needed) and republish—Replit can’t manually reassign a released subdomain. See Publishing geography.