// Bolt.new security

Did Bolt ship your secrets to the browser? check free.

Bolt.new builds full-stack apps in the browser at impressive speed. Speed is also how secrets end up in the client bundle and how auth checks get skipped on the server.

Scan your Bolt.new app now — free, ~60 seconds, no signup.

Bolt.new (by StackBlitz) generates a complete front-end and backend, often wired to Supabase or a serverless database. Like every AI builder, it optimises for a working demo — not for the security boundary between what's safe to expose and what isn't.

The two recurring issues: API keys and tokens baked into client-side code where anyone can read them, and endpoints that trust the front-end instead of re-checking authentication and authorisation on the server.

Client-side

is where AI builders tend to place secrets by default

Common pattern across vibe-coded apps

11%

of vibe-coded apps leak a usable backend key

SupaExplorer, 20,000 URLs scanned

2,000+

critical vulns across 5,600+ AI-built apps audited

Escape.tech

What goes wrong on Bolt.new

Secrets in the client bundle

Stripe keys, OpenAI keys, and database credentials placed in front-end code are readable by anyone. We scan your bundle for the common key formats (sk_live, AKIA, AIza, and more).

Missing server-side auth

If the only thing guarding an action is the UI, attackers call the API directly. We look for unauthenticated, state-changing endpoints.

Backend left open (Supabase/Firebase)

Bolt apps usually have a backend. If that backend's RLS or rules are off, the front-end key reads everything — see our Supabase and Firebase pages.

Missing security headers

Deployed Bolt apps frequently lack CSP, HSTS, and clickjacking protection, leaving room for XSS and framing attacks.

Your Bolt.new security checklist

  • No API keys or tokens in client-side code
  • Server re-checks auth on every protected action
  • Backend (Supabase/Firebase) has RLS or rules locked down
  • Security headers set on the deployed app
  • Dependencies free of known CVEs
  • No source maps leaking original code in production

Bolt.new security FAQ

Is Bolt.new secure?

Bolt.new produces working apps quickly, but security is on you. The common gaps are secrets in the client bundle and missing server-side authorisation. Both are findable in a quick scan.

Where does Bolt put my API keys?

Unless you move them to server-side environment variables, keys can end up in the client bundle where anyone can read them. Treat any key prefixed for a third-party service as exposed until you've verified otherwise.

How do I check my Bolt app?

Paste your app URL into bleek's free scan. We'll flag exposed secrets, open backends, and missing headers, with a fix for each.

Find your Bolt.new app's leaks now.

Free scan, real findings, a copy-paste fix for each one. No signup.