Secrets in the client bundle
Stripe keys, OpenAI keys, and database credentials placed in front-end code are readable by anyone. We scan your bundle for the common key formats (sk_live, AKIA, AIza, and more).
// Bolt.new security
Bolt.new builds full-stack apps in the browser at impressive speed. Speed is also how secrets end up in the client bundle and how auth checks get skipped on the server.
Scan your Bolt.new app now — free, ~60 seconds, no signup.
Bolt.new (by StackBlitz) generates a complete front-end and backend, often wired to Supabase or a serverless database. Like every AI builder, it optimises for a working demo — not for the security boundary between what's safe to expose and what isn't.
The two recurring issues: API keys and tokens baked into client-side code where anyone can read them, and endpoints that trust the front-end instead of re-checking authentication and authorisation on the server.
Client-side
is where AI builders tend to place secrets by default
Common pattern across vibe-coded apps
11%
of vibe-coded apps leak a usable backend key
SupaExplorer, 20,000 URLs scanned
2,000+
critical vulns across 5,600+ AI-built apps audited
Escape.tech
Stripe keys, OpenAI keys, and database credentials placed in front-end code are readable by anyone. We scan your bundle for the common key formats (sk_live, AKIA, AIza, and more).
If the only thing guarding an action is the UI, attackers call the API directly. We look for unauthenticated, state-changing endpoints.
Bolt apps usually have a backend. If that backend's RLS or rules are off, the front-end key reads everything — see our Supabase and Firebase pages.
Deployed Bolt apps frequently lack CSP, HSTS, and clickjacking protection, leaving room for XSS and framing attacks.
Bolt.new produces working apps quickly, but security is on you. The common gaps are secrets in the client bundle and missing server-side authorisation. Both are findable in a quick scan.
Unless you move them to server-side environment variables, keys can end up in the client bundle where anyone can read them. Treat any key prefixed for a third-party service as exposed until you've verified otherwise.
Paste your app URL into bleek's free scan. We'll flag exposed secrets, open backends, and missing headers, with a fix for each.
Free scan, real findings, a copy-paste fix for each one. No signup.