
Bolt.new Security Checklist

Bolt.new generates React + Vite apps quickly and deploys them to Netlify or StackBlitz. Both platforms require you to configure security headers and environment handling manually. Here's what to check.

The Bolt.new security threat model

Bolt.new apps are typically React SPAs, so their risk profile differs from that of a Next.js full-stack app: there is no server-side rendering, so all data fetching happens client-side; every API key used in a fetch call is visible in the browser; and CORS is the only thing separating your backend from malicious callers.

  • Any API key put in a VITE_-prefixed env var is public: Vite inlines it into the built JS bundle
  • Backend APIs called from the client must implement CORS + rate limiting
  • The Supabase anon key is always exposed, so RLS is the only protection
  • No server middleware means no automatic auth checks on API routes

Bolt.new security checklist

✅ Environment Variables

  • Only VITE_SUPABASE_URL and VITE_SUPABASE_ANON_KEY should be in the client
  • Never use VITE_OPENAI_API_KEY — proxy OpenAI calls through a backend function
  • Check your built output: grep -r "sk-proj\|sk_live\|OPENAI" dist/

✅ Supabase RLS (critical for Bolt apps)

  • Every table your app reads must have RLS enabled with explicit policies
  • Without RLS, anyone with your anon key (which is public) can read all your data
  • Test: paste your Supabase URL + anon key into the free RLS tester

✅ CORS Configuration

  • If you have a backend API, it must not answer with Access-Control-Allow-Origin: * (any origin)
  • Set Access-Control-Allow-Origin to your specific Netlify/custom domain
  • CORS misconfiguration is the #1 vulnerability in SPA-style Bolt apps

✅ Security Headers (Netlify)

  • Create a netlify.toml with a [[headers]] block
  • Add CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy
  • Netlify does not add any security headers by default

✅ Content Security Policy

  • A missing CSP is the primary enabler of XSS attacks in SPA apps
  • Start with default-src 'self' and add only the domains you actually use
  • Block inline scripts in production where possible
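As an added example (not Vezraa's scanner and not code from Bolt.new or Netlify), the following Python function audits a captured response's headers against the CORS, security-header and CSP items from the three sections above. The header dicts and the myapp.netlify.app / xyz.supabase.co hostnames are constructed placeholders, not real responses.

```python
from typing import Dict, List

# Headers the checklist expects from a Netlify-hosted Bolt app.
REQUIRED = ("content-security-policy", "strict-transport-security",
            "x-frame-options", "x-content-type-options", "referrer-policy")


def parse_csp(csp: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive: [sources]}."""
    directives = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit_headers(headers: Dict[str, str], allowed_origin: str) -> List[str]:
    """Return findings for a captured response; an empty list means it passes."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = [f"missing header: {n}" for n in REQUIRED if n not in h]

    # CORS: the API may answer only the app's own origin, never *.
    acao = h.get("access-control-allow-origin")
    if acao == "*":
        findings.append("CORS: Access-Control-Allow-Origin is * (any origin)")
    elif acao and acao != allowed_origin:
        findings.append(f"CORS: unexpected allowed origin {acao}")

    # CSP: require a default-src fallback and no inline/wildcard scripts.
    if "content-security-policy" in h:
        csp = parse_csp(h["content-security-policy"])
        if "default-src" not in csp:
            findings.append("CSP: no default-src fallback")
        scripts = csp.get("script-src", csp.get("default-src", []))
        if "'unsafe-inline'" in scripts:
            findings.append("CSP: script-src allows inline scripts")
        if "*" in scripts:
            findings.append("CSP: script-src allows any origin")
    return findings


# Constructed samples (not real responses): an untouched Bolt deploy and the same app hardened.
WEAK = {"Content-Type": "text/html", "Access-Control-Allow-Origin": "*"}
HARDENED = {
    "Access-Control-Allow-Origin": "https://myapp.netlify.app",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; connect-src 'self' https://xyz.supabase.co",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}
```

Feed it the headers captured from your deployed URL (for example from curl -I) with your own origin as the second argument; the WEAK sample produces six findings and the HARDENED sample none.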

Quick scan your Bolt app

Vezraa scans your deployed Bolt.new app URL in 25 seconds — no repo access needed. It checks for exposed API keys in JS bundles, missing CORS headers, RLS issues, CSP, HSTS, and 90+ other security issues.



Bolt.new Security Checklist — Vezraa