Bolt.new Security Checklist
Bolt.new generates React + Vite apps quickly and deploys them to Netlify or Stackblitz. Both platforms require you to configure security headers and environment handling manually. Here's what to check.
The Bolt.new security threat model
Bolt.new apps are typically React SPAs. Their risk profile is different from Next.js full-stack apps: there is no server-side rendering, so all data fetching happens client-side; every API key used in a fetch call ships in the bundle and is visible to anyone who opens the browser's devtools; and nothing sits between the browser and your backend. CORS does not protect that backend from malicious callers: it only controls which origins a browser will let a script read responses from, and curl or any non-browser client ignores it entirely, so every endpoint must authenticate and rate-limit callers itself.
- API keys embedded in `VITE_`-prefixed env vars are public: Vite inlines them into the built JS
- Backend APIs called from the client must implement CORS plus their own authentication and rate limiting
- The Supabase anon key is always exposed, so Row Level Security (RLS) is the only thing protecting your tables
- There is no server middleware, so nothing checks auth automatically; each backend route has to enforce it itself
Bolt.new security checklist
✅ Environment Variables
- Only values that are safe to be public belong in the client, typically `VITE_SUPABASE_URL` and `VITE_SUPABASE_ANON_KEY`; Vite only exposes variables with the `VITE_` prefix, so never give that prefix to a secret
- Never use `VITE_OPENAI_API_KEY`; proxy OpenAI calls through a backend function that holds the key server-side
- Check your built output: `grep -r "sk-proj\|sk_live\|OPENAI" dist/` (`sk-proj` is the OpenAI project-key prefix, `sk_live` the Stripe live secret-key prefix; a clean build prints nothing)
✅ Supabase RLS (critical for Bolt apps)
- Every table your app reads or writes must have RLS enabled with explicit policies for each operation; RLS enabled with no policies blocks the anon key entirely, which is the safe starting point
- Without RLS, anyone with your anon key (which is public) can read, and with Supabase's default table grants also modify, every row through the REST API
- Test: paste your Supabase URL + anon key into the free RLS tester
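What an RLS tester actually does is simple enough to run yourself. The script below is an added example, not code from the page or from Supabase: it asks PostgREST for the table list, then reads one row from each table with nothing but the anon key. It assumes the default `public` schema and the standard `/rest/v1/` endpoint; the `fakeFetch` backend is constructed so the script runs offline.

```javascript
// Added example (not from the page or Supabase): list the tables the public anon
// key can read, which is what an "RLS tester" checks.
// Usage: node rls-probe.js https://<ref>.supabase.co <anon-key>
const authHeaders = (anonKey) => ({ apikey: anonKey, Authorization: `Bearer ${anonKey}` });

// PostgREST serves an OpenAPI document at the API root; each table the role can
// see appears as a "/<table>" path. (Assumes the default "public" schema.)
async function listTables(url, anonKey, fetchImpl = fetch) {
  const res = await fetchImpl(`${url}/rest/v1/`, { headers: authHeaders(anonKey) });
  if (!res.ok) throw new Error(`schema request failed with HTTP ${res.status}`);
  const doc = await res.json();
  return Object.keys(doc.paths || {}).filter((p) => p !== '/').map((p) => p.slice(1));
}

// One row is enough to prove the anon role can read the table. Failure mode to
// keep in mind: with RLS enabled and no SELECT policy, PostgREST answers 200
// with [], which looks the same as an empty table. So "not readable" below
// means "nothing came back", not "RLS is proven on".
async function probeTable(url, anonKey, table, fetchImpl = fetch) {
  const res = await fetchImpl(`${url}/rest/v1/${encodeURIComponent(table)}?select=*&limit=1`, {
    headers: authHeaders(anonKey),
  });
  if (res.status !== 200) return { table, status: res.status, readable: false };
  const rows = await res.json();
  return { table, status: 200, readable: Array.isArray(rows) && rows.length > 0 };
}

// Names of tables that returned at least one row to the anonymous role.
async function auditAnonRead(url, anonKey, fetchImpl = fetch) {
  const tables = await listTables(url, anonKey, fetchImpl);
  const results = await Promise.all(tables.map((t) => probeTable(url, anonKey, t, fetchImpl)));
  return results.filter((r) => r.readable).map((r) => r.table).sort();
}

// Constructed fake backend so the script runs offline: "profiles" has RLS with
// no anon policy (returns []), "orders" has RLS off (returns a row).
function fakeFetch(input) {
  const u = new URL(input);
  const reply = (status, body) => Promise.resolve({ ok: status < 300, status, json: async () => body });
  if (u.pathname === '/rest/v1/') return reply(200, { paths: { '/': {}, '/profiles': {}, '/orders': {} } });
  if (u.pathname === '/rest/v1/profiles') return reply(200, []);
  if (u.pathname === '/rest/v1/orders') return reply(200, [{ id: 1, user_id: 'abc', total: 42 }]);
  return reply(404, { message: 'not found' });
}

if (process.argv[2] && process.argv[3]) {
  auditAnonRead(process.argv[2], process.argv[3]).then((tables) => {
    console.log(tables.length ? `anon can read: ${tables.join(', ')}` : 'no table returned rows to anon');
  });
}

module.exports = { listTables, probeTable, auditAnonRead, fakeFetch };
```

A table in the output is not automatically a bug (a public catalogue is meant to be readable), but every name there should be one you can justify. Repeat the run with a logged-in user's JWT instead of the anon key to check that policies also keep users out of each other's rows.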
✅ CORS Configuration
- If you have a backend API, it must not answer every request with `Access-Control-Allow-Origin: *`, and it must not simply reflect whatever `Origin` header it receives, which is `*` with extra steps
- Set `Access-Control-Allow-Origin` to your specific Netlify/custom domain, compared by exact match rather than prefix, suffix or regex
- CORS misconfiguration is the #1 vulnerability in SPA-style Bolt apps; remember that CORS only restrains browsers, so the API still needs its own auth
✅ Security Headers (Netlify)
- Create a `netlify.toml` with a `[[headers]]` block
- Add CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy
- Netlify does not add any security headers by default; verify them on the deployed site's responses, since `netlify.toml` has no effect on the local Vite dev server
✅ Content Security Policy
- Without a CSP, any XSS bug in your code or a compromised dependency runs unrestricted; in an SPA the CSP is the last line of defence, not a substitute for escaping output
- Start with `default-src 'self'` and add only the origins you actually use; for Supabase that means your project URL in `connect-src` over both `https:` and `wss:`, because Realtime uses a WebSocket
- Block inline scripts in production where possible: Vite production builds load scripts from external files, so `script-src 'self'` without `'unsafe-inline'` normally works
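The headers block and the CSP above go together, so one added example covers both: it generates the `[[headers]]` table for `netlify.toml` from the one value that changes per app (the Supabase project URL, an assumed input), and audits a CSP string for the weaknesses that quietly undo it. This is not code from the page or from Netlify; the header values are this editor's defaults and should be tightened to your app.

```javascript
// Added example (not from the page or Netlify): netlify.toml security headers
// from a Supabase URL, plus a CSP weakness check.
// Usage: node headers.js https://<ref>.supabase.co > headers.toml
function securityHeaders({ supabaseUrl }) {
  const host = new URL(supabaseUrl).host;
  const csp = [
    "default-src 'self'",
    "script-src 'self'",                // Vite production builds use external scripts: no 'unsafe-inline'
    "style-src 'self' 'unsafe-inline'", // drop 'unsafe-inline' if nothing injects <style> at runtime
    `img-src 'self' data: https://${host}`,               // Supabase Storage public objects
    `connect-src 'self' https://${host} wss://${host}`,   // REST/Auth over https, Realtime over wss
    "font-src 'self'",
    "object-src 'none'",
    "base-uri 'self'",
    "form-action 'self'",
    "frame-ancestors 'none'",
    'upgrade-insecure-requests',
  ].join('; ');
  return {
    'Content-Security-Policy': csp,
    'Strict-Transport-Security': 'max-age=63072000; includeSubDomains',
    'X-Frame-Options': 'DENY',
    'X-Content-Type-Options': 'nosniff',
    'Referrer-Policy': 'strict-origin-when-cross-origin',
    'Permissions-Policy': 'camera=(), microphone=(), geolocation=()',
  };
}

// Render as the netlify.toml [[headers]] table, applied to every path.
function toNetlifyToml(headers) {
  const lines = ['[[headers]]', '  for = "/*"', '  [headers.values]'];
  for (const [name, value] of Object.entries(headers)) {
    lines.push(`    ${name} = "${value.replace(/"/g, '\\"')}"`);
  }
  return lines.join('\n') + '\n';
}

// Parse a CSP string into { directive: [sources] }.
function parseCsp(csp) {
  const out = {};
  for (const part of csp.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) out[name.toLowerCase()] = sources;
  }
  return out;
}

// Findings that make a CSP ineffective against XSS; [] means no known weakness.
function cspWeaknesses(csp) {
  const d = parseCsp(csp);
  const problems = [];
  const scriptSrc = d['script-src'] || d['default-src'];
  if (!scriptSrc) {
    problems.push('no script-src or default-src: scripts from anywhere run');
  } else {
    // 'unsafe-inline' is ignored by browsers when a nonce or hash is present, so only flag it alone.
    const hasNonceOrHash = scriptSrc.some((s) => s.startsWith("'nonce-") || s.startsWith("'sha"));
    if (scriptSrc.includes("'unsafe-inline'") && !hasNonceOrHash) problems.push("script-src allows 'unsafe-inline': injected <script> runs");
    if (scriptSrc.includes("'unsafe-eval'")) problems.push("script-src allows 'unsafe-eval'");
    if (scriptSrc.some((s) => s === '*' || s === 'https:' || s === 'http:')) problems.push('script-src allows any host');
  }
  if (!d['object-src'] && !(d['default-src'] || []).includes("'none'")) problems.push('object-src falls back to default-src: set it to none');
  if (!d['base-uri']) problems.push('base-uri missing: an injected <base> can redirect relative script URLs');
  return problems;
}

// Compare the headers a deployed site actually returns (any case) with the expected set.
function missingHeaders(actual, expected) {
  const have = new Set(Object.keys(actual).map((k) => k.toLowerCase()));
  return Object.keys(expected).filter((k) => !have.has(k.toLowerCase()));
}

if (process.argv[2]) process.stdout.write(toNetlifyToml(securityHeaders({ supabaseUrl: process.argv[2] })));

module.exports = { securityHeaders, toNetlifyToml, parseCsp, cspWeaknesses, missingHeaders };
```

Paste the generated block into `netlify.toml`, deploy, and then feed the live response headers to `missingHeaders` and the live CSP to `cspWeaknesses`; the second check is the one that catches a policy that was later loosened with `'unsafe-inline'` or `https:` to make a third-party widget load.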
Quick scan your Bolt app
Vezraa scans your deployed Bolt.new app URL in 25 seconds — no repo access needed. It checks for exposed API keys in JS bundles, missing CORS headers, RLS issues, CSP, HSTS, and 90+ other security issues.
Scan your Bolt.new app in 25 seconds.
Scan My Bolt App →