
Bolt.new Security Checklist: 10 Things to Check Before You Deploy

Bolt builds apps in 10 minutes. Zero of those minutes go toward security. Here are 10 things to fix before real users show up.

The Checklist

1. Is your .env file gitignored?

Bolt generates a .env file and sometimes commits it. Check immediately. (See our detailed .env guide for the full breakdown.) If the file is already tracked, adding it to .gitignore changes nothing: run git rm --cached .env, commit, and treat every key in it as leaked, because the file stays in the repository history.

grep -F '.env' .gitignore
# If nothing shows up:
echo ".env" >> .gitignore
echo ".env.local" >> .gitignore

2. Are there hardcoded secrets in your source?

Search your codebase. You'll be surprised how often Bolt drops keys directly into files, and not only under src/: next.config.js, scripts and seed files collect them too. (More on this in our API key leak guide.)

grep -rnE "sk_live_|sk_test_|AKIA[0-9A-Z]{16}|sk-[A-Za-z0-9_-]{20,}|password[[:space:]]*=" --exclude-dir=node_modules --exclude-dir=.next .
# Anything found has to be moved to environment variables
# and rotated immediately. If it was ever committed it is still in the
# history, so search git log -p as well, not just the working tree.

3. Do your API routes require authentication?

Hit every API endpoint without a token. If you get data back, you have a problem. Then hit it again with a made-up token: a check that only tests whether the Authorization header exists passes that too.

curl -i https://yourapp.com/api/users
curl -i https://yourapp.com/api/admin/settings
curl -i -H "Authorization: Bearer not-a-real-token" https://yourapp.com/api/admin/settings
# All three should return 401 Unauthorized, not data.

# Fix: middleware that runs on every API route and verifies the token, not just its presence.
# Default-deny, then exempt the few public routes (login, signup, health) explicitly in the matcher.
import { NextRequest, NextResponse } from 'next/server'

export const config = { matcher: '/api/:path*' }  // every route under /api, including ones added later

export function middleware(request: NextRequest) {
  const token = request.headers.get('authorization')?.replace(/^Bearer\s+/i, '')
  // verifyToken stands in for your auth library's check: signature, expiry, issuer
  if (!token || !verifyToken(token)) return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
  return NextResponse.next()
}

4. Is CORS wide open?

Bolt often sets CORS to allow everything. With origin: '*' any website can read the responses your API returns to unauthenticated requests. The variant to look for in generated code is worse: reflecting whatever Origin the request carries while also setting credentials: true lets a malicious page call your API with the victim's cookies and read the results, which is an account takeover. CORS only governs what a browser lets a page read; it is not authentication, and curl never sees it, so item 3 still applies.

import cors from 'cors'

// BAD: allows any origin (origin: true, which reflects the request's Origin, is the same bug, and with credentials on top)
app.use(cors({ origin: '*' }))

// GOOD: restrict to your domain; list every origin explicitly if you have more than one
app.use(cors({ origin: 'https://yourapp.com', credentials: true }))
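To make the difference between a wildcard, a reflected Origin and an allowlist concrete, here is an added example (not code from this post or from the cors package) that computes CORS headers from an explicit allowlist and simulates the browser's decision for credentialed and uncredentialed reads. The origins are constructed for the demo.

```javascript
// Added example: allowlist-based CORS headers, plus a model of what the browser does with them.
// Origins below are constructed for the demo.
const ALLOWED_ORIGINS = new Set(['https://yourapp.com', 'https://admin.yourapp.com'])

// Headers to add for a request carrying `origin` (the Origin header, or undefined for same-origin/curl).
// Unknown origins get no Access-Control-Allow-* headers at all, so the browser blocks the read.
function corsHeaders(origin, { allowCredentials = true } = {}) {
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return { Vary: 'Origin' }
  const headers = {
    'Access-Control-Allow-Origin': origin,  // echo an allowlisted value, never the raw request header
    Vary: 'Origin',                          // caches must not serve one origin's response to another
    'Access-Control-Allow-Methods': 'GET, POST, PUT, DELETE',
    'Access-Control-Allow-Headers': 'Authorization, Content-Type',
  }
  if (allowCredentials) headers['Access-Control-Allow-Credentials'] = 'true'
  return headers
}

// The pattern to grep for in generated code: reflecting Origin unconditionally with credentials.
// Included only so the contrast is visible; do not ship it.
function reflectingCorsHeaders(origin) {
  return origin ? { 'Access-Control-Allow-Origin': origin, 'Access-Control-Allow-Credentials': 'true' } : {}
}

// Models the browser's check after a cross-origin fetch from `pageOrigin`:
// can the page's script read the response body?
function browserAllowsRead(responseHeaders, pageOrigin, { credentials = false } = {}) {
  const allowOrigin = responseHeaders['Access-Control-Allow-Origin']
  if (credentials) {
    // With cookies attached the origin must match exactly and Allow-Credentials must be true; '*' is rejected.
    return allowOrigin === pageOrigin && responseHeaders['Access-Control-Allow-Credentials'] === 'true'
  }
  return allowOrigin === '*' || allowOrigin === pageOrigin
}
```

Note the exact-match Set: a prefix or regex check such as origin.startsWith('https://yourapp.com') also matches https://yourapp.com.evil.example, which is a domain the attacker can register.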

5. Do you have CSP headers?

Without a Content Security Policy, one XSS bug gives the attacker's script the same access as your own: the session, local storage, every API call the user can make. Add these headers to every response. Roll the CSP out as Content-Security-Policy-Report-Only first and watch the browser console: script-src 'self' blocks inline scripts, including the ones your framework injects, so you will usually need a nonce or hash for those before switching to the enforcing header.

// next.config.js: headers() must return an array of { source, headers } entries
const securityHeaders = [
  { key: 'Content-Security-Policy', value: "default-src 'self'; script-src 'self'" },
  { key: 'X-Content-Type-Options', value: 'nosniff' },
  { key: 'X-Frame-Options', value: 'DENY' },
  { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
]

module.exports = {
  async headers() {
    return [{ source: '/(.*)', headers: securityHeaders }]  // apply to every route
  },
}
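The check a practitioner would actually run on a deployed app is to fetch a page and audit the response headers, so here is an added example (not code from this post or from any scanner) that does that audit on a header map: it parses the CSP, applies the script-src to default-src fallback rule, and flags the ways a CSP quietly disables itself ('unsafe-inline' without a nonce or hash, 'unsafe-eval', wildcard hosts, or a report-only header standing in for the real one). The sample header set is constructed; it is the one from this item plus HSTS.

```javascript
// Added example: audit a response's security headers. Header names are matched
// case-insensitively, as HTTP requires. Sample headers below are constructed.

// Parse "default-src 'self'; script-src 'self' https://cdn.example" into { 'default-src': [...], ... }
function parseCsp(value) {
  const policy = {}
  for (const directive of value.split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/)
    if (name) policy[name.toLowerCase()] = sources
  }
  return policy
}

// Effective script sources: script-src if present, otherwise default-src (the CSP fallback rule).
function scriptSources(policy) {
  return policy['script-src'] ?? policy['default-src'] ?? null
}

// Returns a list of findings; an empty list means every check passed.
function auditHeaders(headers) {
  const h = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]))
  const findings = []
  const csp = h['content-security-policy']
  if (!csp) {
    findings.push(h['content-security-policy-report-only']
      ? 'CSP is report-only: browsers log violations but block nothing'
      : 'no Content-Security-Policy header')
  } else {
    const policy = parseCsp(csp)
    const sources = scriptSources(policy)
    if (!sources) {
      findings.push('CSP sets neither script-src nor default-src, so scripts are unrestricted')
    } else {
      // Per the CSP spec, 'unsafe-inline' is ignored when a nonce or hash is also listed.
      const hasNonceOrHash = sources.some(s => s.startsWith("'nonce-") || s.startsWith("'sha"))
      if (sources.includes("'unsafe-inline'") && !hasNonceOrHash)
        findings.push("script-src allows 'unsafe-inline': injected inline scripts run, which defeats the point of CSP")
      if (sources.includes("'unsafe-eval'")) findings.push("script-src allows 'unsafe-eval'")
      if (sources.includes('*')) findings.push('script-src allows scripts from any host')
    }
  }
  if ((h['x-content-type-options'] ?? '').toLowerCase() !== 'nosniff')
    findings.push('missing X-Content-Type-Options: nosniff')
  const frameAncestors = csp ? parseCsp(csp)['frame-ancestors'] : undefined
  if (!frameAncestors && !['deny', 'sameorigin'].includes((h['x-frame-options'] ?? '').toLowerCase()))
    findings.push('no clickjacking protection: set X-Frame-Options: DENY or CSP frame-ancestors')
  if (!h['referrer-policy']) findings.push('missing Referrer-Policy')
  if (!h['strict-transport-security']) findings.push('missing Strict-Transport-Security (HSTS)')
  return findings
}

// Constructed sample: the header set from this checklist plus HSTS.
const GOOD_HEADERS = {
  'Content-Security-Policy': "default-src 'self'; script-src 'self'",
  'X-Content-Type-Options': 'nosniff',
  'X-Frame-Options': 'DENY',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
  'Strict-Transport-Security': 'max-age=63072000; includeSubDomains',
}
```

Feed it the headers from curl -I https://yourapp.com (or from a fetch() in a script) and fix the findings in order; the CSP ones matter most.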

That's 5 down, 5 to go. Or skip the rest — vibeAudit checks all 10 (plus 25 more) in 30 seconds. Free.

6. Are database permissions locked down?

If you're using Supabase, check that RLS is enabled on every table in the public schema (see our full RLS guide). The anon key in your frontend bundle talks to Postgres directly through PostgREST, so a table without RLS is readable and writable by anyone who holds that key, which is everyone who opens your site. Enabling RLS with no policies blocks all access through the anon and authenticated keys, so add policies per table. The service_role key bypasses RLS entirely and belongs on the server only. If you're using raw Postgres, make sure your app connects as a limited-privilege role, not the superuser or the table owner: both bypass RLS unless it is forced.

-- Check RLS status (Supabase SQL editor or psql)
SELECT tablename, rowsecurity FROM pg_tables WHERE schemaname = 'public';
-- Every table should show rowsecurity = true; then confirm each one actually has policies in pg_policies

7. Is SSL enforced?

If any page of your app loads over HTTP, cookies and tokens cross the network in plaintext, where anyone on the path can read or rewrite them. Force HTTPS everywhere, mark session cookies Secure, and send a Strict-Transport-Security header so that after the first visit the browser never tries HTTP again; a redirect on its own still lets that first request out in the clear.

// Redirect HTTP to HTTPS in middleware. x-forwarded-proto is set by your host's proxy,
// and most platforms redirect for you already, so confirm with: curl -I http://yourapp.com
if (request.headers.get('x-forwarded-proto') !== 'https') {
  const { pathname, search } = request.nextUrl  // keep the query string, not just the path
  return NextResponse.redirect(`https://${request.headers.get('host')}${pathname}${search}`, 308)  // 308 keeps the method and body
}

8. Do error messages leak stack traces?

In production, a stack trace tells an attacker your framework, your file structure, and sometimes your query logic, and the message from a database driver often contains the SQL itself. Never send raw errors to the client: log them server-side and return a generic message.

// BAD
catch (error) { return Response.json({ error: error.stack }) }

// GOOD
catch (error) {
  console.error(error)  // log server-side only
  return Response.json({ error: 'Internal server error' }, { status: 500 })
}

9. Is there rate limiting?

Without rate limiting, an attacker can brute-force your login, spam your API, or run up your cloud bill. Add basic limiting at minimum, with the tightest limits on login, signup and password-reset routes. Key the limit on something the attacker cannot change for free: the client IP for anonymous routes (read from the header your host sets, such as x-forwarded-for, since on serverless the socket address is the proxy's) and the user id once authenticated.

// Using @upstash/ratelimit (works on serverless, where an in-memory counter resets with every cold start)
import { Ratelimit } from '@upstash/ratelimit'
import { Redis } from '@upstash/redis'

const ratelimit = new Ratelimit({
  redis: Redis.fromEnv(),  // reads UPSTASH_REDIS_REST_URL and UPSTASH_REDIS_REST_TOKEN
  limiter: Ratelimit.slidingWindow(10, '60 s'),  // 10 requests per minute per key
})

// Constructing the limiter does nothing on its own: call it in each handler you want protected
export async function POST(request: Request) {
  const ip = request.headers.get('x-forwarded-for')?.split(',')[0].trim() ?? 'unknown'
  const { success } = await ratelimit.limit(`login:${ip}`)
  if (!success) return Response.json({ error: 'Too many requests' }, { status: 429 })
  // ...handle the login
}
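To see what a sliding window actually does, and why the counter has to live outside the process on serverless, here is an added example (not code from this post or from @upstash/ratelimit) of the same algorithm in plain Node with an injectable clock. The IP, limits and simulated login attempts are constructed for the demo.

```javascript
// Added example: a per-key sliding-window rate limiter with an injectable clock.
// Counters live in this process's memory, so it only protects a single long-lived server;
// every serverless instance starts empty, which is why the post points to Redis.

class SlidingWindowLimiter {
  // `limit` requests per `windowMs`, tracked separately for every key (IP, user id, ...)
  constructor(limit, windowMs, now = () => Date.now()) {
    this.limit = limit
    this.windowMs = windowMs
    this.now = now
    this.hits = new Map()  // key -> timestamps of allowed requests still inside the window
  }

  // Records one request for `key` and reports whether it is allowed.
  // Blocked requests are not recorded, so hammering a blocked key does not extend the block.
  check(key) {
    const t = this.now()
    const cutoff = t - this.windowMs
    const recent = (this.hits.get(key) ?? []).filter(ts => ts > cutoff)
    if (recent.length >= this.limit) {
      this.hits.set(key, recent)
      // retryAfterMs: when the oldest counted request falls out of the window
      return { allowed: false, remaining: 0, retryAfterMs: recent[0] - cutoff }
    }
    recent.push(t)
    this.hits.set(key, recent)
    return { allowed: true, remaining: this.limit - recent.length, retryAfterMs: 0 }
  }

  // Drop idle keys so the map cannot grow without bound under a spray of random source IPs.
  prune() {
    const cutoff = this.now() - this.windowMs
    for (const [key, ts] of this.hits) {
      if (ts[ts.length - 1] <= cutoff) this.hits.delete(key)
    }
  }
}

// Constructed demonstration: a login endpoint allowing 5 attempts per minute per IP, one attempt
// per second, driven by a fake clock. Returns the allowed/blocked verdict for each attempt.
function simulateBruteForce() {
  let clock = 0
  const limiter = new SlidingWindowLimiter(5, 60_000, () => clock)
  const results = []
  for (let i = 0; i < 7; i++) { results.push(limiter.check('203.0.113.9').allowed); clock += 1_000 }
  clock += 60_000  // a minute later the window has cleared
  results.push(limiter.check('203.0.113.9').allowed)
  return results  // [true, true, true, true, true, false, false, true]
}
```

Send retryAfterMs back as a Retry-After header (in seconds) so well-behaved clients back off, and call prune() from a timer.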

10. Is file upload validation in place?

If your app accepts file uploads, check that you validate file type, size, and content on the server. The checks below run on what the browser reported: file.type is set by the client and is trivially forged, and so is the filename, so also inspect the first bytes of the file, store it under a server-generated name outside the web root or in object storage, and never serve it with a content type taken from the upload. An unrestricted upload endpoint is an easy backdoor: a web shell if the upload directory executes scripts, or stored XSS if an HTML or SVG file is served from your origin.

// Validate uploads server-side (file.type and file.name come from the client; treat them as hints)
const ALLOWED_TYPES = ['image/jpeg', 'image/png', 'image/webp']
const MAX_SIZE = 5 * 1024 * 1024  // 5MB

if (!ALLOWED_TYPES.includes(file.type)) return Response.json({ error: 'Invalid file type' }, { status: 400 })
if (file.size > MAX_SIZE) return Response.json({ error: 'File too large' }, { status: 400 })

FAQ

Q: Is Bolt.new secure by default?

No. Bolt builds functional apps fast but skips security defaults like RLS, auth middleware, security headers, and rate limiting.

Q: How many security checks should I do before deploying?

At minimum, check these 10 items. Or use an automated scanner to cover all of them in 30 seconds.

You built it in 10 minutes. Spend 30 seconds checking if it's safe. Paste your URL into vibeAudit — all 10 checks automated, free. Read-only scan, your app is never modified.
