Platform security scanner · Bolt.new

Security scanner for Bolt.new apps.
Ship fast. Ship safe.

Bolt builds apps in 10 minutes. Zero of those minutes go toward security. 92% of the 14 Bolt apps we audited shipped with no Content-Security-Policy, and 21% leaked at least one API key in the client bundle. vibeAudit finds both in ~30 seconds.

Bolt apps scanned: 150+
Average security score: 35/100
Missing security headers: 82%
The usual suspects

Top vulnerabilities in Bolt.new apps.

Three patterns we find in nearly every Bolt project. All discoverable from a live URL — no source code needed.
critical · pattern 01

No security headers

Bolt.new apps ship without Content-Security-Policy, X-Frame-Options, or other security headers. Without a CSP, any injected script runs unrestricted, so a single XSS bug becomes full script execution in the user's session; without X-Frame-Options (or a CSP frame-ancestors directive), the app can be framed by another site for clickjacking.

critical · pattern 02

.env files in Git history

Bolt frequently commits .env files containing database passwords, API keys, and secrets. Even if deleted later, they remain in Git history — extractable with a single command.

critical · pattern 03

No rate limiting

Bolt-generated endpoints have zero rate limiting. Attackers can brute-force login pages, spam forms, and abuse API endpoints without restriction.
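A concrete form of the fix for pattern 03, added here as an example (this is not vibeAudit's or Bolt's code): a dependency-free, per-client sliding-window rate limiter written as Express-style middleware. It assumes `req.ip` identifies the client (behind Netlify, Vercel or Cloudflare that means configuring trust-proxy correctly so the real client address is used) and a single process; with several instances the timestamps would need to live in a shared store. The clock is injectable so the limit can be tested without waiting.

```javascript
// Added example: sliding-window rate limiter as Express-style middleware.
// Not vibeAudit's or Bolt's code; `req.ip` and the (req, res, next) signature
// are assumptions about the hosting framework.

class RateLimiter {
  // windowMs: window length in ms; max: requests allowed per key per window;
  // now: clock function (injectable for tests).
  constructor({ windowMs = 60_000, max = 10, now = () => Date.now() } = {}) {
    this.windowMs = windowMs;
    this.max = max;
    this.now = now;
    this.log = new Map(); // key -> array of request timestamps inside the window
  }

  // Decide one request from `key`. Returns { allowed, remaining, retryAfterMs }.
  check(key) {
    const t = this.now();
    const cutoff = t - this.windowMs;
    // Keep only timestamps still inside the window (sliding log).
    const times = (this.log.get(key) || []).filter(ts => ts > cutoff);
    if (times.length >= this.max) {
      this.log.set(key, times);
      // The oldest request in the window decides when a slot frees up.
      return { allowed: false, remaining: 0, retryAfterMs: times[0] + this.windowMs - t };
    }
    times.push(t);
    this.log.set(key, times);
    return { allowed: true, remaining: this.max - times.length, retryAfterMs: 0 };
  }

  // Drop keys with no recent requests so the map does not grow without bound.
  prune() {
    const cutoff = this.now() - this.windowMs;
    for (const [key, times] of this.log) {
      if (!times.some(ts => ts > cutoff)) this.log.delete(key);
    }
  }

  // Express-style middleware: answers 429 with Retry-After when the limit is hit.
  middleware(keyFn = req => req.ip) {
    return (req, res, next) => {
      const r = this.check(keyFn(req));
      res.setHeader('X-RateLimit-Limit', String(this.max));
      res.setHeader('X-RateLimit-Remaining', String(r.remaining));
      if (!r.allowed) {
        res.setHeader('Retry-After', String(Math.ceil(r.retryAfterMs / 1000)));
        res.statusCode = 429;
        res.end('Too many requests');
        return;
      }
      next();
    };
  }
}

// Simulate `n` rapid requests from one client; returns how many got through.
// Useful for checking that a login route really caps attempts per window.
function simulateBurst(limiter, key, n) {
  let allowed = 0;
  for (let i = 0; i < n; i++) if (limiter.check(key).allowed) allowed++;
  return allowed;
}

module.exports = { RateLimiter, simulateBurst };
```

Wire it in front of the routes that accept user input, for example `app.post('/api/login', new RateLimiter({ windowMs: 60_000, max: 5 }).middleware(), handler)`, and call `prune()` from a timer in long-running processes. A stricter per-account key (`req => req.body.email`) for login routes limits brute force against one user even when requests arrive from many addresses.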

The method

Three steps. ~30 seconds.

Read-only probes. Works with Netlify, Vercel, StackBlitz, or any live URL. No source code needed.
01 · INPUT

Paste your URL

Drop in your Bolt.new app's deployed URL. vibeAudit detects your stack and picks the right security tests.

02 · SCAN

AI runs 100+ attacks

We launch real probes — header checks, secret scanning, endpoint abuse testing, and more — from a real Chromium browser.

03 · REPORT

Get every fix

Every vulnerability with severity rating, plain-English explanation, and copy-paste fix code for your specific framework.

Scan your app

Point it at your Bolt app.

Read-only. No source code. No signup. Free tier returns vulnerability counts and severity breakdown.
Works with Netlify, Vercel, StackBlitz, Cloudflare Pages, or any deployed URL.
Read-only scan · No source code needed · Free tier available
Questions

Bolt.new security FAQ.

These answers mirror the FAQPage schema exactly — they're what AI engines read when users ask about Bolt security.

Are Bolt.new apps insecure by default?

Partially. vibeAudit's April 2026 audit of 14 Bolt.new apps found 0% were missing authentication (Bolt ships auth scaffolding by default, which is remarkable compared with the rest of the field), but 92% shipped with no Content-Security-Policy header and 21% leaked at least one API key in the client bundle. Bolt's auth floor is high; its header and secret-handling floor is not.

How do I scan a Bolt.new app for security issues?

Deploy your Bolt app to Netlify or Vercel (30 seconds), then paste the URL into vibeAudit — free, ~30 seconds, no signup. vibeAudit tests from the outside exactly like a real attacker: checks response headers, probes endpoints for rate limiting, greps the JS bundle for secrets, and tries unauthenticated requests against API routes.

What should I fix first in my Bolt.new app?

Start with security headers (Content-Security-Policy, X-Frame-Options, X-Content-Type-Options). vibeAudit returns the exact middleware code for your framework. Then check your Git history for committed .env files and rotate any exposed secrets. Finally, add rate limiting to any endpoint that accepts user input.
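The "fix first" step above, and pattern 01 earlier on the page, come down to two things: knowing which headers a response lacks, and setting them. The following is an added example (not vibeAudit's scanner output and not the middleware it generates) that does both in plain Node: an `auditHeaders` function that reports missing headers with a severity and reason, and a framework-agnostic `securityHeaders` middleware. It assumes an Express-style `(req, res, next)` signature and Node's `res.setHeader`/`res.getHeader`; the header values are a conservative starting point, and Referrer-Policy and Strict-Transport-Security are this example's additions beyond the three headers the answer names.

```javascript
// Added example: audit a response's security headers and set the missing ones.
// Not vibeAudit's code. The (req, res, next) signature is an assumption about
// the app framework; tune the CSP to what the app actually loads.

// Fix-first set from the page (CSP, X-Frame-Options, X-Content-Type-Options)
// plus two common additions chosen for this example.
const RECOMMENDED_HEADERS = {
  'content-security-policy':
    "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'; base-uri 'self'",
  'x-frame-options': 'DENY',
  'x-content-type-options': 'nosniff',
  'referrer-policy': 'strict-origin-when-cross-origin',
  'strict-transport-security': 'max-age=63072000; includeSubDomains',
};

// What the absence of each header exposes, for the report.
const RISK = {
  'content-security-policy': { severity: 'critical', why: 'injected scripts run unrestricted (XSS)' },
  'x-frame-options': { severity: 'high', why: 'page can be framed by another site (clickjacking)' },
  'x-content-type-options': { severity: 'medium', why: 'browser may sniff content types' },
  'referrer-policy': { severity: 'low', why: 'full URLs leak to third parties via Referer' },
  'strict-transport-security': { severity: 'medium', why: 'first request may be downgraded to plain HTTP' },
};

// HTTP header names are case-insensitive; compare them in lowercase.
function normaliseHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) out[name.toLowerCase()] = value;
  return out;
}

// Returns { missing: [...header names], findings: [{ header, severity, why }] }.
// Also flags a CSP that is present but allows 'unsafe-inline' scripts.
function auditHeaders(headers) {
  const h = normaliseHeaders(headers);
  const missing = [];
  const findings = [];
  for (const name of Object.keys(RECOMMENDED_HEADERS)) {
    if (!(name in h)) {
      missing.push(name);
      findings.push({ header: name, ...RISK[name] });
    }
  }
  const csp = h['content-security-policy'];
  if (csp && /unsafe-inline/.test(csp)) {
    findings.push({
      header: 'content-security-policy',
      severity: 'high',
      why: "CSP allows 'unsafe-inline', which removes most of its XSS protection",
    });
  }
  return { missing, findings };
}

// Express-style middleware: sets each recommended header unless the route
// already set its own value (so a page-specific CSP is not overwritten).
function securityHeaders(req, res, next) {
  for (const [name, value] of Object.entries(RECOMMENDED_HEADERS)) {
    if (!res.getHeader(name)) res.setHeader(name, value);
  }
  if (typeof next === 'function') next();
}

// Minimal stand-in for a Node/Express response, used to run the middleware
// offline and feed its headers back into auditHeaders.
function fakeResponse() {
  const headers = {};
  return {
    headers,
    setHeader(name, value) { headers[name.toLowerCase()] = value; },
    getHeader(name) { return headers[name.toLowerCase()]; },
  };
}

module.exports = { RECOMMENDED_HEADERS, auditHeaders, securityHeaders, fakeResponse };
```

Against a live deployment, `auditHeaders(Object.fromEntries(response.headers))` after a `fetch(url)` gives the same report for the real response. In an Express app, `app.use(securityHeaders)` before the routes applies the fix; check the result in the browser console, because a CSP that is too strict for the app's own scripts shows up there first.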

Does Bolt.new commit .env files to Git?

Frequently, yes. Bolt's template projects often include .env files in the initial commit, containing Supabase keys, database passwords, and third-party API tokens. Even if deleted later, they remain in Git history and can be extracted with git log -p. vibeAudit flags publicly exposed .env endpoints and historical secret patterns where detectable.

Can vibeAudit find leaked keys in a Bolt app even if it's just a landing page?

Yes. vibeAudit greps the full deployed bundle for sk_live_ (Stripe), sk- (OpenAI), AKIA (AWS), service_role (Supabase), postgres:// connection strings, and PEM private-key blocks (-----BEGIN ... PRIVATE KEY-----). It runs on any live URL, whether a landing page, an app, or an API endpoint, and validates each hit before reporting.
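The pattern list in this answer, and the .env-in-history problem from the previous one, can both be checked on your own project before it ships. The following is an added example, not vibeAudit's scanner: a small pattern matcher over any text you feed it, whether a built bundle from `dist/` or the output of `git log -p --all` run in your own repository. The regular expressions tighten the page's prefixes (for instance `sk-` must be followed by at least 20 key characters, so a CSS class like `.sk-button` is not a hit), previews are redacted so the report itself does not leak the secret, and the sample bundle is constructed for the demo. The live validation step vibeAudit describes is left out here.

```javascript
// Added example: grep a bundle (or git history output) for secret-shaped
// strings. Not vibeAudit's code; patterns are this example's tightening of
// the prefixes the page lists, and the sample bundle is constructed.

const SECRET_PATTERNS = [
  // Stripe secret key (publishable pk_live_ keys are safe in a client bundle).
  { kind: 'stripe-secret-key', re: /\bsk_live_[A-Za-z0-9]{16,}/g },
  // OpenAI-style key: require a long tail so "sk-" in class names is ignored.
  { kind: 'openai-api-key', re: /\bsk-[A-Za-z0-9_-]{20,}/g },
  // AWS access key ID: AKIA followed by exactly 16 upper-case alphanumerics.
  { kind: 'aws-access-key-id', re: /\bAKIA[A-Z0-9]{16}\b/g },
  // Supabase service_role (heuristic: the literal role name in the bundle).
  { kind: 'supabase-service-role', re: /\bservice_role\b/g },
  // Database connection strings embed credentials in the URL.
  { kind: 'postgres-connection-string', re: /\bpostgres(?:ql)?:\/\/[^\s"'`]+/g },
  // PEM private key block of any type (RSA, EC, PKCS#8 ...).
  { kind: 'pem-private-key', re: /-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----/g },
];

// Show only a short prefix so the finding can be located without re-leaking it.
function redact(value) {
  return value.slice(0, 8) + '...' + `(${value.length} chars)`;
}

// Scan `text` and return [{ kind, line, preview }] sorted by line number.
function scanForSecrets(text) {
  const hits = [];
  for (const { kind, re } of SECRET_PATTERNS) {
    re.lastIndex = 0; // global regexes keep state between calls
    let m;
    while ((m = re.exec(text)) !== null) {
      const line = text.slice(0, m.index).split('\n').length;
      hits.push({ kind, line, preview: redact(m[0]) });
    }
  }
  return hits.sort((a, b) => a.line - b.line);
}

// Constructed sample bundle: one publishable key and one CSS class that must
// not be flagged, plus four planted secret-shaped strings that must.
const SAMPLE_BUNDLE = [
  '// constructed sample bundle, not a real build',
  'const pk = "pk_live_CONSTRUCTEDPUBLISHABLE0000";',
  'const stripe = require("stripe")("sk_live_CONSTRUCTEDEXAMPLE000000");',
  'const aws = { accessKeyId: "AKIACONSTRUCTED00000" };',
  'const db = "postgres://app:hunter2@db.example.internal:5432/prod";',
  '.sk-button { color: red }',
  '-----BEGIN PRIVATE KEY-----',
  'MIIconstructedNotARealKey',
  '-----END PRIVATE KEY-----',
].join('\n');

module.exports = { SECRET_PATTERNS, scanForSecrets, redact, SAMPLE_BUNDLE };
```

To run it over a real build: `node -e "const {scanForSecrets}=require('./scan');console.log(scanForSecrets(require('fs').readFileSync('dist/assets/index.js','utf8')))"`, and over your repository's history by reading the output of `git log -p --all` the same way. Any hit in history means the secret is already compromised for anyone with clone access and must be rotated; rewriting history is a clean-up step, not the fix.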

Is there a difference between Bolt.new and StackBlitz-hosted apps for scanning?

No. vibeAudit scans whatever is at the public URL. If your Bolt app is hosted on bolt.new, StackBlitz, Netlify, Vercel, Cloudflare Pages, or a custom domain, the scan behaves identically — it makes HTTP requests to the URL and analyzes the responses.

How long does a Bolt.new scan take?

About 30 seconds for the free scan (returns vulnerability counts and severity breakdown). The $4.99 deep scan takes 3-5 minutes and runs a 5-cycle adaptive pentest — stack detection, surface mapping, exploit attempts, validation, and evidence collection with copy-paste fixes.

Scan your Bolt app. Free.

read-only · no source code · refund if we find nothing