Bolt.new Security Guide
Best practices for securing apps built with Bolt.new.
Common Bolt.new Vulnerabilities
Bolt.new generates full-stack apps quickly, but the generated code often lacks security hardening. Here are the most common issues:
1. Exposed environment variables
Bolt sometimes puts API keys directly in frontend code. Vite inlines every variable that carries the VITE_ prefix into the client bundle, so use that prefix only for values that are safe to expose publicly (a project URL, an anon key) and keep service keys server-side, read only by server code.
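A pre-build check for this mistake, as an added example that is not code from the guide or from Bolt.new: it parses a dotenv-style file and flags any VITE_-prefixed variable whose name looks like a server credential. The secret-name markers and the sample .env are assumptions constructed for the example.

```javascript
// Added example (not from the guide): flag VITE_-prefixed variables that look like secrets.
// Vite inlines every VITE_ variable into the client bundle, so a service key behind
// that prefix ends up in the browser for anyone to read.

// Name fragments that indicate a server-only credential (assumed heuristic list; extend for your stack).
const SECRET_MARKERS = ["SERVICE_ROLE", "SECRET", "PRIVATE", "PASSWORD"];

// Parse dotenv-style text into key/value pairs, ignoring comments and blank lines.
function parseDotenv(text) {
  const vars = {};
  for (const rawLine of text.split("\n")) {
    const line = rawLine.trim();
    if (!line || line.startsWith("#")) continue;
    const eq = line.indexOf("=");
    if (eq === -1) continue;
    const key = line.slice(0, eq).trim();
    let value = line.slice(eq + 1).trim();
    // Strip a matching pair of surrounding quotes.
    const quoted = (value.startsWith('"') && value.endsWith('"')) ||
                   (value.startsWith("'") && value.endsWith("'"));
    if (quoted && value.length >= 2) value = value.slice(1, -1);
    vars[key] = value;
  }
  return vars;
}

// Names of variables that would be shipped to the browser but look like secrets.
function findExposedSecrets(vars) {
  return Object.keys(vars).filter(
    (key) => key.startsWith("VITE_") &&
             SECRET_MARKERS.some((marker) => key.toUpperCase().includes(marker))
  );
}

// Constructed sample .env for the example (placeholder values, not real keys).
const SAMPLE_ENV = `
# public values: safe to inline into the client bundle
VITE_SUPABASE_URL=https://example.supabase.co
VITE_SUPABASE_ANON_KEY="anon-key-placeholder"
# mistake: a service key exposed to every visitor via the VITE_ prefix
VITE_SUPABASE_SERVICE_ROLE_KEY=service-key-placeholder
# correct: server-only, no VITE_ prefix, read only in server code
STRIPE_SECRET_KEY=sk_test_placeholder
`;

// Returns the list of offending names for the sample file; empty means the file is clean.
function checkSampleEnv() {
  return findExposedSecrets(parseDotenv(SAMPLE_ENV));
}

console.log("exposed secrets:", checkSampleEnv());
```

Wire this into the build (for example as a script run before `vite build`) and fail the build when the returned list is non-empty; the name-based heuristic will not catch a secret stored under an innocuous name, so it complements rather than replaces a review of where each key is read.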
2. Missing RLS policies
As with Lovable, if you use Supabase, every table needs RLS enabled and policies configured: the anon key shipped to the browser can read and write every row of a table that has no RLS. See our Supabase RLS Guide.
3. Open API endpoints
Check that every API route verifies the caller's identity before returning data. Bolt-generated backends may not include auth middleware by default, so a route that looks private may be reachable by anyone who knows its path.
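The missing piece described above, as an added example rather than code from the guide or from a Bolt-generated backend: an Express-style `requireAuth` middleware that answers 401 before any handler can run, with a small fake request/response so it executes without Express installed. The session store and the user records are constructed stand-ins; a real app would replace `lookupUser` with a check of the session or JWT issued by its auth provider.

```javascript
// Added example (not Bolt-generated code): reject unauthenticated requests before
// any route handler runs. `req`, `res`, `next` follow the Express middleware shape.

// Constructed session store standing in for a real token verifier.
// Maps bearer token -> user record (placeholder values).
const SESSIONS = new Map([
  ["tok-alice", { id: "u1", email: "alice@example.com" }],
]);

// Verifier: returns the user for a valid token, or null. Swap this for a check
// against your auth provider's session/JWT in a real backend.
function lookupUser(token) {
  return SESSIONS.get(token) || null;
}

// Build the middleware around a verifier so the check is testable and swappable.
function requireAuth(verify) {
  return function (req, res, next) {
    const header = req.headers["authorization"] || "";
    const [scheme, token] = header.split(" ");
    // RFC 6750 treats the scheme name case-insensitively.
    if (scheme.toLowerCase() !== "bearer" || !token) {
      return res.status(401).json({ error: "missing bearer token" });
    }
    const user = verify(token);
    if (!user) {
      return res.status(401).json({ error: "invalid token" });
    }
    // Handlers scope their queries to req.user, never to a client-supplied user id.
    req.user = user;
    return next();
  };
}

// Minimal fake response object so the example runs without Express.
function makeRes() {
  const res = { statusCode: 200, body: undefined };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (payload) => { res.body = payload; return res; };
  return res;
}

// Run the middleware for one Authorization header value and report what the
// client would see and whether the protected handler ran at all.
function simulate(authorizationHeader) {
  const req = { headers: authorizationHeader ? { authorization: authorizationHeader } : {} };
  const res = makeRes();
  let handlerRan = false;
  const protectedHandler = (req, res) => {
    handlerRan = true;
    res.status(200).json({ data: `orders for ${req.user.id}` });
  };
  // Equivalent to: app.get("/api/orders", requireAuth(lookupUser), protectedHandler)
  requireAuth(lookupUser)(req, res, () => protectedHandler(req, res));
  return { status: res.statusCode, handlerRan, body: res.body };
}

console.log("no header:     ", simulate(undefined));
console.log("unknown token: ", simulate("Bearer not-a-session"));
console.log("valid token:   ", simulate("Bearer tok-alice"));
```

The point to carry over to a generated backend is the ordering: the middleware is attached to every data-returning route (or via `app.use` on the whole `/api` prefix) ahead of the handler, and the handler derives the user from `req.user`, so a request that skips authentication never reaches the query.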
4. Scan your Bolt app
Scan with Aphido to find these issues automatically in 60 seconds.