Bolt

// BOLT.NEW SECURITY SCANNER

Is your Bolt.new app safe to launch?

Bolt.new turns a prompt into a full-stack app in one sitting — frontend, backend and database wired together for you. The speed is the point, but nobody stops to check what got left open: environment secrets bundled into the client, a database anyone can query, and payment flows with no verification. Veilguard scans your live Bolt app from the outside, grades it A to F, and shows you the exact fix for each hole.

Free — no signup · Your code stays yours · Results in ~60s

// WHAT WE CHECK

What Veilguard checks in a Bolt.new app

Critical

Secrets leaked through VITE_ / public env vars

Bolt frequently exposes API keys by prefixing them so they get bundled into the browser. We flag every secret an attacker can read from your page.

Critical

Database rules left wide open

Supabase RLS or Firebase rules that let any visitor read or write your tables — the fastest path to a full data leak.

Critical

Payment webhooks with no signature check

Stripe or Paystack webhooks that accept any request, so anyone can fake a “payment succeeded” event.

Warning

Auth and rate-limiting gaps

Login and signup endpoints with no throttling, and access checks that run only in the browser.

Warning

Overly permissive CORS

APIs that answer requests from any origin, letting other sites ride on your users’ sessions.

Warning

Missing security headers

No HSTS, X-Frame-Options or content-type protection on your deployed URL.

// THE GAP

Why Bolt.new apps ship exposed

Bolt optimizes for a working prototype in minutes, so it makes the pragmatic choices that get an app running — permissive defaults, secrets wherever they are convenient, and no verification on money flows. Those choices are fine for a demo and dangerous the moment real customers and real payments show up. Veilguard catches them before your launch does.

// HOW IT WORKS

Scan. Understand. Fix.

01

Scan

Paste your app’s link. No install, no signup — just the URL you already share with customers.

02

Understand

A clear A–F grade and every issue in plain English: what it is, why it matters, and how bad it really is.

03

Fix

The exact fix for each issue — copy-paste code or a ready-made prompt for your AI. Then we keep watching.

// FAQ

Bolt security, answered.

Can Veilguard scan a Bolt.new app?

Yes. Paste your deployed Bolt URL and we scan it from the outside — no install, no signup. If your app uses Supabase or Firebase, we run a deeper database-rules audit too.

What’s the most common problem in Bolt apps?

Exposed secrets and open database rules. Bolt often bundles keys into the browser and leaves Supabase/Firebase permissions permissive, which together are exactly how vibe-coded apps get breached.

How do I fix the issues you find?

Each finding comes with the exact code fix or a copy-paste prompt you can hand back to Bolt to apply. No security background needed.

Grade your Bolt app in 60 seconds.

Free — no signup · Your code stays yours · Results in ~60s