// BOLT.NEW SECURITY SCANNER
Is your Bolt.new app safe to launch?
Bolt.new turns a prompt into a full-stack app in one sitting — frontend, backend and database wired together for you. The speed is the point, but nobody stops to check what got left open: environment secrets bundled into the client, a database anyone can query, and payment flows with no verification. Veilguard scans your live Bolt app from the outside, grades it A to F, and shows you the exact fix for each hole.
Free — no signup · Your code stays yours · Results in ~60s
// WHAT WE CHECK
What Veilguard checks in a Bolt.new app
Secrets leaked through VITE_ / public env vars
Bolt frequently exposes API keys by prefixing them so they get bundled into the browser. We flag every secret an attacker can read from your page.
Database rules left wide open
Supabase RLS or Firebase rules that let any visitor read or write your tables — the fastest path to a full data leak.
Payment webhooks with no signature check
Stripe or Paystack webhooks that accept any request, so anyone can fake a “payment succeeded” event.
Auth and rate-limiting gaps
Login and signup endpoints with no throttling, and access checks that run only in the browser.
Overly permissive CORS
APIs that answer requests from any origin, letting other sites ride on your users’ sessions.
Missing security headers
No HSTS, X-Frame-Options or content-type protection on your deployed URL.
// THE GAP
Why Bolt.new apps ship exposed
Bolt optimizes for a working prototype in minutes, so it makes the pragmatic choices that get an app running — permissive defaults, secrets wherever they are convenient, and no verification on money flows. Those choices are fine for a demo and dangerous the moment real customers and real payments show up. Veilguard catches them before your launch does.
// HOW IT WORKS
Scan. Understand. Fix.
Scan
Paste your app’s link. No install, no signup — just the URL you already share with customers.
Understand
A clear A–F grade and every issue in plain English: what it is, why it matters, and how bad it really is.
Fix
The exact fix for each issue — copy-paste code or a ready-made prompt for your AI. Then we keep watching.
// FAQ
Bolt security, answered.
Can Veilguard scan a Bolt.new app?
Yes. Paste your deployed Bolt URL and we scan it from the outside — no install, no signup. If your app uses Supabase or Firebase, we run a deeper database-rules audit too.
What’s the most common problem in Bolt apps?
Exposed secrets and open database rules. Bolt often bundles keys into the browser and leaves Supabase/Firebase permissions permissive, which together are exactly how vibe-coded apps get breached.
How do I fix the issues you find?
Each finding comes with the exact code fix or a copy-paste prompt you can hand back to Bolt to apply. No security background needed.
Scan another tool
Veilguard checks apps built with every major AI builder and backend.
Grade your Bolt app in 60 seconds.
Free — no signup · Your code stays yours · Results in ~60s