Security scanner

Security Scanner for Bolt Apps

Bolt.new makes you a developer in minutes — but it does not make your app secure by default. VibeScan scans your live Bolt app for wildcard CORS, exposed secrets, missing security headers, and input validation gaps.

https://

✓ Free  ·  ✓ No login required  ·  ✓ Results in under 60 seconds

89%
of Bolt apps have at least one critical issue
< 60s
to get your full report
5 checks
run automatically on every scan
Free
no credit card, no account
Common vulnerabilities

The security issues we find in most Bolt apps

Bolt.new ships working apps in minutes, but the speed comes with tradeoffs. Generated code often sets CORS to wildcard, exposes API keys in frontend code, and skips the server-side validation that keeps your data safe.

Wildcard CORS policy (Access-Control-Allow-Origin: *)
Bolt.new apps often set CORS to allow all origins to keep development frictionless. In production, this means any website can make authenticated requests to your API using your users' credentials. An attacker can build a malicious site that quietly reads your users' data by calling your API cross-origin.
API keys embedded in frontend JavaScript
Bolt frequently generates code that calls third-party APIs (OpenAI, Stripe, SendGrid) directly from the browser, embedding the secret key in the JavaScript bundle. These keys are visible to anyone who opens DevTools. They can be used to run up charges, send spam, or access paid services on your bill.
Missing input validation on API routes
Bolt-generated API handlers often trust the data they receive without checking it. This opens the door to SQL injection, command injection, and unexpected application behavior. A single unvalidated field in a user profile form can compromise your entire database.
No rate limiting on authentication endpoints
Bolt apps rarely include rate limiting out of the box. Without it, an attacker can attempt thousands of password guesses per second against your login endpoint — a brute-force attack that can compromise any account with a weak password.
Verbose error messages leaking internal structure
When Bolt-generated code throws an error, it often returns the full stack trace or database error message to the user. This tells an attacker exactly which framework you're using, your file structure, and where the vulnerabilities are.
Missing security headers on Bolt deployments
Bolt's default deployment configuration does not set Content-Security-Policy, X-Frame-Options, or Strict-Transport-Security. Without CSP, an attacker who finds an XSS vulnerability can execute any script. Without X-Frame-Options, your app can be embedded in an iframe to steal clicks.
What VibeScan checks

Every scan runs 8 automated checks

VibeScan looks at everything publicly visible in your Bolt app — the same things an attacker would look at on day one.

  • HTTPS enforcement — detects HTTP deployment
  • CORS policy — flags Access-Control-Allow-Origin: * in response headers
  • Exposed secrets — scans page source for API keys, JWT tokens, service credentials
  • Security headers — checks X-Frame-Options, CSP, HSTS, X-Content-Type-Options
  • Robots.txt exposure — flags sensitive paths revealed to crawlers
  • OpenAI key detection — identifies sk- prefixed keys in page source
  • Supabase credential exposure — detects ANON keys and service role keys
  • JWT token leakage — finds Bearer tokens embedded in scripts
Scan your Bolt app now

Paste your app URL and get a full security report in under 60 seconds. Free, no signup.

https://
FAQ

Common questions about Bolt security

Is it safe to call the OpenAI API directly from my Bolt.new frontend?
No. Any API key placed in frontend JavaScript is visible to all users. You should create a backend API route that holds the key server-side, and have your frontend call your own route instead. In Bolt, ask it to move the OpenAI call to a server-side API handler.
How do I fix the wildcard CORS policy in my Bolt app?
In your Bolt API routes, replace Access-Control-Allow-Origin: * with the specific domain your frontend is hosted on (e.g., https://myapp.com). If you are using Supabase, go to your Supabase project settings and add your domain to the allowed origins list.
Does VibeScan find all security issues in my Bolt app?
VibeScan catches the most common and highest-impact issues visible from outside your app. It does not have access to your source code, database, or server configuration. Think of it as an attacker's first pass — it finds what they would find in the first 60 seconds.
My Bolt app has no users yet. Does security matter now?
Yes, for two reasons. First, fixing security issues before you have users is 10x easier than after. Second, if you are building on paid APIs like OpenAI or Stripe, an exposed key can result in unexpected charges even before you launch.
How do I add security headers to my Bolt.new deployment?
If your Bolt app is deployed on Vercel, add a vercel.json file with a headers section. For other hosting, ask Bolt to create the configuration file for your platform. The most important headers are X-Frame-Options: DENY, X-Content-Type-Options: nosniff, and Strict-Transport-Security.

Is your Bolt app secure?

Paste your URL. Get a full security report in under 60 seconds — free, no login required.

Scan my Bolt app free →