Quick Answer
Bolt.new and Lovable generate functional full-stack applications in minutes. They consistently produce apps with unprotected API routes, client-side secret exposure, missing security headers, zero test coverage, and Lighthouse scores below 50. These are not edge cases - they are the default output. VibeDoctor was built specifically to scan this output, combining live site analysis with deep code scanning across 9 tools and 40+ AI-specific patterns, and tell you exactly what needs fixing before you go live.
Let's Talk About What Bolt and Lovable Actually Ship
Bolt.new and Lovable are genuinely impressive pieces of software. They can scaffold a full-stack SaaS application - authentication, database, API layer, frontend, and deployment - in a single afternoon. For a non-technical founder who previously needed to hire a developer or spend months learning to code, this is transformative.
But there is a gap between "it works" and "it is ready for production." Bolt and Lovable close the first gap. They do not close the second one. And if you are deploying a Bolt or Lovable app to real users without scanning it first, you are accepting risks you almost certainly have not assessed.
This is not a bug in these platforms. It is a structural outcome of how they operate. They generate code that fulfills the user's functional requirements as efficiently as possible. Security, performance optimization, and test coverage are cross-cutting concerns that require knowledge beyond what the user typically specifies. Until the user asks for authentication, the model does not add it. Until the user asks for rate limiting, the model does not add it. The model is doing exactly what it was designed to do.
The problem is that most users do not know to ask. And when the model does add security components, it often adds them incompletely, in ways that look correct but have gaps.
What a Typical Bolt App Looks Like Under the Hood
Based on analysis of publicly available Bolt-generated applications and the results of VibeDoctor scans on user-submitted Bolt apps, a typical Bolt.new generated application in 2026 has the following characteristics:
| Area | Typical Bolt App State | What It Should Be |
|---|---|---|
| Authentication | Present but incomplete - auth library imported, return values often not checked | Every protected route verifies session before processing |
| Environment variables | Supabase URL and anon key often in NEXT_PUBLIC_ (correct); sometimes service role key also in NEXT_PUBLIC_ (Critical) | Only public-safe values use NEXT_PUBLIC_ prefix |
| Input validation | Rare - most API routes accept request body without schema validation | Zod or similar validation on every endpoint |
| Rate limiting | Almost never present | Auth routes and expensive endpoints rate-limited |
| Security headers | None - Bolt does not generate Next.js security middleware | CSP, HSTS, X-Frame-Options, Permissions-Policy |
| Test coverage | None | Unit tests for business logic, integration tests for API routes |
| Lighthouse score | Average 45-55 | 90+ for a well-optimized app |
| Error handling | Partial - try/catch present but often returns raw error messages to client | Generic error messages to client, detailed logging server-side |
What a Typical Lovable App Looks Like Under the Hood
Lovable's output has a different character than Bolt's. Lovable tends to generate more polished UI with better component structure and cleaner styling. The security gaps are similar but the code quality issues differ slightly:
| Area | Typical Lovable App State | What It Should Be |
|---|---|---|
| Frontend code quality | High - clean component structure, good TypeScript usage, minimal FE issues | On par with what Lovable generates |
| Supabase Row Level Security | Often disabled - Lovable creates tables without RLS policies by default | RLS enabled on every table with appropriate policies |
| Client-side secret exposure | Common - Supabase keys often in VITE_ or NEXT_PUBLIC_ without checking which are safe | Service role key never in frontend bundle |
| XSS vectors | Occasional dangerouslySetInnerHTML in dynamic content components | Never use dangerouslySetInnerHTML with user-controlled data |
| Backend API security | Depends heavily on Supabase RLS - if RLS is off, database is wide open | RLS on all tables, service role key server-side only |
| Performance | Better than average - Lovable generates lighter bundles than Bolt | Lighthouse 70+ is achievable with Lovable-generated code |
The Pattern That Concerns Us Most
Of all the issues that appear in Bolt and Lovable generated apps, the most dangerous is also the hardest to see without a scanner: the authentication call that is present but not enforced.
// Bolt-generated API route - this is what gets built
export async function POST(request: Request) {
const supabase = createRouteHandlerClient({ cookies });
const { data: { session } } = await supabase.auth.getSession();
const body = await request.json();
// The session exists in the code - but what happens if it's null?
// The code proceeds to the database operation regardless.
const { data, error } = await supabase
.from('user_data')
.insert({ user_id: session?.user?.id, ...body }); // session?.user?.id is undefined if not logged in
return NextResponse.json({ data });
}// What it should look like
export async function POST(request: Request) {
const supabase = createRouteHandlerClient({ cookies });
const { data: { session } } = await supabase.auth.getSession();
// Actually check and reject unauthenticated requests
if (!session) {
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
}
const body = await request.json();
const { data, error } = await supabase
.from('user_data')
.insert({ user_id: session.user.id, ...body });
if (error) {
console.error('Insert failed:', error);
return NextResponse.json({ error: 'Failed to save' }, { status: 500 });
}
return NextResponse.json({ data });
}The unauthenticated version inserts a database row with user_id: undefined for any anonymous request. If Row Level Security is not enabled on the Supabase table (which it often is not), this means any visitor to your site can insert arbitrary data into your database. With the right payload structure, this can be used to inject malicious content, exhaust your database limits, or map your schema.
How VibeDoctor Finds These Issues
VibeDoctor runs two scanning pipelines on every submission. The code pipeline clones your repository and runs five tools: Gitleaks finds secrets committed to source code; Trivy finds CVEs in your dependency tree; ESLint runs static analysis rules tuned for AI-generated JavaScript and TypeScript patterns; custom project hygiene checks verify .gitignore, README, and test directory presence; the Vibe Checks scanner runs 40+ checks specifically designed around patterns that appear in AI-generated code, including the incomplete authentication pattern above (SEC-001), client-side secret exposure (SEC-006), missing input validation (SEC-010), and 37 other checks across security, performance, testing, and code quality categories.
The live site pipeline runs simultaneously: Lighthouse performance analysis, SSL certificate checking, security header detection, JavaScript runtime error scanning in a real Chromium browser, broken link crawling, and page weight measurement.
The combination of code and live site analysis is what makes VibeDoctor different. A code-only scanner would not catch an expired SSL certificate. A site-only scanner would not catch hardcoded API keys. Most vibe-coded apps have issues in both dimensions.
What You Should Do Before Deploying Any Bolt or Lovable App
The checklist is short. If you cannot check all of these boxes manually, run VibeDoctor and let it find the gaps:
- No secrets in NEXT_PUBLIC_ or VITE_ variables. Only your Supabase anon key and public URL should be in the frontend bundle. Service role keys, OpenAI keys, Stripe secret keys, and any other secret must stay server-side.
- Every API route that reads or writes user data checks authentication before proceeding. Not just imports the auth library. Not just calls getSession(). Actually checks the return value and returns 401 if the session is null.
- Row Level Security is enabled on every Supabase table. Lovable and Bolt frequently create tables with RLS disabled. Check your Supabase dashboard and enable RLS with appropriate policies.
- No .env file committed to your Git repository. Even one historic commit with your .env file exposed means anyone who clones your repo has your credentials. VibeDoctor checks your git history as well as your current working tree.
- Security headers are present. Add a Next.js middleware file that sets CSP, HSTS, X-Frame-Options, and Permissions-Policy. This takes 15 minutes and blocks a large class of client-side attacks.
Run Your Scan Now
Go to vibedoctor.io. Enter your Bolt or Lovable app URL and optionally connect your GitHub repository. The scan runs in minutes, no configuration required, and gives you a scored report with specific findings and remediation steps. The free tier covers everything described above with no credit card required.
If you built your app with Bolt or Lovable and you have not scanned it yet, the odds that you have at least one Critical finding are better than two in three. Run the scan before your users discover it for you.
FAQ
Is this an attack on Bolt and Lovable?
No. Bolt and Lovable are excellent tools that have genuinely democratized software development. The security gaps in their output are a structural limitation of the technology, not negligence on their part. They generate code that fulfills the user's functional requirements; security is a cross-cutting concern that requires specific knowledge the user typically does not provide in their prompt. VibeDoctor fills the gap between what these tools produce and what production-ready software requires.
Can Bolt or Lovable produce secure code?
Yes, with the right prompts. If you explicitly ask Bolt to "add authentication middleware to all API routes, enable Row Level Security in Supabase, add Zod validation to all endpoints, and set security headers in Next.js middleware," you will get significantly more secure output. The problem is that most users do not know these specific security requirements to ask for them. VibeDoctor's value is in finding what was not asked for.
Does VibeDoctor work with Lovable's Supabase integration?
Yes. VibeDoctor scans your source code and deployed URL, regardless of what backend services your app uses. It specifically checks for Supabase-related security patterns including service role key exposure, RLS signals, and Edge Function security gaps.
What if my Bolt app is just a demo, not a real production app?
If real users can visit it, it is in production from a security perspective. Demo apps shared on Twitter have been found and exploited. If your app connects to a real database or processes real user input, scan it regardless of whether you consider it "production."
How is VibeDoctor different from just asking Claude or GPT to review my code?
LLMs are good at reviewing code you show them but they have no way to scan your live deployed URL, check your SSL certificate, run Lighthouse against your real deployment, detect JavaScript runtime errors in a browser, or cross-reference your dependencies against the CVE database. VibeDoctor does all of these programmatically using specialized tools. For code review specifically, LLMs are complementary but not a substitute for a security scanner.