Quick Answer
Bolt.new lets you build and deploy full-stack apps in minutes, but the generated code routinely ships without authentication on API routes, with hardcoded secrets, and with zero input validation. Before you share your Bolt app publicly, run through these 7 checks to avoid becoming an easy target.
Why Bolt.new Apps Need a Security Review
Bolt.new is one of the most popular AI app builders, generating complete full-stack applications from natural language prompts. The speed is remarkable - you can go from idea to deployed app in under 10 minutes. But that speed comes with a cost that most builders do not realize until it is too late.
According to Apiiro's 2025 research, AI-generated code contains security vulnerabilities at 2.74x the rate of human-written code. Bolt is no exception. The tool optimizes for getting your app running, not for making it secure. It generates working code, but "working" and "safe to expose to the internet" are two very different things.
A 2024 Stanford study found that developers using AI coding assistants were more likely to produce insecure code while being more confident that their code was secure. This confidence gap is especially dangerous with tools like Bolt that handle deployment automatically.
Check 1: Are Your API Routes Protected?
Bolt generates API endpoints that work immediately, but almost never adds authentication middleware. Every route is publicly accessible by default.
// ❌ BAD - Bolt's default: no auth on API routes
app.get('/api/users', async (req, res) => {
const users = await db.query('SELECT * FROM users');
res.json(users);
});
app.post('/api/admin/delete-user', async (req, res) => {
await db.query('DELETE FROM users WHERE id = ?', [req.body.id]);
res.json({ success: true });
});// ✅ GOOD - Add authentication middleware
import { requireAuth, requireAdmin } from './middleware/auth';
app.get('/api/users', requireAuth, async (req, res) => {
const users = await db.query('SELECT * FROM users');
res.json(users);
});
app.post('/api/admin/delete-user', requireAuth, requireAdmin, async (req, res) => {
await db.query('DELETE FROM users WHERE id = ?', [req.body.id]);
res.json({ success: true });
});Check 2: Are Secrets Hardcoded in Your Source Code?
When you give Bolt your Supabase URL, Stripe key, or OpenAI token during the build process, it often embeds them directly in the source code rather than using environment variables. According to GitGuardian's 2024 State of Secrets Sprawl report, 12.8 million new secret occurrences were detected in public GitHub commits in 2023.
Search your Bolt-generated code for strings like sk_live_, sk-, supabase, and Bearer. If any API keys appear as literal strings in your JavaScript files, move them to server-side environment variables immediately.
Check 3: Is Input Validation Present?
Bolt-generated API routes typically accept whatever the client sends without any validation. This means attackers can send malformed data, inject SQL, or crash your server with unexpected types.
// ❌ BAD - No validation on request body
app.post('/api/create-post', async (req, res) => {
const { title, content, authorId } = req.body;
await db.query('INSERT INTO posts (title, content, author_id) VALUES (?, ?, ?)',
[title, content, authorId]);
res.json({ success: true });
});// ✅ GOOD - Validate with Zod before processing
import { z } from 'zod';
const createPostSchema = z.object({
title: z.string().min(1).max(200),
content: z.string().min(1).max(10000),
authorId: z.string().uuid(),
});
app.post('/api/create-post', async (req, res) => {
const result = createPostSchema.safeParse(req.body);
if (!result.success) return res.status(400).json({ error: result.error });
const { title, content, authorId } = result.data;
await db.query('INSERT INTO posts (title, content, author_id) VALUES (?, ?, ?)',
[title, content, authorId]);
res.json({ success: true });
});Check 4: SQL Injection and Database Safety
Bolt sometimes generates raw SQL with string interpolation instead of parameterized queries, especially when you ask for custom database operations. This is the most exploitable vulnerability in web applications. OWASP has ranked injection attacks in the top 3 of web security risks for over a decade.
Check 5: CORS, Rate Limiting, and Security Headers
Three things Bolt almost never configures: CORS restrictions (defaults to allowing all origins), rate limiting (none), and security headers (none). Any API without rate limiting is vulnerable to brute force attacks. Run a security headers scan on your deployed URL - you will likely see an F grade.
Check 6: Environment Variables and Client-Side Exposure
If you are using Next.js via Bolt, check for NEXT_PUBLIC_ prefixed variables that contain secrets. The NEXT_PUBLIC_ prefix means the variable is bundled into your client-side JavaScript and visible to anyone who opens browser DevTools. Your Supabase service role key, Stripe secret key, and database URL should never have this prefix.
How to Run All 7 Checks Automatically
Going through each check manually is tedious, especially if you are iterating quickly. Tools like VibeDoctor (vibedoctor.io) automatically scan your Bolt.new codebase for all 7 of these issues and flag specific file paths and line numbers. Free to sign up.
The seventh and final check: test your deployed app from an incognito browser. Try accessing API routes directly. Try submitting forms with empty or malformed data. If anything works that should not, you have found a gap that needs fixing before launch.
FAQ
Is Bolt.new safe to use for production apps?
Bolt is safe as a starting point, but the generated code needs a security review before going live. Think of Bolt as generating an MVP prototype that needs security hardening. The tool itself is not insecure - it just prioritizes speed over security in the code it writes.
Does Bolt.new handle authentication automatically?
Bolt can generate authentication flows if you specifically ask for them, but the default code generation does not include auth middleware on API routes. Even when Bolt generates login/signup pages, the underlying API endpoints are often left unprotected.
How long does a security review of a Bolt app take?
A manual review of a typical Bolt-generated app takes 30-60 minutes for someone who knows what to look for. An automated scan with a tool designed for AI-generated code takes 2-3 minutes and catches the most critical issues immediately.
Should I rewrite my Bolt app from scratch for production?
No. Most Bolt-generated code is functional and reasonable. The issues are specific and fixable: add auth middleware, move secrets to env vars, add input validation, configure CORS properly. These are targeted fixes, not rewrites. The cost of fixing is much lower than the cost of rebuilding.
What other AI app builders have similar security issues?
All of them. Lovable, Replit, Cursor, and v0 by Vercel all generate code with similar security patterns. The issues are inherent to how LLMs generate code - they optimize for functionality, not security. Any AI-built app needs the same checks regardless of which tool built it.