Bolt.new Security Scanner
Find security vulnerabilities in your Bolt.new apps before attackers do. VAS scans for issues specific to AI-generated applications.
$ vas scan --platform bolt.new
> Common Bolt.new Security Issues
Bolt.new makes it incredibly fast to build apps with AI. But that speed often introduces security vulnerabilities that need to be addressed before going to production.
Exposed API Keys in Bundles
Bolt.new apps frequently have API keys (OpenAI, Stripe, Supabase) hardcoded directly in JavaScript bundles. These are visible to anyone using browser DevTools.
const apiKey = "sk-proj-abc123..."
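As an added example (not VAS code, and not anything generated by Bolt.new), here is how a bundle scanner tells the keys above apart. It uses regular expressions for the OpenAI and Stripe secret-key formats and, for Supabase, decodes the key's JWT payload to read its role claim: the anon key is designed to ship to the browser, while a service_role key in a bundle bypasses Row Level Security entirely. The bundle text, the key values and the makeJwt helper are all constructed for the demo, and the key patterns are this example's assumptions about the formats.

```javascript
// Added example, not code from VAS or Bolt.new: a small secret scanner run over a
// built JavaScript bundle. The bundle text and keys below are constructed for the demo.

// Supabase API keys are JWTs whose payload carries a "role" claim. The "anon" key is
// meant to be public; the "service_role" key bypasses RLS and must never reach a browser.
function supabaseRole(token) {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  try {
    const payload = JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
    return payload.iss === "supabase" ? payload.role ?? null : null;
  } catch {
    return null; // not a decodable JWT payload
  }
}

// Detection rules (assumed key formats): id, pattern (global flag needed for matchAll), severity.
const RULES = [
  { id: "openai-key", pattern: /sk-(?:proj-)?[A-Za-z0-9_-]{20,}/g, severity: "critical" },
  { id: "stripe-live-secret", pattern: /sk_live_[A-Za-z0-9]{16,}/g, severity: "critical" },
  { id: "stripe-test-secret", pattern: /sk_test_[A-Za-z0-9]{16,}/g, severity: "high" },
  // Any JWT; classified further by supabaseRole() below.
  { id: "jwt", pattern: /eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g, severity: "info" },
];

function scanBundle(source) {
  const findings = [];
  for (const rule of RULES) {
    for (const m of source.matchAll(rule.pattern)) {
      let { id, severity } = rule;
      if (id === "jwt") {
        const role = supabaseRole(m[0]);
        if (role === "service_role") { id = "supabase-service-role-key"; severity = "critical"; }
        else if (role === "anon") { id = "supabase-anon-key"; severity = "info"; }
        else continue; // some other JWT: not classified by this demo
      }
      findings.push({
        id,
        severity,
        line: source.slice(0, m.index).split("\n").length,
        preview: m[0].slice(0, 12) + "...", // truncated so the report itself never leaks the secret
      });
    }
  }
  return findings;
}

// Constructed sample: builds two Supabase-style JWTs (unsigned, for the demo only).
function makeJwt(role) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
  return `${enc({ alg: "HS256", typ: "JWT" })}.${enc({ iss: "supabase", ref: "demo", role })}.constructed_signature`;
}

const SAMPLE_BUNDLE = [
  'const openai = new OpenAI({ apiKey: "sk-proj-CONSTRUCTEDXXXXXXXXXXXXXXXXXXXX" });',
  `const supabase = createClient("https://demo.supabase.co", "${makeJwt("anon")}");`,
  `const admin = createClient("https://demo.supabase.co", "${makeJwt("service_role")}");`,
  'const stripe = Stripe("pk_live_CONSTRUCTEDPUBLISHABLE"); // publishable key: fine in the browser',
].join("\n");

for (const f of scanBundle(SAMPLE_BUNDLE)) {
  console.log(`[${f.severity}] ${f.id} at line ${f.line}: ${f.preview}`);
}
```

Two design points carry over to any real scanner: classify before you alert (a Supabase anon key in the bundle is expected and should not page anyone, a service_role key is a critical finding), and truncate every match in the report so the scan output does not become a second copy of the secret.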
Missing Supabase RLS
Bolt.new often generates Supabase integrations without enabling Row Level Security. This means anyone with your anon key can read and modify all data.
ALTER TABLE users ENABLE ROW LEVEL SECURITY;
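The statement above is the fix for one table; the check a scanner runs is over the whole schema. As an added example (not VAS code, and not a Supabase tool), this JavaScript audits the text of Supabase SQL migrations and reports two conditions: a table created without Row Level Security, and a table where RLS is enabled but no policy has been created yet. The migration text is constructed for the demo, and the example assumes every table lives in the API-exposed public schema.

```javascript
// Added example, not code from VAS or Supabase: a static check over Supabase SQL
// migrations. Reports tables created without Row Level Security, and tables where
// RLS is enabled but no policy exists. The migration text is constructed for the demo.

// Strip quotes and the public schema prefix so "public"."Users", public.users and users compare equal.
function normalizeTable(name) {
  return name.replace(/"/g, "").replace(/^public\./i, "").toLowerCase();
}

// Collect capture group 1 of every match into a normalized set of table names.
function collect(text, pattern) {
  const names = new Set();
  for (const m of text.matchAll(pattern)) names.add(normalizeTable(m[1]));
  return names;
}

function auditMigration(sql) {
  const text = sql.replace(/--[^\n]*/g, ""); // drop line comments before matching
  const created = collect(text, /create\s+table\s+(?:if\s+not\s+exists\s+)?([\w".]+)/gi);
  const rlsEnabled = collect(text, /alter\s+table\s+(?:only\s+)?([\w".]+)\s+enable\s+row\s+level\s+security/gi);
  const hasPolicy = collect(text, /create\s+policy\s+(?:"[^"]*"|\w+)\s+on\s+([\w".]+)/gi);

  const findings = [];
  for (const table of created) {
    if (!rlsEnabled.has(table)) {
      // Reachable through the API with the public anon key: every row readable and writable.
      findings.push({ table, id: "rls-disabled", severity: "critical" });
    } else if (!hasPolicy.has(table)) {
      // Safe but unusable: RLS with no policies returns no rows to anon/authenticated.
      findings.push({ table, id: "rls-no-policies", severity: "medium" });
    }
  }
  return findings;
}

// Constructed migration: one table done right, one forgotten, one half-finished.
const SAMPLE_MIGRATION = `
create table public.profiles (
  id uuid primary key references auth.users (id),
  display_name text
);
alter table public.profiles enable row level security;
create policy "profiles: owner can read" on public.profiles
  for select using (auth.uid() = id);

create table public.orders (
  id bigint generated always as identity primary key,
  user_id uuid not null,
  total numeric
);
-- TODO: lock down orders before launch

create table public.audit_log (id bigint primary key, note text);
alter table public.audit_log enable row level security;
`;

for (const f of auditMigration(SAMPLE_MIGRATION)) {
  console.log(`[${f.severity}] ${f.table}: ${f.id}`);
}
```

Run it over all migration files concatenated, since policies are often added in a later file than the table. The second finding matters in practice: enabling RLS with no policies makes the app stop returning rows, and the tempting quick fix is a permissive `using (true)` policy, which reopens the table. A policy keyed on `auth.uid()`, as in the profiles table above, is the shape to aim for.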
Insecure Security Headers
AI-generated apps rarely include proper security headers. Missing CSP, HSTS, and X-Frame-Options leave your app without browser-enforced protection against XSS and clickjacking.
Content-Security-Policy: default-src 'self'
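As an added example (not VAS code), this JavaScript evaluates a captured set of response headers against the baseline the page lists (CSP, HSTS, X-Frame-Options) plus X-Content-Type-Options, and goes a step beyond presence checks: it flags a CSP that allows inline scripts, an HSTS max-age under a year, and treats a CSP frame-ancestors directive as equivalent clickjacking protection to X-Frame-Options. The three header sets at the bottom are constructed for the demo, and the one-year HSTS threshold is this example's choice.

```javascript
// Added example, not code from VAS: checks a captured set of HTTP response headers
// for the baseline the page lists (CSP, HSTS, X-Frame-Options) plus X-Content-Type-Options.
// The header sets at the bottom are constructed for the demo.

const MIN_HSTS_MAX_AGE = 31536000; // one year; threshold chosen for this example

// Split a CSP value into { directive: [sources...] }, lower-cased for comparison.
function parseCsp(value) {
  const directives = {};
  for (const part of value.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives[tokens[0].toLowerCase()] = tokens.slice(1).map((s) => s.toLowerCase());
  }
  return directives;
}

function checkHeaders(rawHeaders) {
  // Header names are case-insensitive; normalize once.
  const h = Object.fromEntries(Object.entries(rawHeaders).map(([k, v]) => [k.toLowerCase(), String(v)]));
  const findings = [];
  let framingRestricted = false;

  const cspValue = h["content-security-policy"];
  if (!cspValue) {
    findings.push({ id: "csp-missing", severity: "high" });
  } else {
    const csp = parseCsp(cspValue);
    // script-src falls back to default-src when absent.
    const scriptSrc = csp["script-src"] ?? csp["default-src"] ?? [];
    if (scriptSrc.includes("'unsafe-inline'")) findings.push({ id: "csp-unsafe-inline-scripts", severity: "medium" });
    // frame-ancestors is the modern replacement for X-Frame-Options.
    if (csp["frame-ancestors"]) framingRestricted = true;
  }

  const hsts = h["strict-transport-security"];
  if (!hsts) {
    findings.push({ id: "hsts-missing", severity: "medium" });
  } else {
    const m = /max-age=(\d+)/i.exec(hsts);
    if (!m || Number(m[1]) < MIN_HSTS_MAX_AGE) findings.push({ id: "hsts-max-age-short", severity: "low" });
  }

  if (/^(deny|sameorigin)$/i.test((h["x-frame-options"] ?? "").trim())) framingRestricted = true;
  if (!framingRestricted) findings.push({ id: "clickjacking-unprotected", severity: "medium" });

  if ((h["x-content-type-options"] ?? "").trim().toLowerCase() !== "nosniff") {
    findings.push({ id: "x-content-type-options-missing", severity: "low" });
  }
  return findings;
}

// Constructed: a deployment with no header configuration at all.
const UNCONFIGURED_HEADERS = { "Content-Type": "text/html; charset=utf-8", "Cache-Control": "public, max-age=0" };

// Constructed: a hardened set that passes every check above.
const HARDENED_HEADERS = {
  "Content-Type": "text/html; charset=utf-8",
  "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'",
  "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
  "X-Frame-Options": "DENY",
  "X-Content-Type-Options": "nosniff",
};

// Constructed: headers present but weak.
const WEAK_HEADERS = {
  "Content-Security-Policy": "default-src 'self' 'unsafe-inline'; frame-ancestors 'self'",
  "Strict-Transport-Security": "max-age=3600",
  "X-Content-Type-Options": "nosniff",
};

for (const [name, headers] of Object.entries({ UNCONFIGURED_HEADERS, HARDENED_HEADERS, WEAK_HEADERS })) {
  console.log(name, checkHeaders(headers).map((f) => `${f.severity}:${f.id}`));
}
```

For a static front end the fix is applied at the hosting layer rather than in application code, so the check is worth running against the deployed URL's actual responses, not the source tree.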
Exposed .env Files
Configuration files sometimes get deployed to production. A publicly accessible .env file can expose all your application secrets at once.
DATABASE_URL=postgresql://...
> What VAS Checks for Bolt.new Apps
Our scanner includes 20+ security checks specifically tuned for Bolt.new applications.