How to Deploy Bolt.new Apps Securely

Deploying a Bolt.new app requires security hardening that the AI did not do during generation. This pre-deployment checklist ensures your secrets are protected, headers are configured, and the most common vulnerabilities are addressed.

Follow These Steps

Step 1: Remove all hardcoded secrets from code

Final check that no API keys remain in source files.

Code Example
# Case-insensitive extended regex; review every hit and move any real secret into an environment variable
grep -rniE "sk-|secret_key|password.*=" src/ app/ lib/ --include="*.ts" --include="*.tsx" --include="*.js"
Step 2: Configure environment variables in your hosting platform

Add all secrets to Vercel, Netlify, or your chosen platform.

Code Example
# Required environment variables for typical Bolt apps:
# DATABASE_URL (if using a database)
# OPENAI_API_KEY (if using AI features)
# NEXTAUTH_SECRET (if using auth)
# NEXTAUTH_URL (your production URL)
# STRIPE_SECRET_KEY (if using payments)
Step 3: Add security headers

Configure headers appropriate for your hosting platform.

Code Example
// next.config.js
module.exports = {
  async headers() {
    return [{
      source: '/(.*)',
      headers: [
        { key: 'X-Content-Type-Options', value: 'nosniff' },
        { key: 'X-Frame-Options', value: 'DENY' },
        { key: 'Strict-Transport-Security', value: 'max-age=63072000; includeSubDomains; preload' }
      ]
    }]
  }
}
Step 4: Ensure .gitignore is properly configured

Verify sensitive files are not committed to the repository.

Code Example
# .gitignore should include:
.env
.env.local
.env.production
node_modules/
.next/
Step 5: Run a security scan on the deployed URL

Deploy to a staging URL first and scan with VAS before going public.
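The checks in steps 1 to 3 and 5 can be automated locally before a preview deployment is promoted. The script below is an added example, not code from this guide or from VAS: the secret patterns and header values are the ones used above, the required variable names are the ones listed in step 2, and the sample source text and header object are constructed stand-ins for a real file and a real staging response.

```javascript
// predeploy-check.js: pre-deployment checks for a Bolt.new/Next.js app (Node 18+, no dependencies).
// Added example, not VAS's code; patterns and header values are the ones this guide uses.

// Step 1 patterns from the grep, case-insensitive and applied per line. A quoted value is
// required so that `password: process.env.DB_PASSWORD` (the correct form) is not flagged.
const SECRET_PATTERNS = [
  /\bsk-[A-Za-z0-9_-]{8,}/,                  // "sk-" prefixed API keys
  /secret_key\s*[:=]\s*['"][^'"]+['"]/i,
  /password\s*[:=]\s*['"][^'"]+['"]/i,
];

// Returns one {line, match} per source line that looks like a hardcoded secret.
function findHardcodedSecrets(sourceText) {
  const hits = [];
  sourceText.split('\n').forEach((text, i) => {
    const re = SECRET_PATTERNS.find((p) => p.test(text));
    if (re) hits.push({ line: i + 1, match: text.match(re)[0] });
  });
  return hits;
}

// Step 2: names that must be set in the hosting platform's environment (adjust to your app).
const REQUIRED_ENV = ['DATABASE_URL', 'NEXTAUTH_SECRET', 'NEXTAUTH_URL'];
function missingEnvVars(env, required = REQUIRED_ENV) {
  return required.filter((name) => !env[name] || env[name].trim() === '');
}

// Steps 3 and 5: audit the staging URL's response headers against the next.config.js values.
// `headers` is a plain object with lower-case keys, e.g. Object.fromEntries(res.headers).
function auditSecurityHeaders(headers) {
  const problems = [];
  if (headers['x-content-type-options'] !== 'nosniff') problems.push('X-Content-Type-Options is not nosniff');
  const xfo = (headers['x-frame-options'] || '').toUpperCase();
  if (xfo !== 'DENY' && xfo !== 'SAMEORIGIN') problems.push('X-Frame-Options missing or permissive');
  const hsts = headers['strict-transport-security'] || '';
  const maxAge = Number((hsts.match(/max-age=(\d+)/i) || [])[1] || 0);
  if (maxAge < 31536000) problems.push('HSTS missing or max-age below one year (preload minimum)');
  return problems;
}

// Constructed sample input standing in for a source file and a weak staging response.
const SAMPLE_SOURCE = [
  "const client = new OpenAI({ apiKey: 'sk-CONSTRUCTEDsamplekey1234' });",
  "const db = { user: 'app', password: process.env.DB_PASSWORD };",
  "const legacy = { password: 'hunter2' };",
].join('\n');
const SAMPLE_HEADERS = { 'x-frame-options': 'ALLOWALL', 'strict-transport-security': 'max-age=300' };

console.log(findHardcodedSecrets(SAMPLE_SOURCE));
console.log(missingEnvVars({ DATABASE_URL: 'postgres://db.example.invalid/app', NEXTAUTH_SECRET: '' }));
console.log(auditSecurityHeaders(SAMPLE_HEADERS));
```

To run it against a real preview deployment, read the source files with `fs`, pass `process.env` (or the platform's exported environment) to `missingEnvVars`, and feed `Object.fromEntries((await fetch(stagingUrl)).headers)` to `auditSecurityHeaders`.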

What You'll Achieve

Your Bolt.new app is deployed with all secrets in environment variables, security headers configured, and a clean git repository. A security scan has verified the deployment.

Common Mistakes to Avoid

Mistake: Deploying the main branch without a staging test

Fix: Always deploy to a preview URL first, scan it, then promote to production.

Mistake: Forgetting to set NEXTAUTH_URL for production

Fix: NextAuth requires NEXTAUTH_URL to match your production domain. Without it, authentication callbacks will fail.

Frequently Asked Questions

Where should I deploy my Bolt.new app?

Vercel is the most common choice for Next.js apps generated by Bolt.new. It provides automatic HTTPS, preview deployments, and easy environment variable management.

Do I need a separate staging environment?

Yes. Vercel preview deployments serve as staging. Always test security fixes on a preview deployment before merging to production.

Ready to Secure Your App?

VAS automatically scans your deployed app for the security issues covered in this guide. Get actionable results in minutes.