Step-by-Step Guide
8 steps

How to Secure Your Bolt.new App

Bolt.new generates full-stack apps in seconds, but the generated code often lacks security hardening. Exposed API keys, missing headers, and unprotected endpoints are the most common issues. This guide covers every step to lock down your Bolt.new application.

Scan Your App Now

Find security issues automatically before attackers do.

Follow These Steps

1

Audit your codebase for exposed API keys

Bolt.new often places API keys directly in source files. Search your entire codebase for any hardcoded secrets like OpenAI keys, Stripe secret keys, or database passwords.

Code Example
# Search for common API key patterns
grep -rn "sk-" src/
grep -rn "OPENAI" src/
grep -rn "apiKey" src/ --include="*.ts" --include="*.tsx"

Firebase API keys and Supabase anon keys are safe to have in frontend code. Focus on finding secret keys like sk-live_, sk-proj_, or database connection strings.

2

Move secrets to environment variables

Create a .env file for local development and configure environment variables in your hosting platform. Never commit .env files to git.

Code Example
# .env (add to .gitignore)
OPENAI_API_KEY=sk-proj-your-key-here
STRIPE_SECRET_KEY=sk-live-your-key-here
DATABASE_URL=postgresql://...

# .gitignore
.env
.env.local
.env.production

If a key was ever committed to git, consider it compromised. Rotate the key immediately even after removing it from code.

3

Create server-side API routes for sensitive operations

Instead of calling third-party APIs directly from the browser, create API routes that run on the server where environment variables are accessible.

Code Example
// app/api/chat/route.ts (Next.js example)
import { NextResponse } from 'next/server'

export async function POST(req: Request) {
  const { message } = await req.json()
  const response = await fetch('https://api.openai.com/v1/chat/completions', {
    method: 'POST',
    headers: {
      'Authorization': `Bearer ${process.env.OPENAI_API_KEY}`,
      'Content-Type': 'application/json'
    },
    body: JSON.stringify({
      model: 'gpt-4o',
      messages: [{ role: 'user', content: message }]
    })
  })
  return NextResponse.json(await response.json())
}
4

Add security headers

Configure HTTP security headers to protect against common web attacks. The method depends on your framework and hosting platform.

Code Example
// next.config.js
const nextConfig = {
  async headers() {
    return [{
      source: '/(.*)',
      headers: [
        { key: 'X-Content-Type-Options', value: 'nosniff' },
        { key: 'X-Frame-Options', value: 'DENY' },
        { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
        { key: 'Strict-Transport-Security', value: 'max-age=63072000; includeSubDomains; preload' }
      ]
    }]
  }
}
module.exports = nextConfig
5

Validate and sanitize all user inputs

Bolt.new generated code often trusts user input without validation. Add validation on both client and server side using a library like Zod.

Code Example
import { z } from 'zod'

const ContactSchema = z.object({
  name: z.string().min(1).max(100),
  email: z.string().email(),
  message: z.string().min(1).max(5000)
})

export async function POST(req: Request) {
  const body = await req.json()
  const result = ContactSchema.safeParse(body)
  if (!result.success) {
    return NextResponse.json({ error: result.error.issues }, { status: 400 })
  }
  // Process validated data
}
6

Protect your database with proper access controls

If Bolt generated a database connection, ensure it uses parameterized queries and the database user has minimal permissions.

Code Example
// BAD - SQL injection vulnerable
const query = `SELECT * FROM users WHERE id = ${userId}`

// GOOD - Parameterized query
const query = 'SELECT * FROM users WHERE id = $1'
const result = await pool.query(query, [userId])
7

Set up authentication and authorization

If your app has user accounts, implement proper session management. Use established libraries rather than rolling your own auth.

Code Example
// Using NextAuth.js (next-auth)
import NextAuth from 'next-auth'
import GoogleProvider from 'next-auth/providers/google'

export default NextAuth({
  providers: [
    GoogleProvider({
      clientId: process.env.GOOGLE_CLIENT_ID!,
      clientSecret: process.env.GOOGLE_CLIENT_SECRET!
    })
  ],
  callbacks: {
    async session({ session, token }) {
      session.user.id = token.sub!
      return session
    }
  }
})
8

Run a security scan to verify your fixes

Use VAS to scan your deployed Bolt.new app and verify that all vulnerabilities have been addressed. The scan checks for exposed keys, missing headers, and common misconfigurations.

Scan both your staging and production environments to catch environment-specific issues.

What You'll Achieve

Your Bolt.new app now has secrets stored in environment variables, server-side API routes for sensitive operations, security headers configured, input validation in place, and proper authentication. The most common attack vectors in Bolt-generated code are closed.

Common Mistakes to Avoid

Mistake

Only removing API keys from the latest commit

Fix

Keys remain in git history. Use git-filter-repo to scrub history, or better yet, just rotate the compromised key immediately.

Mistake

Adding .env to .gitignore after already committing it

Fix

The file is already in git history. Remove it with git rm --cached .env, add to .gitignore, and rotate all keys in the file.

Mistake

Validating input only on the client side

Fix

Client-side validation can be bypassed. Always validate on the server side as well using a schema validation library like Zod.

Frequently Asked Questions

Are Bolt.new apps secure by default?

No. Bolt.new focuses on generating functional code quickly. Security hardening like environment variables, input validation, and security headers must be added manually after generation.

I found an API key in my Bolt code. Is it compromised?

If the code was ever deployed or pushed to a public repository, assume the key is compromised. Rotate it immediately through the provider dashboard, then move it to an environment variable.

Which API keys are safe to have in frontend code?

Firebase API keys and Supabase anon keys are designed to be public. Their security relies on Firebase Security Rules and Supabase Row Level Security respectively. All other API keys should be kept server-side.

How often should I scan my Bolt.new app?

Scan after every significant code change or deployment. AI-generated code can introduce new vulnerabilities with each iteration, so regular scanning is essential.

Related Guides

Fix Bolt.new API Key ExposureDeploy Bolt.new SecurelyAdd Security Headers in Next.jsPrevent XSS Attacks

Ready to Secure Your App?

VAS automatically scans your deployed app for the security issues covered in this guide. Get actionable results in minutes.

Start Security Scan