What vulnerabilities are found in Bolt.new apps?

The vulnerabilities actually found in Bolt.new apps

Not theoretical OWASP categories — specifically what appears when VAS, security researchers, and bug bounty hunters look at live Bolt.new deployments:

1. **Exposed API Keys**

OpenAI, Stripe, and other secret keys hardcoded directly in frontend JavaScript bundles. Attackers can extract these keys and use your API quotas, make purchases, or access your services.

2. **Missing Supabase RLS**

Database tables accessible to anyone with the anon key because Row Level Security policies haven't been configured. This means any user can read, modify, or delete all data in exposed tables.

3. **No Security Headers**

Missing Content-Security-Policy, Strict-Transport-Security, and X-Frame-Options headers leave your app vulnerable to cross-site scripting, man-in-the-middle attacks, and clickjacking.

4. **Weak Authentication**

No minimum password requirements, missing email verification, and lack of rate limiting on login endpoints allows brute force attacks and account takeovers.

5. **Source Map Exposure**

Production source maps uploaded to hosting reveal your entire application source code, including business logic, API endpoints, and potentially sensitive comments.

Distribution by severity

Of the findings above, 0 sit at critical impact (full data exposure), 0 at high (significant data or account compromise), and the rest are medium-or-lower (attack surface expansion). A first-scan Bolt.new app typically has 2–4 findings from this list live at any moment.

How to know which ones are in your app

Run a VAS scan. Each finding above is tested directly — we query your database to verify access controls are active, scan bundles for key patterns, probe auth endpoints for rate limiting, and check security headers in live responses. Output is a per-finding report with evidence and fix.