Is it safe to launch my Bolt app to paying customers?
Probably not without a security review first. Bolt apps typically ship with three classes of bug: missing RLS on Supabase tables (user-data leak), leaked API keys in client-side code, and ID-swap bugs in API routes. Every one is fixable in under an hour, but you need to find them first. A Securie review beats a 3am incident call.
Bolt, v0, Lovable, and Replit generate functional apps fast — their models prioritize 'works' over 'safely works'. Before you take payments, you want three things locked down:
**1. Supabase RLS.** Go to Supabase → Authentication → Policies. Every table with user data must have RLS enabled and a policy that scopes by `auth.uid()`. If any table says 'RLS disabled' or has a policy with `using (true)`, every user can read every row.
**2. No keys in client code.** Open your Bolt project. Search for 'SUPABASE_SERVICE_ROLE', 'STRIPE_SECRET', 'OPENAI_API_KEY'. If you find these in anything other than `.env.local` or a `/api/` route, attackers will find them too.
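A quick way to run that search automatically, as an added example that is not Securie's or Bolt's code: the function below walks a project (here a constructed in-memory map of path to file contents) and flags any of the three secret names that appear outside `.env.local` or an `/api/` path. Whether a flagged value actually reaches the browser depends on the bundler, so run the same search over the built output as well, not only the source tree.

```javascript
// Added example (not Securie's or Bolt's code): find secret names that must
// never appear in client-side code. Paths and file contents are constructed.
const SECRET_NAMES = ['SUPABASE_SERVICE_ROLE', 'STRIPE_SECRET', 'OPENAI_API_KEY'];

// The only places the checklist allows these names: the env file and
// server-only API routes.
function isServerOnlyPath(path) {
  return path.endsWith('.env.local') || path.includes('/api/');
}

// files: { [path]: contents }. Returns one finding per offending line.
function findLeakedSecrets(files) {
  const findings = [];
  for (const [path, content] of Object.entries(files)) {
    if (isServerOnlyPath(path)) continue;
    content.split('\n').forEach((line, i) => {
      for (const name of SECRET_NAMES) {
        if (line.includes(name)) {
          findings.push({ path, line: i + 1, secret: name });
        }
      }
    });
  }
  return findings;
}

// Constructed sample project: two legitimate uses, two leaks.
const SAMPLE_PROJECT = {
  '.env.local':
    'STRIPE_SECRET=placeholder\nOPENAI_API_KEY=placeholder\n',
  'app/api/checkout/route.ts':
    'const key = process.env.STRIPE_SECRET; // server route, allowed\n',
  'app/components/Chat.tsx':
    'const client = new OpenAI({ apiKey: process.env.OPENAI_API_KEY });\n',
  'lib/supabaseClient.ts':
    'export const db = createClient(url, process.env.SUPABASE_SERVICE_ROLE);\n',
};

// Usage: node scan.js prints the two leaks (Chat.tsx and supabaseClient.ts).
for (const f of findLeakedSecrets(SAMPLE_PROJECT)) {
  console.log(`${f.path}:${f.line} references ${f.secret}`);
}
```

Keep the allow-list strict: a shared `lib/` helper that reads the service-role key is flagged here on purpose, because anything imported by a client component ends up in the client bundle.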
**3. API routes check ownership.** Every `/api/` route that reads user data must verify the request is for that user's own data. Test: log in as yourself, hit `/api/orders/123`, copy the URL, change to `/api/orders/124`. If you see another user's order, you have the bug.
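The ID-swap test above, written as runnable code (an added example, not code from the original page or from Bolt): an in-memory orders table stands in for the database, `getOrderVulnerable` has the shape generated routes often have, and `getOrderScoped` is the fix. `idSwapLeaks` automates the manual check from the checklist so it can run in CI. With Supabase the equivalent fix is adding `.eq('user_id', user.id)` to the query and keeping RLS enabled as the database-side backstop, so a forgotten filter in one route still returns nothing.

```javascript
// Added example (not Securie's or Bolt's code): a simulated GET /api/orders/:id
// handler showing the ID-swap bug and its fix. Rows and sessions are constructed.
const ORDERS = [
  { id: 123, user_id: 'user-a', total: 4200 },
  { id: 124, user_id: 'user-b', total: 1800 },
];

// Vulnerable: looks up by id only, so any logged-in user can read any order.
function getOrderVulnerable(session, orderId) {
  const order = ORDERS.find((o) => o.id === orderId);
  return order ? { status: 200, body: order } : { status: 404, body: null };
}

// Fixed: the lookup is scoped to the caller's own user id.
function getOrderScoped(session, orderId) {
  if (!session || !session.userId) return { status: 401, body: null };
  const order = ORDERS.find(
    (o) => o.id === orderId && o.user_id === session.userId
  );
  // 404 rather than 403, so the response does not confirm that the id exists.
  return order ? { status: 200, body: order } : { status: 404, body: null };
}

// The checklist's manual test, automated: log in as one user, fetch your own
// order, then the neighbouring id. Returns true if the handler leaks.
function idSwapLeaks(handler) {
  const session = { userId: 'user-a' };
  const own = handler(session, 123);
  const other = handler(session, 124);
  return (
    own.status === 200 &&
    other.status === 200 &&
    other.body.user_id !== session.userId
  );
}

// Usage: node idswap.js
console.log('vulnerable handler leaks:', idSwapLeaks(getOrderVulnerable));
console.log('scoped handler leaks:', idSwapLeaks(getOrderScoped));
```

The same pattern applies to every route that takes an id from the URL or body: the row must be fetched with the authenticated user's id as part of the lookup, not fetched first and compared afterwards in code that is easy to forget.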
Once payments are flowing, add: rate limits on sensitive endpoints (login, reset), a support email on your site, and a `/.well-known/security.txt` so researchers can report findings. Stripe Radar catches most card fraud; don't build that yourself.
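For the rate limits on login and reset, here is a minimal fixed-window limiter as an added example (not Securie's or Bolt's code). It is in-memory and single-process, which is enough for one server; a deployment with several instances needs the counters in a shared store instead. The `allow` function takes an optional `now` so the window logic can be tested without waiting.

```javascript
// Added example (not Securie's or Bolt's code): fixed-window rate limiter for
// sensitive routes such as /api/login and /api/reset. In-memory, one process.
function createRateLimiter({ limit, windowMs }) {
  const buckets = new Map(); // key -> { count, windowStart }

  // Returns true if the request may proceed, false if the key is over limit.
  return function allow(key, now = Date.now()) {
    const b = buckets.get(key);
    if (!b || now - b.windowStart >= windowMs) {
      buckets.set(key, { count: 1, windowStart: now });
      return true;
    }
    b.count += 1;
    return b.count <= limit;
  };
}

// Five attempts per 15 minutes, keyed by client address plus the account
// being targeted, so one address cannot spray many accounts and one account
// cannot be hammered from many addresses without tripping a limit.
const loginLimiter = createRateLimiter({ limit: 5, windowMs: 15 * 60 * 1000 });

// Shape of the check inside a login route handler (ip and email are whatever
// your framework exposes for the request).
function loginAllowed(ip, email, now) {
  return loginLimiter(`${ip}:${email.toLowerCase()}`, now);
}

// Usage: node limiter.js shows the sixth attempt rejected.
for (let i = 1; i <= 6; i++) {
  console.log(`attempt ${i}:`, loginAllowed('203.0.113.7', 'user@example.com'));
}
```

Return HTTP 429 when `allow` is false, and log the rejected key: a burst of rejections on the reset route is itself a signal worth alerting on.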
Once your repo is enabled in Securie, it runs these checks against your Bolt app and returns a plain-English report before your launch, not after the 3am incident.