Is it safe to launch my Bolt app to paying customers?

Short answer

Probably not without a security review first. Bolt apps typically ship with three classes of bug: missing RLS on Supabase tables (every user can read every other user's data), leaked API keys in client-side code, and ID-swap bugs (insecure direct object references) in API routes. Each one is fixable in under an hour, but you need to find them first. A 30-second free scan beats a 3am incident call.

Bolt, v0, Lovable, and Replit generate functional apps fast — their models prioritize 'works' over 'safely works'. Before you take payments, you want three things locked down:

**1. Supabase RLS.** In the Supabase dashboard go to Authentication → Policies. Every table holding user data must have RLS enabled and a policy whose `using` clause ties each row to `auth.uid()`. If a table shows 'RLS disabled', anyone holding your anon key (it ships in the client bundle) can read and modify every row; a policy with `using (true)` on a user table has the same effect for whatever command it covers. Two caveats: enabling RLS on a table with no policies blocks all access from the anon key, so click through the app again after turning it on; and the service role key bypasses RLS entirely, which is the reason it must never reach the client (point 2).
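To make this check repeatable rather than a dashboard walk-through, here is an added example (not Securie's or Supabase's code) that applies the same rules to rows pulled from Postgres's `pg_tables` and `pg_policies` catalogs, which is what the Supabase SQL editor shows you. The rows below are constructed sample data; `publicTables` is an assumed allowlist for tables that are meant to be world-readable.

```javascript
// Added example, not the project's own code. Assumes you ran, in the Supabase SQL editor:
//   select tablename, rowsecurity from pg_tables where schemaname = 'public';
//   select tablename, policyname, cmd, roles, qual, with_check
//     from pg_policies where schemaname = 'public';
// and pasted the results in. Everything below is constructed sample data.

const tables = [
  { tablename: "orders",   rowsecurity: true },
  { tablename: "profiles", rowsecurity: true },
  { tablename: "invoices", rowsecurity: false },
  { tablename: "messages", rowsecurity: true },
  { tablename: "products", rowsecurity: true },
];

const policies = [
  // scoped correctly: each user sees only their own orders
  { tablename: "orders", policyname: "own orders", cmd: "SELECT", roles: "{authenticated}",
    qual: "(auth.uid() = user_id)", with_check: null },
  // the classic generated-app mistake: RLS is on, but the policy lets everyone through
  { tablename: "profiles", policyname: "Enable read access for all users", cmd: "SELECT",
    roles: "{public}", qual: "true", with_check: null },
  // looks scoped because it mentions auth.uid(), but any logged-in user passes
  { tablename: "messages", policyname: "logged in can read", cmd: "SELECT",
    roles: "{authenticated}", qual: "(auth.uid() IS NOT NULL)", with_check: null },
  // a public catalog: using (true) for SELECT is fine here
  { tablename: "products", policyname: "public read", cmd: "SELECT", roles: "{public}",
    qual: "true", with_check: null },
];

// Assumed allowlist: tables that hold no per-user data, where using (true) is not a finding.
const publicTables = new Set(["products"]);

function auditRls(tables, policies, publicTables = new Set()) {
  const findings = [];
  const isTrue = (expr) => /^\s*\(?\s*true\s*\)?\s*$/i.test(expr ?? "");
  for (const t of tables) {
    const own = policies.filter((p) => p.tablename === t.tablename);
    if (!t.rowsecurity) {
      findings.push({ table: t.tablename, severity: "critical",
        issue: "RLS disabled: anyone with the anon key can read and modify every row" });
      continue;
    }
    if (own.length === 0) {
      // RLS on with no policies denies the anon/authenticated roles everything:
      // not a leak, but the app is probably broken, so report it.
      findings.push({ table: t.tablename, severity: "info",
        issue: "RLS enabled with no policies: all client access is denied" });
      continue;
    }
    if (publicTables.has(t.tablename)) continue;
    for (const p of own) {
      const expr = `${p.qual ?? ""} ${p.with_check ?? ""}`;
      if (isTrue(p.qual) || isTrue(p.with_check)) {
        findings.push({ table: t.tablename, policy: p.policyname, severity: "critical",
          issue: `${p.cmd} policy is using (true): every user sees (or writes) every row` });
      } else if (/auth\.uid\(\)\s+is\s+not\s+null/i.test(expr)) {
        findings.push({ table: t.tablename, policy: p.policyname, severity: "critical",
          issue: `${p.cmd} policy only requires a login: any signed-in user sees every row` });
      } else if (!expr.includes("auth.uid()")) {
        findings.push({ table: t.tablename, policy: p.policyname, severity: "warning",
          issue: `${p.cmd} policy does not reference auth.uid(); check it scopes rows to their owner` });
      }
    }
  }
  return findings;
}

console.log(auditRls(tables, policies, publicTables));
```

The service role key is not in this picture at all: it bypasses RLS no matter what the audit says, so the audit only tells you what the anon and authenticated roles can reach.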

**2. No keys in client code.** Open your Bolt project and search for 'SUPABASE_SERVICE_ROLE', 'STRIPE_SECRET' and 'OPENAI_API_KEY'. If they appear anywhere other than `.env.local` or a server-only `/api/` route, attackers will find them too: everything in the client bundle is one 'view source' away. Two things people miss: a variable named `VITE_...` or `NEXT_PUBLIC_...` is inlined into the browser bundle by the build tool even if it only ever lives in `.env.local`, so a secret with that prefix is already leaked; and a secret that has shipped in any deployed build must be rotated, because removing it from the next build does not un-leak it. The Supabase anon key is meant to be public, but only because RLS (point 1) is what protects the data behind it.
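Grepping for the three names catches the obvious case. Here is an added example (not Securie's code) of a scanner that also recognises the key formats themselves and the env prefixes that get bundled into the client. The file contents, key values and JWTs are constructed; the `sb_secret_` prefix for newer Supabase keys and the list of server-only paths are assumptions about a typical Bolt layout.

```javascript
// Added example, not the project's own code. `files` stands in for reading the project tree
// (and dist/ after a build). All contents, keys and tokens below are constructed.

// Supabase legacy API keys are JWTs; the service role one carries "role":"service_role".
function constructedJwt(payload) {
  const b64 = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${b64({ alg: "HS256", typ: "JWT" })}.${b64(payload)}.constructed_signature_not_real`;
}
const serviceRoleJwt = constructedJwt({ iss: "supabase", role: "service_role" });
const anonJwt = constructedJwt({ iss: "supabase", role: "anon" });

function decodeJwtRole(token) {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  try {
    return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8")).role ?? null;
  } catch {
    return null;
  }
}

const files = {
  "src/lib/supabase.ts": `import { createClient } from "@supabase/supabase-js";
export const supabase = createClient(import.meta.env.VITE_SUPABASE_URL, "${serviceRoleJwt}");`,
  ".env.local": `VITE_SUPABASE_URL=https://example.supabase.co
VITE_SUPABASE_ANON_KEY=${anonJwt}
VITE_STRIPE_SECRET_KEY=sk_live_${"x".repeat(24)}
OPENAI_API_KEY=sk-${"y".repeat(40)}`,
  "supabase/functions/checkout/index.ts": `const stripe = new Stripe("sk_live_${"z".repeat(24)}");`,
  "src/components/Checkout.tsx": `const pk = "pk_live_${"w".repeat(24)}"; // publishable key: fine in the client`,
};

const SECRET_PATTERNS = [
  { name: "Stripe secret key", re: /\bsk_(?:live|test)_[A-Za-z0-9]{16,}\b/g },
  { name: "OpenAI API key", re: /\bsk-[A-Za-z0-9_-]{20,}\b/g },
  // assumption: prefix used by the newer Supabase secret key format
  { name: "Supabase secret key (new format)", re: /\bsb_secret_[A-Za-z0-9_-]{10,}\b/g },
  { name: "JWT", re: /\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b/g },
];
const CLIENT_ENV_PREFIX = /^(?:VITE_|NEXT_PUBLIC_|REACT_APP_)/;
const SERVER_ONLY_PATH = /(?:^|\/)(?:api|server|supabase\/functions)\//; // assumed layout

function scanForLeakedSecrets(files) {
  const findings = [];
  for (const [path, text] of Object.entries(files)) {
    const isEnvFile = /(?:^|\/)\.env(?:\.|$)/.test(path);
    const isServer = SERVER_ONLY_PATH.test(path);
    for (const { name, re } of SECRET_PATTERNS) {
      for (const m of text.matchAll(re)) {
        // The anon JWT is designed to be public; only the service role JWT is a secret.
        if (name === "JWT" && decodeJwtRole(m[0]) !== "service_role") continue;
        const line = text.slice(0, m.index).split("\n").length;
        const lineText = text.split("\n")[line - 1];
        const envName = isEnvFile ? (lineText.match(/^\s*([A-Z0-9_]+)\s*=/) || [])[1] : undefined;
        let severity, why;
        if (isEnvFile && envName && CLIENT_ENV_PREFIX.test(envName)) {
          severity = "critical"; why = `${envName} is inlined into the browser bundle by the build tool`;
        } else if (isEnvFile) {
          severity = "ok"; why = "env file, not bundled; fine as long as only server code reads it";
        } else if (isServer) {
          severity = "warning"; why = "server-side but hardcoded: move to an env var, rotate if ever committed";
        } else {
          severity = "critical"; why = "client source: this string ships to every browser";
        }
        findings.push({ path, line, secret: name === "JWT" ? "Supabase service role key" : name, severity, why });
      }
    }
  }
  return findings;
}

console.log(scanForLeakedSecrets(files));
```

The publishable Stripe key (`pk_live_...`) and the anon JWT produce no findings, which is the point: the scan has to tell public keys from secret ones, or people learn to ignore it.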

**3. API routes check ownership.** Every `/api/` route that reads or writes user data must check that the authenticated user owns the record, using the user ID from the server-side session, never one sent by the client. Test: log in as yourself, hit `/api/orders/123`, copy the URL, change it to `/api/orders/124`. If you see another user's order, you have the bug (an insecure direct object reference). The fix is a lookup keyed by both the record ID and the session's user ID, returning 404 whether the record is missing or belongs to someone else, so the route does not confirm which IDs exist. Repeat the test for update and delete routes, not just reads.
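The ID-swap test as code, as an added example that is not Securie's or Bolt's: two versions of a `GET /api/orders/:id` handler over a constructed in-memory store, plus a probe that does the swap for you. Real apps resolve the session from a cookie or bearer token; here `req.session` stands in for that step, and the framework-free `{ status, body }` shape is an assumption so it runs without a server.

```javascript
// Added example, not the project's own code. The orders below are constructed sample data.
const orders = new Map([
  [123, { id: 123, userId: "alice", total: 4200 }],
  [124, { id: 124, userId: "bob", total: 99 }],
]);

// Vulnerable: trusts the ID in the URL and nothing else.
function getOrderVulnerable(req) {
  const order = orders.get(Number(req.params.id));
  return order ? { status: 200, body: order } : { status: 404, body: null };
}

// Hardened: the owner comes from the server-side session, never from the request, and a record
// that exists but belongs to someone else is indistinguishable from one that does not exist.
function loadOwnedOrder(req) {
  const user = req.session?.userId;
  if (!user) return { status: 401 };
  const order = orders.get(Number(req.params.id));
  if (!order || order.userId !== user) return { status: 404 };
  return { status: 200, order };
}

function getOrderSecure(req) {
  const r = loadOwnedOrder(req);
  return r.status === 200 ? { status: 200, body: r.order } : { status: r.status, body: null };
}

// The same helper guards writes, so the update/delete routes cannot forget the check.
function cancelOrderSecure(req) {
  const r = loadOwnedOrder(req);
  if (r.status !== 200) return { status: r.status, body: null };
  r.order.status = "cancelled";
  return { status: 200, body: r.order };
}

// The checklist test: fetch your own order, then swap the ID for your neighbours'.
// Returns the IDs whose records came back even though they belong to someone else.
function idorProbe(handler, asUser, ownId, otherIds) {
  const mine = handler({ session: { userId: asUser }, params: { id: String(ownId) } });
  if (mine.status !== 200) throw new Error("own order should be readable; fix auth before testing IDOR");
  const leaked = [];
  for (const id of otherIds) {
    const res = handler({ session: { userId: asUser }, params: { id: String(id) } });
    if (res.status === 200 && res.body.userId !== asUser) leaked.push(id);
  }
  return leaked;
}

console.log("vulnerable leaks:", idorProbe(getOrderVulnerable, "alice", 123, [124, 125]));
console.log("secure leaks:", idorProbe(getOrderSecure, "alice", 123, [124, 125]));
```

With sequential integer IDs the probe is also an enumeration: feed it a range and it tells you how much of the table a single logged-in user can walk. If the IDs are UUIDs, the bug is just as real, only slower to find, so do not treat random IDs as the fix.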

Once payments are flowing, add: rate limits on sensitive endpoints (login, password reset), a support email on your site, and a `/.well-known/security.txt` so researchers can report findings. Stripe Radar catches most card fraud; don't build that yourself.

Securie's free scan (launching this year) will run all three checks on your Bolt app and email you a plain-English report within a week of early access opening. Join the list now and it runs before your launch, not after the 3am incident.
