You built your SaaS on Bolt.new. The Vite-bundled secrets + missing auth are your security surface.

Bolt's prompt-driven generator skips auth + ships VITE_-prefixed env vars to the client. Securie scans the GitHub repo Bolt exports to.

This is for you if…

  • Built your app on Bolt.new in days
  • Are one of Bolt's 5M users
  • Have real users + real revenue
  • Wondering if your VITE_ env vars exposed something

The moments you feel this

First env-var-leak panic

You realize VITE_OPENAI_API_KEY was bundled into your client. The key is in every visitor's browser.
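The leak happens because Vite only exposes environment variables that carry the `VITE_` prefix to client code (through `import.meta.env`), so any secret given that prefix is compiled into the shipped bundle. The following is an added example, not Securie's scanner or Bolt's code: a small pre-commit check that parses a `.env` file and flags `VITE_`-prefixed names that look like secrets, while exempting names that are designed to be public (publishable and anon keys). The `.env` content is constructed sample data and the key values are placeholders.

```javascript
// Added example (not Securie's or Bolt's code): flag VITE_-prefixed variables
// whose names suggest a secret. Vite exposes only VITE_-prefixed variables to
// client code via import.meta.env, so anything under that prefix ships to
// every visitor's browser. The .env text below is constructed sample data.

// Name fragments that usually mean "server-only credential".
const SECRET_NAME_HINT = /(KEY|SECRET|TOKEN|PASSWORD|PRIVATE)/i;
// Names that are intended to be public (e.g. Stripe publishable key,
// Supabase anon key); these still rely on server-side rules, but are not
// leaks by themselves.
const PUBLIC_BY_DESIGN = /(PUBLISHABLE|ANON)/i;

// Parse dotenv text into { name, value } pairs, skipping comments and blanks.
function parseDotenv(text) {
  const vars = [];
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === '' || line.startsWith('#')) continue;
    const eq = line.indexOf('=');
    if (eq === -1) continue;
    const name = line.slice(0, eq).trim();
    let value = line.slice(eq + 1).trim();
    // Strip one layer of surrounding quotes.
    if (value.length >= 2 &&
        ((value.startsWith('"') && value.endsWith('"')) ||
         (value.startsWith("'") && value.endsWith("'")))) {
      value = value.slice(1, -1);
    }
    vars.push({ name, value });
  }
  return vars;
}

// Return the names that Vite will bundle AND that look like secrets.
// `prefix` defaults to Vite's default envPrefix.
function findClientExposedSecrets(text, prefix = 'VITE_') {
  return parseDotenv(text)
    .filter(v => v.name.startsWith(prefix))
    .filter(v => {
      const rest = v.name.slice(prefix.length);
      return SECRET_NAME_HINT.test(rest) && !PUBLIC_BY_DESIGN.test(rest);
    })
    .map(v => v.name);
}

// Constructed sample .env; values are obvious placeholders, not real keys.
const SAMPLE_ENV = `
# constructed sample .env
VITE_API_BASE_URL=https://api.example.test
VITE_OPENAI_API_KEY=sk-EXAMPLE-PLACEHOLDER-0000000000
OPENAI_API_KEY=sk-EXAMPLE-PLACEHOLDER-0000000000
VITE_STRIPE_PUBLISHABLE_KEY="pk_test_EXAMPLE_PLACEHOLDER"
VITE_FEATURE_FLAG_BETA=true
DATABASE_URL=postgres://user:pass@localhost/db
`;

// Exit non-zero from a pre-commit hook when anything is flagged.
function main() {
  const flagged = findClientExposedSecrets(SAMPLE_ENV);
  console.log('client-exposed secrets:', flagged);
  return flagged.length === 0 ? 0 : 1;
}

main();
```

The fix for a flagged variable is to drop the `VITE_` prefix and move the call that needs it behind a server-side route; the name heuristic is deliberately simple, so a repo-wide scan should also look at the built `dist/` output, where the value itself appears.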

First customer questioning auth

User reports they can see other users' data. You realize your /api/orders/[id] route has no ownership check.
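The missing ownership check is a Broken Object Level Authorization (BOLA) bug: the handler looks an order up by the id in the URL and never asks whether the caller owns it. As an added example, not Bolt's generated code, the vulnerable handler is shown beside a hardened one that scopes the lookup to the authenticated user, plus the kind of cross-tenant read test a PR-time check would run. The in-memory `ORDERS` table, the request objects and the `currentUserId` session helper are constructed for the example.

```javascript
// Added example (not Bolt's generated code): a /api/orders/[id] handler
// without an ownership check, beside the fixed version. ORDERS and the
// request objects are constructed sample data; handlers return a plain
// { status, body } object so they can run without a web framework.

const ORDERS = [
  { id: 'ord_1', ownerId: 'user_a', total: 42 },
  { id: 'ord_2', ownerId: 'user_b', total: 99 },
];

// Hypothetical session lookup: in a real app this comes from a verified
// session cookie or JWT, never from a query or body parameter.
function currentUserId(req) {
  return req.session?.userId ?? null;
}

// Before: any caller who knows (or guesses) an id can read any order (BOLA).
function getOrderVulnerable(req) {
  const order = ORDERS.find(o => o.id === req.params.id);
  if (!order) return { status: 404, body: { error: 'not found' } };
  return { status: 200, body: order };
}

// After: require an authenticated user and include the owner in the lookup,
// so the data layer never returns another tenant's row at all.
function getOrderHardened(req) {
  const userId = currentUserId(req);
  if (!userId) return { status: 401, body: { error: 'unauthenticated' } };
  const order = ORDERS.find(o => o.id === req.params.id && o.ownerId === userId);
  // Same 404 for "missing" and "not yours", so responses do not confirm
  // which ids exist.
  if (!order) return { status: 404, body: { error: 'not found' } };
  return { status: 200, body: order };
}

// Cross-tenant read test: user_a asks for user_b's order. A handler passes
// only if that request does not succeed.
function crossTenantReadBlocked(handler) {
  const req = { params: { id: 'ord_2' }, session: { userId: 'user_a' } };
  return handler(req).status !== 200;
}

console.log('vulnerable blocks cross-tenant read:', crossTenantReadBlocked(getOrderVulnerable));
console.log('hardened blocks cross-tenant read:', crossTenantReadBlocked(getOrderHardened));
```

The same pattern applies to every dynamic `/[id]` route, including updates and deletes: the owner (or tenant id) belongs in the query, not in an `if` after the row has already been fetched, and the cross-tenant test belongs in CI so a regenerated handler cannot silently drop the check.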

First Show-HN front-page burst

1000 visitors in an hour. Your single-server deploy folds. You don't know what they probed.

What Securie does for you

secret_scanner on Vite bundle

Catches every VITE_-prefixed key shipped to the client, at PR time.

AuthAuthz/BOLA on route handlers

Sandbox-verifies cross-tenant reads on every dynamic /[id] route.

Pre-deploy gate on Vercel/Netlify

Blocks deploys with critical findings until fixed.

What you don't need to know

  • What VITE_ vs PUBLIC_ vs NEXT_PUBLIC_ means
  • How BOLA differs from IDOR
  • What sandbox-verified means

What you actually do

  1. Connect Bolt's GitHub-export to a real GitHub repo
  2. Install Securie GitHub App on that repo
  3. Push any commit; Securie reviews on the PR within 30-90 seconds

Hundreds of Bolt-built SaaS founders ship safer with Securie's specialist fleet.

But wait…

I don't have a GitHub repo — I just use Bolt

Bolt's GitHub-export is one click. Connect first; install Securie second.

Bolt's defaults look fine

Our audit of vibe-coding platforms' defaults: the Lovable BOLA breach of Apr 2026 affected 10.3% of apps. Bolt's defaults are similar. Verify, don't trust.