Is Bolt.new safe?
Bolt.new generates full-stack apps at impressive speed. Here is what routinely goes wrong security-wise and how to fix it before you ship to real users.
Bolt apps ship with standard frontend frameworks and the same failure modes as any Vite/Next.js app: leaked env vars, missing CSRF, lack of rate limits. Vibe Leak Index: ~13% have at least one credential leak.
How it fails in production
Leaked API keys in the client bundle
Bolt's prompt-driven code generation doesn't reliably catch when a server-only key is used in client code. The variable ships to the browser.
Missing auth on route handlers
Bolt generates route handlers per your description. Auth checks are opt-in — if you did not specify 'authenticated users only', no check was added.
CORS set to '*' by default
Bolt's templates sometimes ship permissive CORS for dev and do not tighten for production.
How to ship safely on Bolt.new
- Move any key that is not a publishable (client-safe) key out of client code
- Review every route handler for authorization checks
- Set CORS to an allowlist before shipping
- Install Securie to watch future changes
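Two of the checks above, as an added example rather than code from Bolt.new or Securie: a .env scan for server-only credentials that a Vite/Next.js bundler would inline into the browser (the `VITE_`/`NEXT_PUBLIC_` prefixes are real bundler conventions; the name markers, the `sk_` value heuristic and the sample .env are assumptions), and a CORS helper that replaces `*` with an exact-match origin allowlist.

```javascript
// Added example (not Bolt.new's or Securie's code): two pre-deploy checks for a
// Vite/Next.js app. Prefixes, name markers and the sample .env are assumptions.
const CLIENT_PREFIXES = ["VITE_", "NEXT_PUBLIC_"]; // bundlers inline these into browser code
const SECRET_MARKERS = ["SECRET", "PRIVATE", "SERVICE_ROLE", "TOKEN", "PASSWORD"];

// Parse .env text and return the names of variables the bundler would expose to the
// browser although their name or value suggests a server-only credential.
function findClientExposedSecrets(envText) {
  const findings = [];
  for (const raw of envText.split("\n")) {
    const line = raw.trim();
    if (!line || line.startsWith("#")) continue;
    const eq = line.indexOf("=");
    if (eq === -1) continue;
    const name = line.slice(0, eq).trim();
    const value = line.slice(eq + 1).trim().replace(/^["']|["']$/g, "");
    const prefix = CLIENT_PREFIXES.find((p) => name.startsWith(p));
    if (!prefix) continue; // server-only variable: never reaches the bundle
    const rest = name.slice(prefix.length);
    const suspiciousName = SECRET_MARKERS.some((m) => rest.includes(m));
    // Heuristic: Stripe secret keys start with sk_; only pk_ keys are publishable
    const suspiciousValue = /^sk_(live|test)_/.test(value);
    if (suspiciousName || suspiciousValue) findings.push(name);
  }
  return findings;
}

// CORS: exact-match allowlist instead of "*". Returns the headers to send, or null
// when the request origin is not listed (then send no CORS headers at all).
function corsHeadersFor(origin, allowlist) {
  if (!origin || !allowlist.includes(origin)) return null;
  return {
    "Access-Control-Allow-Origin": origin, // echo only a listed origin, never "*"
    "Vary": "Origin", // caches must not reuse this response for another origin
    "Access-Control-Allow-Credentials": "true",
  };
}

// Constructed sample .env for a quick self-check (placeholder values, not real keys).
const SAMPLE_ENV = `
VITE_SUPABASE_URL=https://example.supabase.co
VITE_SUPABASE_ANON_KEY=anon-public-placeholder
VITE_STRIPE_PUBLISHABLE_KEY=pk_test_placeholder
VITE_STRIPE_SECRET_KEY=sk_test_placeholder
NEXT_PUBLIC_SUPABASE_SERVICE_ROLE_KEY=service-role-placeholder
STRIPE_SECRET_KEY=sk_test_placeholder
`;
```

Running `findClientExposedSecrets(SAMPLE_ENV)` flags only the two client-prefixed secrets; the unprefixed `STRIPE_SECRET_KEY` stays server-side and is not reported.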
Securie covers all of the above: its secret scanner catches keys leaked to the client, the auth specialist flags unauthenticated state-changing routes, and the CORS checker detects permissive configuration.
Verdict
Bolt.new is safe for hobbyist apps. For apps with real users or paid users, run a scan before every deploy.