Bolt.new (by StackBlitz) is one of the most impressive vibe coding tools: it builds and runs a full-stack app entirely in your browser, then deploys it in a click. The catch is that "in your browser first" is also where its security gaps come from.

So is Bolt safe? The tool is legitimate. Whether your Bolt-built app is safe depends on a few checks the AI won't do for you.

Risk 1: Secrets in the client bundle

Because Bolt runs everything in the browser via WebContainers, the path of least resistance to "make the API call work" is to drop the key into client-side code. That key then ships in the JavaScript bundle, readable by anyone who opens devtools.

  • Move every secret to a server-side environment variable; only publishable keys belong in the front end.
  • If a key ever lived in client code, rotate it — assume it's compromised.
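A pre-deploy check for this first risk, added here as an example (not Bolt's or StackBlitz's own code): scan the built bundle text for a Supabase legacy JWT whose role claim is service_role, or a Stripe sk_live_/sk_test_ key, both of which are server-only. The sample bundle, the fakeJwt helper and the dummy signatures are constructed for the demonstration; only the anon key is publishable.

```javascript
// Added example (not from Bolt/StackBlitz): scan a built JS bundle for secrets
// that must never reach the browser. Two checks:
//   1. JWT-shaped strings whose payload carries role "service_role"
//      (a Supabase service key; only the "anon" key is publishable).
//   2. Stripe secret keys (sk_live_/sk_test_), which are server-only.
const JWT_RE = /\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g;
const STRIPE_SECRET_RE = /\bsk_(live|test)_[A-Za-z0-9]{8,}/g;

function decodeJwtPayload(token) {
  try {
    const payload = token.split('.')[1];
    return JSON.parse(Buffer.from(payload, 'base64url').toString('utf8'));
  } catch {
    return null; // not a real JWT, ignore it
  }
}

function findLeakedSecrets(bundleText) {
  const findings = [];
  for (const token of bundleText.match(JWT_RE) || []) {
    const claims = decodeJwtPayload(token);
    if (claims && claims.role === 'service_role') {
      findings.push({ kind: 'supabase_service_role_jwt', sample: token.slice(0, 12) + '...' });
    }
  }
  for (const key of bundleText.match(STRIPE_SECRET_RE) || []) {
    findings.push({ kind: 'stripe_secret_key', sample: key.slice(0, 12) + '...' });
  }
  return findings;
}

// Constructed sample bundle: one anon JWT (fine), one service_role JWT (leak),
// one Stripe secret (leak). Signatures are dummy; only the payload matters here.
function fakeJwt(role) {
  const b64 = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${b64({ alg: 'HS256', typ: 'JWT' })}.${b64({ role, iss: 'supabase' })}.dummysig`;
}
const SAMPLE_BUNDLE =
  `const c=createClient("https://example.supabase.co","${fakeJwt('anon')}");` +
  `const admin=createClient("https://example.supabase.co","${fakeJwt('service_role')}");` +
  `const stripe=Stripe("sk_live_0123456789abcdef");`;

// Run against the real build output, e.g. fs.readFileSync('dist/assets/index.js','utf8')
console.log(findLeakedSecrets(SAMPLE_BUNDLE));
```

Any finding means the build must not ship and the key must be rotated, since the bundle has already left your control once deployed.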

Risk 2: Missing authentication

Like any vibe-coded app, Bolt-generated endpoints often return data without checking who's asking. "It works in the preview" doesn't mean "it checks permissions."

Risk 3: Open database

If your Bolt app uses Supabase or another Postgres backend, confirm Row Level Security is enabled with policies on every table — otherwise the public key gives anyone full read/write. See the Supabase RLS guide.

The Bolt security checklist

  • No secrets in client code; secrets in server-side env vars; exposed keys rotated.
  • Every data endpoint checks the session; no open admin routes.
  • If there's a database, access is scoped per user and RLS is on.
  • Input validated server-side; security headers present.

Verify the deployed app

Reviewing the code helps; proving the live app is safe requires testing it. Nurbak scans your deployed Bolt app from the outside for exposed secrets, missing auth, open databases and missing headers, and returns a prioritized report. Paste your URL and get the result in seconds.
