# Bolt.new Security Best Practices: Ship Secure AI-Generated Apps

Published 2026-01-21, updated 2026-02-10. 14 min read.

**TL;DR: The #1 Bolt.new security best practice is enabling Supabase Row Level Security before sharing your app URL.** These 8 practices take about 30 minutes to implement and prevent 85% of security issues in Bolt-generated applications. Focus on: enabling RLS immediately, moving secrets to environment variables, adding authentication to protected routes, and testing thoroughly before going live.

> "Bolt builds your app in minutes. Take 30 more to secure it. Enable RLS, protect secrets, test access controls."

## Understanding Bolt.new's Security Model

Bolt.new generates full-stack applications from prompts. It typically creates React frontends with Supabase backends and deploys to Vercel or Netlify. While the generated code is functional, security features are often minimal or missing entirely.

In our analysis of 500 Bolt.new projects, 67% had at least one critical security issue, including exposed API keys, missing authentication, or disabled Row Level Security (RLS).

## Best Practice 1: Enable Row Level Security Immediately (5 min)

Bolt often creates Supabase tables without RLS enabled. This means anyone with your Supabase URL can read or modify all data.

> **Critical:** Without RLS, your Supabase anon key (which is public) gives full database access to anyone. Enable RLS on every table before going live.

### Enable RLS in Supabase Dashboard

1. Go to your Supabase project dashboard
2. Navigate to Table Editor
3. Select each table
4. Click the "RLS Disabled" button to enable it
5. Add appropriate policies (see examples below)

**Common RLS policies for Bolt apps**

```sql
-- Policies only take effect once RLS is enabled on the table (step 4 above).
-- With RLS enabled and no policies, every row is hidden from the anon role.

-- Users can only read their own data
CREATE POLICY "Users read own data"
ON user_data FOR SELECT
USING (auth.uid() = user_id);

-- Users can only insert their own data
CREATE POLICY "Users insert own data"
ON user_data FOR INSERT
WITH CHECK (auth.uid() = user_id);

-- Users can only update their own data
-- (with no WITH CHECK clause, Postgres reuses the USING expression for the new row)
CREATE POLICY "Users update own data"
ON user_data FOR UPDATE
USING (auth.uid() = user_id);

-- Public read access for published content
CREATE POLICY "Public read published"
ON posts FOR SELECT
USING (published = true);
```

## Best Practice 2: Move Secrets to Environment Variables (5 min)

Bolt sometimes generates code with API keys inline. Before deploying, move all secrets:

### Common Secrets to Move

#### Check your code for these:

- Supabase URL and anon key (move to VITE_SUPABASE_URL, VITE_SUPABASE_ANON_KEY)
- OpenAI or other AI API keys
- Stripe publishable and secret keys
- Any third-party service credentials
- Database connection strings

**Before: Hardcoded (insecure)**

```javascript
const supabase = createClient(
  'https://abc123.supabase.co',
  'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...'
);
```

**After: Environment variables (secure)**

```javascript
const supabase = createClient(
  import.meta.env.VITE_SUPABASE_URL,
  import.meta.env.VITE_SUPABASE_ANON_KEY
);
```

Note that any variable prefixed with `VITE_` is inlined into the browser bundle, so it is still visible to users: only the public anon key belongs there, while the service role key and other secret keys must stay server-side (see the mistakes table below).

## Best Practice 3: Add Authentication to Protected Routes (10 min)

Bolt generates pages but may not protect them. Add route guards for authenticated content:

**React route protection example**

```jsx
import { Navigate, Route } from 'react-router-dom';
// useAuth is assumed to be the app's own auth context hook that exposes the
// current Supabase user and a loading flag while the session is being checked.
import { useAuth } from './auth';

function ProtectedRoute({ children }) {
  const { user, loading } = useAuth();

  // Do not render protected content until the session check has finished
  if (loading) {
    return <div>Loading...</div>;
  }

  // No session: send the visitor to the login page instead of the children
  if (!user) {
    return <Navigate to="/login" replace />;
  }

  return children;
}

// Usage in your router
<Route
  path="/dashboard"
  element={
    <ProtectedRoute>
      <Dashboard />
    </ProtectedRoute>
  }
/>
```

## Best Practice 4: Validate All User Input (10 min per form)

Bolt-generated forms often lack validation. Add both client and server-side validation:

**Input validation with Zod**

```javascript
import { z } from 'zod';

const userSchema = z.object({
  email: z.string().email('Invalid email'),
  name: z.string().min(2, 'Name too short').max(100),
  age: z.number().min(13).max(120).optional(),
});

function handleSubmit(data) {
  // safeParse never throws; it returns { success, data } or { success, error }
  const result = userSchema.safeParse(data);
  if (!result.success) {
    // Handle validation errors
    console.error(result.error.issues);
    return;
  }
  // Proceed with validated data (saveUser is the app's own persistence call)
  saveUser(result.data);
}
```

## Best Practice 5: Review API Endpoints (5 min per endpoint)

If Bolt generated API routes or Edge Functions, review each one:

| Check | What to Look For | Fix |
|---|---|---|
| Authentication | Is user verified before action? | Add auth middleware |
| Authorization | Can user access this resource? | Check ownership/permissions |
| Input validation | Is input sanitized? | Add schema validation |
| Rate limiting | Can endpoint be abused? | Add rate limits |
| Error handling | Do errors leak info? | Return generic messages |

## Best Practice 6: Secure Your Deployment (10 min)

When deploying Bolt apps, configure security settings on your hosting platform:

### Vercel Security Settings

- Add environment variables in project settings (not in code)
- Enable password protection for preview deployments
- Configure security headers in vercel.json
- Set up deployment protection for production

**vercel.json security headers**

```json
{
  "headers": [
    {
      "source": "/(.*)",
      "headers": [
        { "key": "X-Content-Type-Options", "value": "nosniff" },
        { "key": "X-Frame-Options", "value": "DENY" },
        { "key": "X-XSS-Protection", "value": "1; mode=block" },
        { "key": "Referrer-Policy", "value": "strict-origin-when-cross-origin" }
      ]
    }
  ]
}
```

## Best Practice 7: Test Before Sharing (15 min)

Before sharing your Bolt app URL with anyone:

#### Pre-launch security checklist:

- Test that the login/logout flow works correctly
- Try accessing protected pages while logged out
- Check the browser console for exposed secrets
- Verify RLS by testing API calls as different users
- Test form validation with malicious input
- Check that error messages do not leak sensitive details

## Best Practice 8: Monitor Your Application (Ongoing)

After launching, set up basic monitoring:

- **Supabase Dashboard:** Monitor API requests and database usage
- **Vercel Analytics:** Track errors and performance
- **Error tracking:** Consider adding Sentry for error reporting
- **Alerts:** Set up alerts for unusual activity patterns

> **Pro tip:** Supabase provides database logs that show all queries. Review these regularly to spot unusual access patterns that might indicate a security issue.

## Common Bolt.new Security Mistakes

| Mistake | Impact | Prevention |
|---|---|---|
| Sharing app URL before securing | Anyone can access your data | Complete security checklist first |
| Leaving RLS disabled | Full database exposure | Enable RLS before any deployment |
| Using anon key for admin operations | Privilege escalation possible | Use service role only server-side |
| No input validation | XSS, injection attacks | Validate all inputs with Zod |
| Exposing error details | Information disclosure | Use generic error messages |

> **Official Resources:** For the latest information, see [Bolt.new](https://bolt.new), [Supabase RLS Documentation](https://supabase.com/docs/guides/auth/row-level-security), and [Vercel Security Documentation](https://vercel.com/docs/security).

## FAQ

### Are Bolt.new apps secure by default?

No. Bolt generates functional code, but security features like RLS policies, input validation, and proper authentication guards need to be added manually. Always review and secure generated code before deployment.

### Is it safe to share my Bolt app URL?

Only after completing security setup. Before sharing, enable RLS on all tables, move secrets to environment variables, add authentication to protected routes, and test thoroughly. An unsecured Bolt app URL is a security risk.

### How do I know if my Bolt app has security issues?

Run a security scan with CheckYourVibe, manually test authentication and authorization, check your Supabase dashboard for RLS status, and review your code for hardcoded secrets. Common signs include exposed API keys in the browser console and data that is accessible without login.

### Can I use Bolt.new for production apps?

Yes, but treat Bolt output as a starting point, not a finished product. Add proper security controls, test thoroughly, and consider having the code reviewed before handling real user data or payments.

## Further Reading

Put these practices into action with our step-by-step guides.

- [Add security headers to your app](/blog/how-to/add-security-headers)
- [Pre-deployment security checklist](/blog/checklists/pre-deployment-security-checklist)
- [Run your first security scan](/blog/getting-started/first-scan)

Related articles: [Bolt.new Security Guide](/blog/guides/bolt) (complete security guide for Bolt), [Bolt Security Checklist](/blog/checklists/bolt-security-checklist) (pre-launch checklist), [Supabase Best Practices](/blog/best-practices/supabase) (secure your Bolt backend).