[{"data":1,"prerenderedAt":202},["ShallowReactive",2],{"blog-blueprints/bolt-netlify":3},{"id":4,"title":5,"body":6,"category":181,"date":182,"dateModified":183,"description":184,"draft":185,"extension":186,"faq":187,"featured":185,"headerVariant":188,"image":187,"keywords":187,"meta":189,"navigation":190,"ogDescription":191,"ogTitle":187,"path":192,"readTime":193,"schemaOrg":194,"schemaType":195,"seo":196,"sitemap":197,"stem":198,"tags":199,"twitterCard":200,"__hash__":201},"blog/blog/blueprints/bolt-netlify.md","Bolt.new + Netlify Security Blueprint",{"type":7,"value":8,"toc":170},"minimark",[9,20,24,30,35,50,54,63,80,84,93,97,102,105,108,111,114,117,120,134,144,158],[10,11,12],"blueprint-summary",{},[13,14,15,19],"p",{},[16,17,18],"strong",{},"To secure a Bolt.new + Netlify stack,"," you need to: (1) configure security headers via _headers file or netlify.toml, (2) store all secrets in Netlify environment variables rather than code, (3) implement authentication in Netlify Functions for server-side operations, and (4) ensure service keys are only accessible from Functions, not client code. This blueprint covers deployment security specific to Netlify hosting.",[21,22],"blueprint-meta",{"time":23},"1-2 hours",[25,26,27],"tldr",{},[13,28,29],{},"Deploying Bolt exports to Netlify requires configuration through netlify.toml or _headers files. Key tasks: configure environment variables in Netlify dashboard, add security headers, secure Netlify Functions for server-side operations, and scope deploy preview access appropriately.",[31,32,34],"h2",{"id":33},"part-1-netlify-security-headers","Part 1: Netlify Security Headers",[36,37,39],"code-block",{"label":38},"public/_headers",[40,41,46],"pre",{"className":42,"code":44,"language":45},[43],"language-text","/*\n X-Frame-Options: DENY\n X-Content-Type-Options: nosniff\n Referrer-Policy: strict-origin-when-cross-origin\n Permissions-Policy: camera=(), microphone=(), geolocation=()\n","text",[47,48,44],"code",{"__ignoreMap":49},"",[31,51,53],{"id":52},"part-2-netlify-environment-variables","Part 2: Netlify Environment Variables",[36,55,57],{"label":56},"Configure in Netlify Dashboard",[40,58,61],{"className":59,"code":60,"language":45},[43],"# Public (use framework prefix: VITE_, REACT_APP_)\nVITE_SUPABASE_URL=https://xxx.supabase.co\nVITE_SUPABASE_ANON_KEY=eyJ...\n\n# Private (Netlify Functions only)\nSUPABASE_SERVICE_ROLE_KEY=eyJ...\nDATABASE_URL=postgres://...\n",[47,62,60],{"__ignoreMap":49},[64,65,66],"warning-box",{},[13,67,68,71,72,75,76,79],{},[16,69,70],{},"Framework prefixes:"," Vite uses ",[47,73,74],{},"VITE_",", Create React App uses ",[47,77,78],{},"REACT_APP_",". Only prefixed variables are exposed to the client.",[31,81,83],{"id":82},"part-3-netlify-functions","Part 3: Netlify Functions",[36,85,87],{"label":86},"netlify/functions/protected.ts",[40,88,91],{"className":89,"code":90,"language":45},[43],"import { Handler } from '@netlify/functions';\nimport { createClient } from '@supabase/supabase-js';\n\nconst supabase = createClient(\n process.env.VITE_SUPABASE_URL!,\n process.env.SUPABASE_SERVICE_ROLE_KEY!\n);\n\nexport const handler: Handler = async (event) => {\n const authHeader = event.headers.authorization;\n\n if (!authHeader) {\n return { statusCode: 401, body: 'Unauthorized' };\n }\n\n const { data: { user }, error } = await supabase.auth.getUser(\n authHeader.replace('Bearer ', '')\n );\n\n if (error || !user) {\n return { statusCode: 401, body: 'Invalid token' };\n }\n\n return { statusCode: 200, body: JSON.stringify({ userId: user.id }) };\n};\n",[47,92,90],{"__ignoreMap":49},[31,94,96],{"id":95},"security-checklist","Security Checklist",[98,99,101],"h4",{"id":100},"netlify-deployment-checklist","Netlify Deployment Checklist",[13,103,104],{},"Security headers in _headers or netlify.toml",[13,106,107],{},"Environment variables in Netlify dashboard",[13,109,110],{},"No hardcoded secrets in code",[13,112,113],{},"Netlify Functions authenticate requests",[13,115,116],{},"Service keys only in Functions",[13,118,119],{},".env files in .gitignore",[121,122,123,128],"stack-comparison",{},[124,125,127],"h3",{"id":126},"alternative-stacks-to-consider","Alternative Stacks to Consider",[40,129,132],{"className":130,"code":131,"language":45},[43]," **Bolt.new + Vercel**\n Alternative deployment platform\n\n\n **Bolt.new + Railway**\n Container-based deployment\n\n\n **Bolt.new + Supabase**\n Database security guide\n",[47,133,131],{"__ignoreMap":49},[135,136,137],"faq-section",{},[138,139,141],"faq-item",{"question":140},"Should I use _headers or netlify.toml?",[13,142,143],{},"Either works. Use _headers for simple configuration, netlify.toml if you're configuring build settings and functions together.",[145,146,147,153],"related-articles",{},[148,149],"related-card",{"description":150,"href":151,"title":152},"Alternative deployment","/blog/blueprints/bolt-vercel","Bolt + Vercel",[148,154],{"description":155,"href":156,"title":157},"Deep dive into Netlify","/blog/guides/netlify","Netlify Security Guide",[159,160,163,167],"cta-box",{"href":161,"label":162},"/","Start Free Scan",[31,164,166],{"id":165},"deploying-bolt-to-netlify","Deploying Bolt to Netlify?",[13,168,169],{},"Scan for configuration issues and exposed secrets.",{"title":49,"searchDepth":171,"depth":171,"links":172},2,[173,174,175,176,180],{"id":33,"depth":171,"text":34},{"id":52,"depth":171,"text":53},{"id":82,"depth":171,"text":83},{"id":95,"depth":171,"text":96,"children":177},[178],{"id":126,"depth":179,"text":127},3,{"id":165,"depth":171,"text":166},"blueprints","2026-01-28","2026-02-05","Security guide for deploying Bolt.new apps to Netlify. Configure environment variables, set up headers, secure Netlify Functions, and protect your deployment.",false,"md",null,"purple",{"noindex":190},true,"Complete security configuration for deploying Bolt.new apps to Netlify.","/blog/blueprints/bolt-netlify","8 min read","[object Object]","Article",{"title":5,"description":184},{"loc":192},"blog/blueprints/bolt-netlify",[],"summary_large_image","hc_DvWQtidlHm9rchzBV4aP6oAQiCtLSDfOHSNtfd64",1775843932874]