[{"data":1,"prerenderedAt":218},["ShallowReactive",2],{"blog-checklists/bolt-security-checklist":3},{"id":4,"title":5,"body":6,"category":193,"date":194,"dateModified":194,"description":195,"draft":196,"extension":197,"faq":198,"featured":196,"headerVariant":203,"image":204,"keywords":204,"meta":205,"navigation":206,"ogDescription":207,"ogTitle":204,"path":208,"readTime":204,"schemaOrg":209,"schemaType":210,"seo":211,"sitemap":212,"stem":213,"tags":214,"twitterCard":216,"__hash__":217},"blog/blog/checklists/bolt-security-checklist.md","Bolt.new Security Checklist: 15-Item Guide Before Deploying",{"type":7,"value":8,"toc":187},"minimark",[9,16,19,22,47,69,88,103,118,123,126,129,151,175],[10,11,12],"tldr",{},[13,14,15],"p",{},"This 15-item checklist covers the most common security issues in Bolt.new-generated apps: exposed API keys, missing Supabase RLS, and frontend-only authentication. 5 critical items must be fixed before launch, 6 important items within the first week, and 4 recommended items when you can.",[13,17,18],{},"Bolt makes it ridiculously easy to go from idea to deployed app. That speed is also what makes it risky -- the generated code prioritizes getting things working, not locking them down.\nSpend 45 minutes with this checklist before you share that deploy link with anyone.",[20,21],"print-button",{},[23,24,26,31,35,39,43],"checklist-section",{"title":25},"Quick Checklist (5 Critical Items)",[27,28],"checklist-item",{"description":29,"label":30},"Look for sk_, pk_, api_key, SUPABASE_KEY in your code","Search for hardcoded API keys",[27,32],{"description":33,"label":34},"Tables without RLS are publicly accessible","Enable RLS on all Supabase tables",[27,36],{"description":37,"label":38},"The service_role key bypasses all RLS - must never be in frontend","Verify service role key is not exposed",[27,40],{"description":41,"label":42},"Check before pushing to GitHub","Verify .env is in .gitignore",[27,44],{"description":45,"label":46},"Try accessing /dashboard directly in an incognito window","Test protected routes without login",[23,48,51,54,58,61,65],{"title":49,"count":50},"API Keys & Secrets","5",[27,52],{"description":53,"label":30},"Look for sk_, pk_, api_key, apiKey, secret, password, SUPABASE_KEY in your code. How to secure API keys",[27,55],{"description":56,"label":57},"Open your app, refresh, and verify no secret keys appear in request headers or bodies. How to inspect network requests","Check browser DevTools Network tab",[27,59],{"description":60,"label":42},"Bolt generates .env files that must not be committed to your repository. How to secure .env files",[27,62],{"description":63,"label":64},"Set environment variables in Vercel, Netlify, or your host instead of .env files. How to configure env variables","Move secrets to deployment platform",[27,66],{"description":67,"label":68},"Only anon/public keys should be in frontend code. Service keys belong on the server. How to separate client/server keys","Verify public vs private key usage",[23,70,73,77,81,85],{"title":71,"count":72},"Supabase Security","4",[27,74],{"description":75,"label":76},"Go to Supabase Dashboard > Authentication > Policies and verify RLS is ON for every table.\nHow to set up Supabase RLS","Enable RLS on all tables",[27,78],{"description":79,"label":80},"Tables with RLS enabled but no policies block all access. Add appropriate SELECT, INSERT, UPDATE, DELETE policies. How to write RLS policies","Write RLS policies for each table",[27,82],{"description":83,"label":84},"Log in as User A and try to access User B's data by changing IDs in the URL or requests. How to test data isolation","Test data isolation",[27,86],{"description":87,"label":38},"The service_role key bypasses RLS. It must never appear in frontend code. How to protect service role key",[23,89,92,95,99],{"title":90,"count":91},"Authentication","3",[27,93],{"description":94,"label":46},"Try accessing /dashboard, /account, or other protected pages directly without logging in. How to test protected routes",[27,96],{"description":97,"label":98},"Frontend route protection is not enough. API routes and database queries must verify the user. How to implement server-side auth","Verify server-side auth checks",[27,100],{"description":101,"label":102},"Sessions should expire after a reasonable time. Logout should clear all tokens. How to configure sessions","Check session expiration",[23,104,106,110,114],{"title":105,"count":91},"Input & Output",[27,107],{"description":108,"label":109},"Enter \u003Cscript>alert('xss')\u003C/script> in text fields and verify it does not execute. How to prevent XSS","Test forms with malicious input",[27,111],{"description":112,"label":113},"Never trust client-side validation alone. Always validate on backend or database level. How to validate on server","Validate input on the server",[27,115],{"description":116,"label":117},"Validate file types, limit sizes, and ensure storage bucket policies are set correctly.\nHow to secure file uploads","Check file uploads (if applicable)",[119,120,122],"h2",{"id":121},"why-boltnew-apps-need-extra-review","Why Bolt.new Apps Need Extra Review",[13,124,125],{},"Bolt.new is excellent for rapid prototyping and building functional apps quickly. However, the speed comes with tradeoffs. AI-generated code prioritizes getting things working over security hardening. According to a 2025 Stanford study, 40% of AI-generated code samples contained at least one security vulnerability.",[13,127,128],{},"The most common issues in Bolt.new apps are exposed Supabase service keys (which bypass Row Level Security entirely), missing RLS policies, and frontend-only authentication that can be bypassed with browser DevTools.",[130,131,132,139,145],"faq-section",{},[133,134,136],"faq-item",{"question":135},"What should I check before deploying a Bolt.new app?",[13,137,138],{},"Before deploying a Bolt.new app, check for hardcoded API keys, verify Supabase RLS is enabled on all tables, ensure authentication is implemented on both frontend and backend, test database access controls, and validate user inputs. Run through this complete checklist to catch the most common issues.",[133,140,142],{"question":141},"Is Bolt.new secure for production apps?",[13,143,144],{},"Bolt.new generates functional code quickly, but it requires security review before production. The platform itself is secure, but the generated code may have vulnerabilities like exposed API keys, missing database security rules, and frontend-only authentication. Use this checklist and consider an automated security scan.",[133,146,148],{"question":147},"How do I fix Supabase RLS issues in Bolt apps?",[13,149,150],{},"Go to your Supabase Dashboard, navigate to Authentication > Policies, and verify RLS is enabled for every table. Then add appropriate policies.\nFor user-owned data, use policies like: CREATE POLICY \"Users can view own data\" ON table_name FOR SELECT USING (auth.uid() = user_id).",[152,153,154,160,165,170],"related-articles",{},[155,156],"related-card",{"description":157,"href":158,"title":159},"Complete security guide for Bolt.new apps","/blog/guides/bolt","Bolt.new Security Guide",[155,161],{"description":162,"href":163,"title":164},"RLS and database security checklist","/blog/checklists/supabase-security-checklist","Supabase Security Checklist",[155,166],{"description":167,"href":168,"title":169},"Step-by-step guide to Row Level Security","/blog/how-to/setup-supabase-rls","How to Set Up Supabase RLS",[155,171],{"description":172,"href":173,"title":174},"Security checklist for Cursor projects","/blog/checklists/cursor-security-checklist","Cursor Security Checklist",[176,177,180,184],"cta-box",{"href":178,"label":179},"/","Start Free Scan",[119,181,183],{"id":182},"automate-this-checklist","Automate This Checklist",[13,185,186],{},"Our scanner checks all these items automatically and catches issues you might miss.",{"title":188,"searchDepth":189,"depth":189,"links":190},"",2,[191,192],{"id":121,"depth":189,"text":122},{"id":182,"depth":189,"text":183},"checklists","2026-01-26","Printable 15-item security checklist for Bolt.new apps. Critical items to check before deploying your AI-generated application to production.",false,"md",[199,201],{"question":135,"answer":200},"Before deploying a Bolt.new app, check for hardcoded API keys, verify Supabase RLS is enabled on all tables, ensure authentication is implemented on both frontend and backend, test database access controls, and validate user inputs.",{"question":141,"answer":202},"Bolt.new generates functional code quickly, but it requires security review before production. Common issues include exposed API keys, missing database security rules, and frontend-only authentication.\nUse this checklist to catch these issues.","green",null,{},true,"Printable security checklist for Bolt.new apps. 15 items to check before deploying.","/blog/checklists/bolt-security-checklist","[object Object]","HowTo",{"title":5,"description":195},{"loc":208},"blog/checklists/bolt-security-checklist",[215],"Security Checklist","summary_large_image","oAiMrhtvaI71blQlVKbdI2DLHrtD4vZejMcZUNGfAaI",1775843931686]