TL;DR
Bolt.new creates full-stack apps quickly, often with Supabase backends. The most critical security step is enabling Row Level Security (RLS) on your Supabase tables. Without it, anyone can read your entire database. Also check authentication flows, verify environment variables are properly configured, and scan before launching.
Bolt.new is an AI-powered platform that generates complete web applications in minutes. You describe what you want, and it creates a working app with frontend, backend, and database. It's remarkably powerful for rapid prototyping and launching MVPs.
The speed is impressive, but it comes with tradeoffs. Bolt optimizes for getting something working quickly, not for production security. This guide covers what you need to check and fix before taking your Bolt app live.
The #1 Security Issue: Missing RLS
Most Bolt.new applications use Supabase for their database. Supabase is excellent, but it requires you to set up Row Level Security (RLS) policies to control who can access what data.
Critical Warning: Without RLS enabled, anyone who knows your Supabase URL and anon key (which are visible in your frontend code) can read, modify, or delete ALL data in your database. This includes other users' data, passwords, payment information, and everything else you store.
How to Check if RLS is Enabled
- Go to your Supabase dashboard (app.supabase.com)
- Open your project
- Go to Table Editor
- Look at each table's settings
- RLS should show as "Enabled" with policies defined
How to Enable RLS
-- Enable RLS on the table
ALTER TABLE your_table_name ENABLE ROW LEVEL SECURITY;
-- Create a policy allowing users to see only their own data
CREATE POLICY "Users can view own data" ON your_table_name
FOR SELECT
USING (auth.uid() = user_id);
-- Create a policy allowing users to insert their own data
CREATE POLICY "Users can insert own data" ON your_table_name
FOR INSERT
WITH CHECK (auth.uid() = user_id);
Common Security Issues in Bolt Apps
| Issue | Likelihood | Fix |
|---|---|---|
| Missing RLS on Supabase | Very High | Enable RLS, create policies |
| Service role key in frontend | High | Use only anon key in frontend |
| Missing auth on routes | High | Add auth checks to protected pages |
| Weak password requirements | Medium | Configure Supabase auth settings |
| Missing email verification | Medium | Enable in Supabase auth settings |
Securing Authentication
Bolt typically sets up Supabase Authentication, which is solid when configured correctly. Here's what to verify:
Check Your Auth Configuration
- Email confirmation: Go to Supabase → Authentication → Providers → Email. Enable "Confirm email" for production.
- Password requirements: Set minimum password length (at least 8 characters).
- Rate limiting: Supabase includes rate limiting by default. Verify it's enabled.
Check Frontend Auth Guards
Make sure protected routes actually check for authentication:
// Check that protected pages verify the user is logged in
const { data: { user } } = await supabase.auth.getUser();
if (!user) {
// Redirect to login
redirect('/login');
}
Don't just hide elements from logged-out users. Actually prevent them from accessing protected functionality.
Environment Variables
Bolt apps need proper environment variable handling:
What's Safe in the Frontend
- Supabase URL: Safe (public by design)
- Supabase Anon Key: Safe (designed for frontend use with RLS)
What Must Stay Server-Side
- Supabase Service Role Key: Never expose this. It bypasses RLS.
- External API keys: OpenAI, Stripe secret keys, etc.
- Database connection strings: Keep on server only.
Deployment Security
Bolt can deploy to various platforms. Check these settings:
Environment Variables in Production
Add your Supabase credentials and other secrets as environment variables in your hosting platform, not in code:
- Vercel: Settings → Environment Variables
- Netlify: Site Settings → Environment Variables
Security Headers
Add security headers to your deployment configuration. For Vercel, add to vercel.json:
{
"headers": [
{
"source": "/(.*)",
"headers": [
{ "key": "X-Frame-Options", "value": "DENY" },
{ "key": "X-Content-Type-Options", "value": "nosniff" },
{ "key": "Referrer-Policy", "value": "strict-origin-when-cross-origin" }
]
}
]
}
Pre-Launch Checklist for Bolt Apps
- Enable RLS on all Supabase tables with user data
- Test RLS by trying to access other users' data
- Verify service role key is not in frontend code
- Enable email confirmation for new signups
- Add auth guards to all protected routes
- Move environment variables to hosting platform
- Add security headers
- Run an automated security scan
Is Bolt.new safe to use?
Bolt.new is safe as a development platform. However, the apps it generates may have security vulnerabilities, especially around database access (Supabase RLS) and authentication. The platform prioritizes rapid development over security hardening, so you need to review and secure the generated code before going to production.
What's the most critical security issue in Bolt.new apps?
Missing Row Level Security (RLS) on Supabase databases is the most critical issue. Bolt often generates apps with Supabase backends but doesn't always enable RLS policies. Without RLS, anyone with your Supabase URL and anon key can read all data in your database.
How do I secure my Bolt.new app before launching?
Enable Row Level Security on all Supabase tables, verify authentication is working on protected routes, check that no API keys are exposed in the frontend code, and run a security scan. These steps take about 30 minutes and address the most common vulnerabilities.