[{"data":1,"prerenderedAt":508},["ShallowReactive",2],{"blog-guides/bolt":3},{"id":4,"title":5,"body":6,"category":487,"date":488,"dateModified":489,"description":490,"draft":491,"extension":492,"faq":493,"featured":491,"headerVariant":494,"image":493,"keywords":493,"meta":495,"navigation":496,"ogDescription":497,"ogTitle":493,"path":498,"readTime":499,"schemaOrg":500,"schemaType":501,"seo":502,"sitemap":503,"stem":504,"tags":505,"twitterCard":506,"__hash__":507},"blog/blog/guides/bolt.md","Bolt.new Security Guide: Protecting Full-Stack AI Apps",{"type":7,"value":8,"toc":470},"minimark",[9,16,21,24,53,56,60,65,68,83,92,126,130,133,142,145,154,158,161,170,179,183,188,191,194,197,200,204,207,210,213,216,220,223,226,229,232,236,239,242,245,248,252,255,264,268,277,281,371,375,378,411,439,458],[10,11,12],"tldr",{},[13,14,15],"p",{},"Bolt.new creates full-stack applications from prompts, often including databases. The biggest risks are hardcoded API keys, missing database security (especially if using Supabase without RLS), and unprotected API endpoints. Before deploying, review all environment variables, enable Row Level Security on any database, and add authentication to routes that need it.",[17,18,20],"h2",{"id":19},"understanding-boltnews-architecture","Understanding Bolt.new's Architecture",[13,22,23],{},"Bolt.new generates complete applications that typically include:",[25,26,27,35,41,47],"ul",{},[28,29,30,34],"li",{},[31,32,33],"strong",{},"Frontend:"," React or similar framework",[28,36,37,40],{},[31,38,39],{},"Backend:"," API routes or serverless functions",[28,42,43,46],{},[31,44,45],{},"Database:"," Often Supabase, Firebase, or similar",[28,48,49,52],{},[31,50,51],{},"Hosting:"," Can deploy to various platforms",[13,54,55],{},"This full-stack approach means security concerns span multiple layers. Each component needs attention.",[17,57,59],{"id":58},"the-most-common-boltnew-security-issues","The Most Common Bolt.new Security Issues",[61,62,64],"h3",{"id":63},"_1-hardcoded-api-keys","1. Hardcoded API Keys",[13,66,67],{},"Bolt often generates code with placeholder or example API keys that need replacement:",[69,70,72],"code-block",{"label":71},"Check your code for patterns like this",[73,74,79],"pre",{"className":75,"code":77,"language":78},[76],"language-text","// DANGEROUS: Hardcoded keys\nconst supabase = createClient(\n  'https://xxxxx.supabase.co',\n  'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...'  // Hardcoded!\n);\n\nconst stripe = new Stripe('sk_test_abc123...');  // In code!\nconst openai = new OpenAI({ apiKey: 'sk-...' }); // Exposed!\n","text",[80,81,77],"code",{"__ignoreMap":82},"",[69,84,86],{"label":85},"Fix: Use environment variables",[73,87,90],{"className":88,"code":89,"language":78},[76],"// SAFE: Environment variables\nconst supabase = createClient(\n  process.env.SUPABASE_URL,\n  process.env.SUPABASE_ANON_KEY\n);\n\nconst stripe = new Stripe(process.env.STRIPE_SECRET_KEY);\nconst openai = new OpenAI({ apiKey: process.env.OPENAI_API_KEY });\n",[80,91,89],{"__ignoreMap":82},[93,94,95],"danger-box",{},[13,96,97,100,101,104,105,104,108,111,112,104,115,104,118,121,122,125],{},[31,98,99],{},"Search your entire codebase"," for strings starting with ",[80,102,103],{},"sk_",", ",[80,106,107],{},"pk_",[80,109,110],{},"api_",", or containing ",[80,113,114],{},"key",[80,116,117],{},"secret",[80,119,120],{},"token",", or ",[80,123,124],{},"password",".",[61,127,129],{"id":128},"_2-missing-database-security-supabase-rls","2. Missing Database Security (Supabase RLS)",[13,131,132],{},"If Bolt connects your app to Supabase, check if Row Level Security (RLS) is enabled:",[69,134,136],{"label":135},"Check RLS status in Supabase",[73,137,140],{"className":138,"code":139,"language":78},[76],"-- Run this in Supabase SQL Editor\nSELECT tablename, rowsecurity\nFROM pg_tables\nWHERE schemaname = 'public';\n\n-- If rowsecurity is 'f' for any table, RLS is disabled!\n",[80,141,139],{"__ignoreMap":82},[13,143,144],{},"Without RLS, anyone with your Supabase anon key (which is public) can read, modify, or delete all data.",[69,146,148],{"label":147},"Basic RLS policy example",[73,149,152],{"className":150,"code":151,"language":78},[76],"-- Enable RLS\nALTER TABLE posts ENABLE ROW LEVEL SECURITY;\n\n-- Users can only see their own posts\nCREATE POLICY \"Users see own posts\" ON posts\n  FOR SELECT USING (auth.uid() = user_id);\n\n-- Users can only modify their own posts\nCREATE POLICY \"Users modify own posts\" ON posts\n  FOR ALL USING (auth.uid() = user_id);\n",[80,153,151],{"__ignoreMap":82},[61,155,157],{"id":156},"_3-unprotected-api-endpoints","3. Unprotected API Endpoints",[13,159,160],{},"Bolt generates functional endpoints, but they often lack authentication:",[69,162,164],{"label":163},"Vulnerable: No auth check",[73,165,168],{"className":166,"code":167,"language":78},[76],"// Anyone can call this endpoint!\napp.post('/api/admin/delete-user', async (req, res) => {\n  await db.deleteUser(req.body.userId);\n  res.json({ success: true });\n});\n",[80,169,167],{"__ignoreMap":82},[69,171,173],{"label":172},"Fixed: With authentication",[73,174,177],{"className":175,"code":176,"language":78},[76],"app.post('/api/admin/delete-user', async (req, res) => {\n  // Check if user is authenticated\n  const session = await getSession(req);\n  if (!session) {\n    return res.status(401).json({ error: 'Unauthorized' });\n  }\n\n  // Check if user is an admin\n  if (session.user.role !== 'admin') {\n    return res.status(403).json({ error: 'Forbidden' });\n  }\n\n  await db.deleteUser(req.body.userId);\n  res.json({ success: true });\n});\n",[80,178,176],{"__ignoreMap":82},[17,180,182],{"id":181},"security-review-process-for-bolt-apps","Security Review Process for Bolt Apps",[184,185,187],"h4",{"id":186},"step-1-secrets-audit","Step 1: Secrets Audit",[13,189,190],{},"Search codebase for hardcoded API keys",[13,192,193],{},"Check all files for strings containing \"key\", \"secret\", \"token\"",[13,195,196],{},"Verify .env file exists and is in .gitignore",[13,198,199],{},"Move all secrets to environment variables",[184,201,203],{"id":202},"step-2-database-security","Step 2: Database Security",[13,205,206],{},"Identify which database Bolt connected",[13,208,209],{},"Enable RLS on all Supabase tables",[13,211,212],{},"Create appropriate access policies",[13,214,215],{},"Test that users can't access others' data",[184,217,219],{"id":218},"step-3-api-endpoints","Step 3: API Endpoints",[13,221,222],{},"List all API routes in the project",[13,224,225],{},"Add authentication to protected routes",[13,227,228],{},"Add authorization checks (user can do this action?)",[13,230,231],{},"Validate all input data",[184,233,235],{"id":234},"step-4-frontend-security","Step 4: Frontend Security",[13,237,238],{},"No secrets in frontend code",[13,240,241],{},"Proper CORS configuration",[13,243,244],{},"User input is sanitized",[13,246,247],{},"External links have rel=\"noopener noreferrer\"",[17,249,251],{"id":250},"prompting-bolt-for-secure-code","Prompting Bolt for Secure Code",[13,253,254],{},"You can get better security from Bolt by being explicit in your prompts:",[69,256,258],{"label":257},"Security-focused prompts",[73,259,262],{"className":260,"code":261,"language":78},[76],"// Instead of: \"Build a todo app with user accounts\"\n// Try:\n\n\"Build a todo app with:\n- User authentication (email/password)\n- Each user can only see and edit their own todos\n- Use environment variables for all API keys\n- Enable Row Level Security on the database\n- Validate all input on the server\n- Rate limit the API endpoints\"\n",[80,263,261],{"__ignoreMap":82},[61,265,267],{"id":266},"follow-up-security-prompts","Follow-up Security Prompts",[69,269,271],{"label":270},"Ask Bolt to improve security",[73,272,275],{"className":273,"code":274,"language":78},[76],"// After generating the app, ask:\n\n\"Review this code for security issues and fix:\n1. Any hardcoded API keys or secrets\n2. Missing authentication on API routes\n3. Missing database RLS policies\n4. Missing input validation\n5. XSS vulnerabilities\"\n",[80,276,274],{"__ignoreMap":82},[17,278,280],{"id":279},"boltnew-vs-other-full-stack-ai-tools","Bolt.new vs Other Full-Stack AI Tools",[282,283,284,303],"table",{},[285,286,287],"thead",{},[288,289,290,294,297,300],"tr",{},[291,292,293],"th",{},"Aspect",[291,295,296],{},"Bolt.new",[291,298,299],{},"Lovable",[291,301,302],{},"Replit",[304,305,306,319,333,346,359],"tbody",{},[288,307,308,312,315,317],{},[309,310,311],"td",{},"Full-stack generation",[309,313,314],{},"Yes",[309,316,314],{},[309,318,314],{},[288,320,321,324,327,330],{},[309,322,323],{},"Default database",[309,325,326],{},"Varies (often Supabase)",[309,328,329],{},"Supabase",[309,331,332],{},"Replit DB",[288,334,335,338,341,343],{},[309,336,337],{},"RLS auto-enabled",[309,339,340],{},"Not always",[309,342,340],{},[309,344,345],{},"N/A",[288,347,348,351,354,356],{},[309,349,350],{},"Secrets handling",[309,352,353],{},"May hardcode",[309,355,353],{},[309,357,358],{},"Secrets panel",[288,360,361,364,367,369],{},[309,362,363],{},"Auth included",[309,365,366],{},"If requested",[309,368,366],{},[309,370,366],{},[17,372,374],{"id":373},"exporting-and-deploying-bolt-apps","Exporting and Deploying Bolt Apps",[13,376,377],{},"When exporting your Bolt app for deployment:",[379,380,381,387,393,399,405],"ol",{},[28,382,383,386],{},[31,384,385],{},"Before export:"," Review all code for secrets",[28,388,389,392],{},[31,390,391],{},"Create .env.example:"," Document required environment variables",[28,394,395,398],{},[31,396,397],{},"Set up hosting secrets:"," Add environment variables to your hosting platform",[28,400,401,404],{},[31,402,403],{},"Test in staging:"," Deploy to a test environment first",[28,406,407,410],{},[31,408,409],{},"Security scan:"," Run a security check before production",[412,413,414,421,427,433],"faq-section",{},[415,416,418],"faq-item",{"question":417},"Does Bolt.new generate secure code?",[13,419,420],{},"Bolt generates functional code that often needs security hardening. Common issues include hardcoded API keys, missing database security policies, and unprotected API endpoints. Always review generated code before deploying.",[415,422,424],{"question":423},"Is my code stored on Bolt.new's servers?",[13,425,426],{},"While you're using Bolt, your code is processed on their platform. Review their privacy policy for data retention details. Export your code and store it in your own repository for long-term projects.",[415,428,430],{"question":429},"Can I deploy a Bolt app safely?",[13,431,432],{},"Yes, but you need to review and secure the code first. Check for hardcoded secrets, enable database security, add authentication where needed, and test thoroughly. Don't deploy directly without review.",[415,434,436],{"question":435},"What's the fastest way to secure a Bolt app?",[13,437,438],{},"Run a security scan, move all secrets to environment variables, enable RLS on your database, and add authentication to your API routes. These four steps address the most common vulnerabilities.",[440,441,442,448,453],"related-articles",{},[443,444],"related-card",{"description":445,"href":446,"title":447},"Complete pre-launch checklist","/blog/checklists/bolt-security-checklist","Bolt Security Checklist",[443,449],{"description":450,"href":451,"title":452},"Full security analysis","/blog/is-safe/bolt","Is Bolt.new Safe?",[443,454],{"description":455,"href":456,"title":457},"Database security for Bolt apps","/blog/guides/supabase","Supabase Security Guide",[459,460,463,467],"cta-box",{"href":461,"label":462},"/","Start Free Scan",[17,464,466],{"id":465},"built-with-boltnew","Built with Bolt.new?",[13,468,469],{},"Scan your project for security vulnerabilities before deploying.",{"title":82,"searchDepth":471,"depth":471,"links":472},2,[473,474,480,481,484,485,486],{"id":19,"depth":471,"text":20},{"id":58,"depth":471,"text":59,"children":475},[476,478,479],{"id":63,"depth":477,"text":64},3,{"id":128,"depth":477,"text":129},{"id":156,"depth":477,"text":157},{"id":181,"depth":471,"text":182},{"id":250,"depth":471,"text":251,"children":482},[483],{"id":266,"depth":477,"text":267},{"id":279,"depth":471,"text":280},{"id":373,"depth":471,"text":374},{"id":465,"depth":471,"text":466},"guides","2026-01-14","2026-01-21","Complete security guide for Bolt.new. Learn to secure AI-generated full-stack applications, protect database credentials, and deploy safely.",false,"md",null,"blue",{},true,"How to secure applications built with Bolt.new for production deployment.","/blog/guides/bolt","11 min read","[object Object]","Article",{"title":5,"description":490},{"loc":498},"blog/guides/bolt",[],"summary_large_image","0ZxQe-NqlEE29qVoD6D6IuFksXYHsI2mPABzIwW6-TA",1775843918547]