Bolt.new ships fast. Here's what it doesn't check.
Bolt.new lets you scaffold a working web app in minutes. The tradeoff: it optimizes for "running" over "hardened." Most Bolt-generated apps we audit leak at least one production credential, ship without a Content Security Policy, and pass user input straight into database queries.
Get a graded security report for your Bolt.new app in under a minute.
Bolt.new often inlines OpenAI, Stripe, Supabase service-role, and other third-party keys directly into the client bundle, where anyone who loads the page can read them. CheckVibe scans every static asset for `sk_live_*`, `sk-...`, `AIza...`, JWT-shaped tokens, and 30+ other patterns.
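An added example of the kind of static-asset scan described above (not CheckVibe's scanner, and the regexes are assumptions modelled on the key formats named, not authoritative vendor formats). It also shows the check a practitioner wants on JWT-shaped matches: the first segment must decode to a real JWT header, and a Supabase token is graded by its `role` claim, because the `anon` key is public by design while a `service_role` key in a bundle is critical.

```javascript
// Added example (not CheckVibe's scanner): flag credential-shaped strings in a
// static asset. The regexes are assumptions modelled on the key formats named
// above; treat them as starting points, not authoritative vendor formats.
const SECRET_PATTERNS = [
  { type: 'stripe_live_secret', re: /\bsk_live_[0-9A-Za-z]{16,}\b/g },
  { type: 'openai_secret',      re: /\bsk-(?:proj-)?[0-9A-Za-z_-]{20,}\b/g },
  { type: 'google_api_key',     re: /\bAIza[0-9A-Za-z_-]{35}\b/g },
  // Three base64url segments. Anything with two dots can look like this, so a
  // candidate is only kept if its first segment decodes to a JSON JWT header.
  { type: 'jwt',                re: /\b[0-9A-Za-z_-]{10,}\.[0-9A-Za-z_-]{10,}\.[0-9A-Za-z_-]{10,}\b/g },
];

function decodeJwtSegment(seg) {
  try {
    return JSON.parse(Buffer.from(seg, 'base64url').toString('utf8'));
  } catch {
    return null; // not base64url, or not JSON: not a JWT
  }
}

// Scan one asset; findings carry a redacted preview so the report itself
// never becomes a second leak.
function scanAsset(path, text) {
  const findings = [];
  for (const { type, re } of SECRET_PATTERNS) {
    for (const m of text.matchAll(re)) {
      const f = { path, type, severity: 'high', redacted: `${m[0].slice(0, 8)}...(${m[0].length} chars)` };
      if (type === 'jwt') {
        const [h, p] = m[0].split('.');
        const header = decodeJwtSegment(h);
        const payload = decodeJwtSegment(p);
        if (!header || !payload || typeof header.alg !== 'string') continue; // dotted string, not a token
        // A Supabase anon JWT is public by design; the service_role JWT bypasses
        // RLS entirely and must never reach a browser.
        f.role = payload.role;
        if (payload.role === 'service_role') f.severity = 'critical';
        else if (payload.role === 'anon') f.severity = 'info';
      }
      findings.push(f);
    }
  }
  return findings;
}

// Worst severity across all findings: what a graded report would key on.
function worstSeverity(findings) {
  const order = ['info', 'low', 'medium', 'high', 'critical'];
  return findings.reduce((w, f) => (order.indexOf(f.severity) > order.indexOf(w) ? f.severity : w), 'info');
}

// Constructed sample bundle (no real keys): one credential of each kind, a
// Supabase anon JWT, a service_role JWT, and a dotted version string that
// matches the JWT shape but is not a token.
const fakeJwt = (payload) => {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${enc({ alg: 'HS256', typ: 'JWT' })}.${enc(payload)}.${'x'.repeat(43)}`;
};
const SAMPLE_BUNDLE = `
var stripe = Stripe("sk_live_${'4'.repeat(24)}");
const openaiKey = "sk-proj-${'a'.repeat(24)}";
const mapsKey = "AIza${'S'.repeat(35)}";
const supabaseAnon = "${fakeJwt({ iss: 'supabase', role: 'anon' })}";
const supabaseAdmin = "${fakeJwt({ iss: 'supabase', role: 'service_role' })}";
const build = "1234567890.1234567890.1234567890";
`;

const findings = scanAsset('assets/index-abc123.js', SAMPLE_BUNDLE);
console.log(worstSeverity(findings), findings);
```

Run it with `node` against the built `dist/` output of your own app by reading each file and passing its text to `scanAsset`; the JWT header check is what keeps version strings and dotted identifiers out of the report.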
If RLS is off, anyone with your `anon` key (which is public by design and sits in the bundle) can read, and unless you have revoked Supabase's default grants also modify, every row of your `users`, `messages`, or `orders` table through the REST API. CheckVibe's Supabase scanner enumerates tables and flags missing policies.
Most Bolt apps ship with `Access-Control-Allow-Origin: *` and `Access-Control-Allow-Credentials: true`. Browsers refuse that combination outright (a wildcard origin is never honoured for credentialed requests), so by itself it leaks nothing; what it tells you is that nobody configured CORS deliberately. The dangerous variant is a backend that echoes whatever `Origin` the request carried back in `Access-Control-Allow-Origin` while keeping `Access-Control-Allow-Credentials: true`: that lets any attacker origin read authenticated responses.
Without a Content Security Policy, a single XSS bug runs with no second line of defence and typically ends in account takeover. Without HSTS, your app is one plain-HTTP request away from a man-in-the-middle. Without `X-Frame-Options` (or a CSP `frame-ancestors` directive), your pages can be framed and clickjacked.
When Bolt generates dynamic queries, it sometimes interpolates user input directly into SQL strings. CheckVibe probes common parameters with benign payloads to detect injection without changing your data.
`/api/debug`, `/__health__`, and Vite's `/?__inspect__` are commonly left enabled. CheckVibe enumerates 200+ debug paths to find the ones that leak environment variables, stack traces, or admin functionality.
Vite inlines every environment variable prefixed `VITE_` into the client bundle (that is what `import.meta.env.VITE_*` resolves to), so anyone visiting the site can read it. Keep secrets in server-only variables (no prefix), read them only in server code, and proxy third-party calls through your own API route.
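The proxy pattern described above as an added example (not Bolt's generated code and not CheckVibe's). It assumes a server-only variable named `OPENAI_API_KEY` and a route `POST /api/chat`; both names are mine. The upstream `fetch` is injected so the handler can be exercised offline, and the handler forwards only the prompt upstream and only the answer downstream, so neither the key nor the raw upstream response ever reaches the browser.

```javascript
// Added example, not Bolt's generated code or CheckVibe's. Keeps the OpenAI key
// out of the bundle by calling the API from a server route. Assumed names:
// OPENAI_API_KEY (server-only variable, no VITE_ prefix) and POST /api/chat.
//
// What Bolt tends to emit instead, in browser code, so the key ends up in the bundle:
//   fetch('https://api.openai.com/v1/chat/completions', {
//     headers: { Authorization: `Bearer ${import.meta.env.VITE_OPENAI_API_KEY}` }, ...
//   });

const CLIENT_EXPOSED_PREFIXES = ['VITE_', 'NEXT_PUBLIC_', 'REACT_APP_'];

// Guard: refuse to treat a client-exposed variable name as a secret.
function serverOnlyName(name) {
  const bad = CLIENT_EXPOSED_PREFIXES.find((p) => name.startsWith(p));
  if (bad) throw new Error(`${name}: the ${bad} prefix ships the value to the browser; remove it`);
  return name;
}

// Build the upstream request from an untrusted client body. Only the fields we
// choose are forwarded; the client never sees or sets the Authorization header.
function buildUpstreamRequest(clientBody, apiKey) {
  const prompt = typeof clientBody?.prompt === 'string' ? clientBody.prompt.trim().slice(0, 4000) : '';
  if (!prompt) return null;
  return {
    url: 'https://api.openai.com/v1/chat/completions',
    init: {
      method: 'POST',
      headers: { 'Content-Type': 'application/json', Authorization: `Bearer ${apiKey}` },
      body: JSON.stringify({ model: 'gpt-4o-mini', messages: [{ role: 'user', content: prompt }] }),
    },
  };
}

// `doFetch` is injected so the handler can be exercised offline with a stub.
async function handleChat(clientBody, env, doFetch) {
  const apiKey = env[serverOnlyName('OPENAI_API_KEY')];
  if (!apiKey) return { status: 500, body: { error: 'server not configured' } };
  const upstream = buildUpstreamRequest(clientBody, apiKey);
  if (!upstream) return { status: 400, body: { error: 'prompt required' } };
  const res = await doFetch(upstream.url, upstream.init);
  if (!res.ok) return { status: 502, body: { error: 'upstream error' } }; // never echo the upstream body
  const data = await res.json();
  // Return only the answer, not the raw upstream response (ids, usage, org data).
  return { status: 200, body: { answer: data?.choices?.[0]?.message?.content ?? '' } };
}

// Minimal HTTP front-end around the handler (Node 18+, which has global fetch).
async function startServer(port, env = process.env) {
  const http = await import('node:http'); // dynamic import works under both CommonJS and ESM
  const server = http.createServer((req, res) => {
    if (req.method !== 'POST' || req.url !== '/api/chat') { res.writeHead(404).end(); return; }
    let raw = '';
    req.on('data', (chunk) => { raw += chunk; if (raw.length > 64 * 1024) req.destroy(); });
    req.on('end', async () => {
      let body; try { body = JSON.parse(raw); } catch { body = {}; }
      const out = await handleChat(body, env, globalThis.fetch);
      res.writeHead(out.status, { 'Content-Type': 'application/json' }).end(JSON.stringify(out.body));
    });
  });
  return new Promise((resolve) => server.listen(port, () => resolve(server)));
}

// Offline demo with a stubbed upstream; call startServer(3000) to serve for real.
const stubFetch = async (url, init) => ({
  ok: true,
  json: async () => ({ choices: [{ message: { content: `echo: ${JSON.parse(init.body).messages[0].content}` } }] }),
});
handleChat({ prompt: 'hello' }, { OPENAI_API_KEY: 'sk-not-a-real-key' }, stubFetch).then((r) => console.log(r));
```

The browser code then calls `/api/chat` with `{ prompt }` and nothing else; the key lives only in the server process's environment, and `serverOnlyName` fails loudly if someone later renames the variable with a `VITE_` prefix.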
Run `ALTER TABLE x ENABLE ROW LEVEL SECURITY;` for every table the API exposes, then add a policy per operation you allow that compares `auth.uid()` to the row's `user_id`. Enabling RLS with no policies blocks all `anon` and `authenticated` access through the API, which is the safe default until the policies exist. CheckVibe links to the exact migration to run.
Replace `*` with your real origin, e.g. `https://yourapp.com`. If you genuinely need cross-origin access, keep an explicit allowlist server-side, echo the request's `Origin` only when it is on that list, and send `Vary: Origin`; never reflect arbitrary origins, least of all together with `Access-Control-Allow-Credentials: true`.
Netlify reads a `_headers` file; Vercel takes a `headers` block in `vercel.json` or a middleware. CheckVibe outputs ready-to-paste headers for your stack.
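An added example that covers both the CORS and header checks described earlier and the fixes just given (not CheckVibe's checks and not a Vercel or Netlify config file). `auditHeaders` and `secureHeaders` are pure functions over plain header objects; the function names, finding ids, severities and the sample CSP are mine. The audit is probed with an origin you do not own, because that is the only way to tell an allowlist echo from blind reflection.

```javascript
// Added example; not CheckVibe's checks and not a Vercel or Netlify config file.
// auditHeaders() reproduces the CORS/CSP/HSTS/framing checks described above;
// secureHeaders() produces the fixed set. Names, ids and the CSP value are mine.

const lower = (headers) =>
  Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v)]));

// `requestOrigin` is the Origin the probe was sent with. Use a value you do not
// own, so that a backend reflecting any Origin is caught.
function auditHeaders(rawHeaders, requestOrigin) {
  const h = lower(rawHeaders);
  const findings = [];
  const acao = h['access-control-allow-origin'];
  const creds = (h['access-control-allow-credentials'] || '').toLowerCase() === 'true';
  if (acao === '*' && creds) {
    // Browsers refuse this combination: no leak, but nobody configured CORS on purpose.
    findings.push({ id: 'cors-wildcard-with-credentials', severity: 'medium' });
  } else if (acao && acao === requestOrigin && creds) {
    // The real leak: authenticated responses readable from an attacker's origin.
    findings.push({ id: 'cors-reflected-origin-with-credentials', severity: 'critical' });
  } else if (acao === '*') {
    findings.push({ id: 'cors-wildcard', severity: 'low' });
  }
  const csp = h['content-security-policy'];
  if (!csp) findings.push({ id: 'missing-csp', severity: 'high' });
  else if (/script-src[^;]*'unsafe-inline'/.test(csp)) findings.push({ id: 'csp-unsafe-inline-script', severity: 'medium' });
  if (!h['strict-transport-security']) findings.push({ id: 'missing-hsts', severity: 'medium' });
  if (!h['x-frame-options'] && !/frame-ancestors/.test(csp || '')) findings.push({ id: 'clickjacking', severity: 'medium' });
  return findings;
}

// Hardened headers for one response. CORS headers are emitted only for an
// allowlisted Origin, echoing that exact value (never '*'), with Vary: Origin
// so shared caches keep per-origin responses apart.
function secureHeaders(requestOrigin, allowedOrigins, withCredentials = false) {
  const headers = {
    'Content-Security-Policy': "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'",
    'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
    'X-Frame-Options': 'DENY',
    'X-Content-Type-Options': 'nosniff',
    'Referrer-Policy': 'strict-origin-when-cross-origin',
  };
  if (requestOrigin && allowedOrigins.includes(requestOrigin)) {
    headers['Access-Control-Allow-Origin'] = requestOrigin;
    headers['Vary'] = 'Origin';
    if (withCredentials) headers['Access-Control-Allow-Credentials'] = 'true';
  }
  return headers;
}

// Constructed samples: what a scaffolded backend typically sends, a reflecting
// backend, and the fixed set, all probed from an origin we do not own.
const ATTACKER = 'https://evil.example';
const SCAFFOLD = { 'Access-Control-Allow-Origin': '*', 'Access-Control-Allow-Credentials': 'true', 'Content-Type': 'application/json' };
const REFLECTING = { 'Access-Control-Allow-Origin': ATTACKER, 'Access-Control-Allow-Credentials': 'true' };
console.log(auditHeaders(SCAFFOLD, ATTACKER));
console.log(auditHeaders(REFLECTING, ATTACKER));
console.log(auditHeaders(secureHeaders(ATTACKER, ['https://yourapp.com'], true), ATTACKER)); // []
```

The values `secureHeaders` returns are the same ones you would paste into Netlify's `_headers` or Vercel's `vercel.json`; the CORS branch is the part that has to stay in server code, because it depends on the incoming `Origin`.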
Bolt apps change every day. Wire CheckVibe to scan on every deploy via the GitHub Action or run the cron on a free Pro account.
Yes, but you need to harden the output. The scaffold is a starting point, not a production-ready app. Most security issues are at the layer Bolt doesn't touch (RLS, headers, key hygiene).
No. Bolt focuses on getting code working. There's no automatic scan for exposed keys, missing RLS, or insecure headers.
Exposed API keys in `VITE_`-prefixed env variables. Anything with that prefix is sent to the browser and can be extracted by anyone visiting your site.
Under 60 seconds. We run 100+ checks in parallel and return a graded report.
No. CheckVibe scans only public endpoints, respects robots.txt, and never modifies data. Probes are read-only and benign.