Is my Bolt app secure? A 2-minute self-check
Bolt (bolt.new) is great at taking you from an idea to a deployed full-stack app in one sitting. The trade-off is that the security hygiene, the boring part, is the step that quietly gets skipped. That is fine while you are prototyping, and it matters the moment you share the link.
Here is a quick self-check for the handful of things that actually bite people. None of it needs special tools.
1. Is your database open?
Most Bolt apps store data in Supabase or Firebase. The single most common issue is that access rules were never turned on, so the public key that ships in your page lets anyone read your tables. If you use Supabase, confirm Row Level Security is enabled on every table with a policy that scopes rows to the right user. If you use Firebase, check that your security rules are not left in the default open state.
2. Are there secrets in your bundle?
Open your live app, view source, and search for sk_, service_role, or AIza. A publishable key (pk_) or a Supabase anon key is meant to be public. A secret key, a service-role key, or an OpenAI or AWS key is not. If one is in the bundle, rotate it and move it server-side.
3. Are private files reachable?
Try visiting /.env, /.git/config, and your source-map files directly. None of them should load for a stranger. A reachable .env hands over your secrets, and public source maps rebuild your original code for anyone curious enough to look.
4. The basics
Confirm HTTPS is enforced with a valid certificate, that you are not shipping a wide-open CORS policy, and that the common security headers are present.
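The bundle search in step 2 and the header check in step 4 can be scripted against text you have already fetched from your own app. The following is an added example, not part of the original post or the scanner it mentions; the key prefixes beyond those named above (Stripe `pk_`/`sk_`, OpenAI `sk-`, AWS `AKIA`) are the vendors' well-known public formats, the regexes and sample values are constructed here, and the expected header list is an assumption about what "common security headers" means.

```python
import re

# Key formats to look for in a served JS bundle. "public" ones are meant to ship;
# "secret" ones must be rotated and moved server-side. Regexes are constructed
# for this example and cover the well-known prefixes, not every vendor.
KEY_PATTERNS = {
    "stripe_publishable":    (re.compile(r"\bpk_(?:live|test)_[A-Za-z0-9]{8,}"), "public"),
    "stripe_secret":         (re.compile(r"\bsk_(?:live|test)_[A-Za-z0-9]{8,}"), "secret"),
    "supabase_service_role": (re.compile(r"service_role"), "secret"),
    "google_api_key":        (re.compile(r"\bAIza[0-9A-Za-z_-]{20,}"), "secret"),
    "openai_secret":         (re.compile(r"\bsk-[A-Za-z0-9]{20,}"), "secret"),
    "aws_access_key_id":     (re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "secret"),
}

def classify_keys(bundle_text):
    """Map each pattern name found in the bundle text to 'public' or 'secret'."""
    return {name: cls for name, (rx, cls) in KEY_PATTERNS.items() if rx.search(bundle_text)}

def secrets_in_bundle(bundle_text):
    """Sorted names of secret-class patterns present; public keys are not findings."""
    return sorted(n for n, c in classify_keys(bundle_text).items() if c == "secret")

# Headers this example treats as the 'basics'; names are compared case-insensitively.
EXPECTED_HEADERS = ("strict-transport-security", "content-security-policy",
                    "x-content-type-options", "x-frame-options", "referrer-policy")

def header_findings(headers):
    """Findings from a response header map: missing expected headers and a wildcard CORS origin."""
    lower = {k.lower(): v.strip() for k, v in headers.items()}
    findings = ["missing header: " + h for h in EXPECTED_HEADERS if h not in lower]
    if lower.get("access-control-allow-origin") == "*":
        findings.append("cors: wildcard origin")
    return findings

# Constructed sample bundle: a publishable key (fine) next to a leaked secret key (not fine).
SAMPLE_BUNDLE = (
    'const stripe=Stripe("pk_test_EXAMPLEpublishable000");'
    'fetch("/api",{headers:{Authorization:"Bearer sk_test_EXAMPLEsecret00000"}});'
)
# Constructed sample response headers: HSTS present, the rest missing, CORS wide open.
SAMPLE_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=63072000",
    "Access-Control-Allow-Origin": "*",
}

if __name__ == "__main__":
    print("keys in bundle:", classify_keys(SAMPLE_BUNDLE))
    print("secrets to rotate:", secrets_in_bundle(SAMPLE_BUNDLE))
    for finding in header_findings(SAMPLE_HEADERS):
        print("header check:", finding)
```

In practice, feed `classify_keys` the text of your own served bundle and `header_findings` the headers from a response to your own app's URL.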
The shortcut
Going through this by hand once is worth it. To make it quick, we built a free scanner: paste your app URL at task-bounty.com/scan and it shows, in a few seconds, exactly what your live app exposes to any visitor. It is read-only, it never logs in, and it works on any JavaScript or TypeScript app, not just Bolt.
Think of it as a flashlight, not a grade. A clean result means the common, cheap-to-find leaks are not showing, which is the exact set of mistakes that turn into an incident. Worth a look before you share your app widely.