Bolt.new Security Guide

AI full-stack app builder in the browser

Risk level: high

Bolt.new generates and deploys full-stack applications from natural language prompts. Like other AI builders, it prioritizes speed over security — common issues include exposed environment variables, missing auth on API routes, and insecure default configurations.

Common Vulnerabilities

Environment variables exposed in client bundle (critical)

Secret keys intended for server-side use get bundled into the client-side JavaScript.

Keep server-only secrets in server-side env vars and never give them a VITE_ or NEXT_PUBLIC_ prefix: those prefixes tell the bundler to inline the value into the client JavaScript.

No rate limiting on API endpoints (high)

Generated APIs lack rate limiting, allowing brute-force and abuse.

Add rate limiting middleware (e.g., express-rate-limit or edge function rate limiting).
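As an added example (not Bolt.new or Erzo code), the following dependency-free fixed-window limiter shows what rate-limiting middleware such as express-rate-limit has to do: count requests per key inside a window, reject with 429 and a Retry-After once the limit is hit, and forget old buckets. The clock is injectable so the behaviour can be checked without waiting; the Express `app` in the usage comment is assumed.

```javascript
// Added example (not Bolt.new or Erzo code): a dependency-free fixed-window
// rate limiter plus an Express-style middleware around it.
function createRateLimiter({ windowMs, max }) {
  const buckets = new Map(); // key -> { count, windowStart }

  // Records one request for `key` and reports whether it is within the limit.
  function check(key, now = Date.now()) {
    let bucket = buckets.get(key);
    if (!bucket || now - bucket.windowStart >= windowMs) {
      bucket = { count: 0, windowStart: now }; // start a fresh window
      buckets.set(key, bucket);
    }
    bucket.count += 1;
    const allowed = bucket.count <= max;
    return {
      allowed,
      remaining: Math.max(0, max - bucket.count),
      retryAfterMs: allowed ? 0 : bucket.windowStart + windowMs - now,
    };
  }

  // Drops buckets whose window has passed so the map cannot grow without bound.
  // Returns the number of buckets still live.
  function prune(now = Date.now()) {
    for (const [key, bucket] of buckets) {
      if (now - bucket.windowStart >= windowMs) buckets.delete(key);
    }
    return buckets.size;
  }

  return { check, prune };
}

// keyFn chooses what to limit on. Per client IP is the default; login routes
// usually combine an IP key with a per-account key so neither alone is enough.
function rateLimitMiddleware(limiter, keyFn = (req) => req.ip) {
  return function (req, res, next) {
    const result = limiter.check(keyFn(req));
    res.setHeader('X-RateLimit-Remaining', String(result.remaining));
    if (!result.allowed) {
      res.setHeader('Retry-After', String(Math.ceil(result.retryAfterMs / 1000)));
      res.status(429).json({ error: 'Too many requests' });
      return;
    }
    next();
  };
}

// Usage with an assumed Express app:
//   const loginLimiter = createRateLimiter({ windowMs: 15 * 60 * 1000, max: 10 });
//   app.post('/api/login', rateLimitMiddleware(loginLimiter), loginHandler);

module.exports = { createRateLimiter, rateLimitMiddleware };
```

A single in-process Map is fine for one server; behind several instances or serverless functions the counters must live in a shared store (or use the platform's edge rate limiting), otherwise each instance grants the full limit on its own.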

Default database credentials (critical)

Generated projects may use default or weak database passwords.

Change all default credentials immediately. Use strong, randomly generated passwords.

Missing CSRF protection (high)

Form submissions lack CSRF tokens, enabling cross-site request forgery.

Implement CSRF tokens for all state-changing operations.

Insecure session management (medium)

Sessions may use predictable IDs or lack proper expiry.

Generate session IDs from a cryptographically secure random source, store them in cookies with the Secure, httpOnly and SameSite=Strict attributes, and give both the cookie and the server-side session an explicit expiry.

Pre-Launch Security Checklist

Verify no secret keys are prefixed with VITE_ or NEXT_PUBLIC_ (required)
Add rate limiting to all public API endpoints (required)
Change all default database and admin credentials (required)
Implement CSRF protection on state-changing routes (required)
Configure secure session cookies (httpOnly, SameSite, Secure)
Add input validation on all form submissions (required)
Test authentication flow for bypass vulnerabilities (required)
Review generated middleware for security gaps
Check that error responses don't leak internal details
Scan the deployed bundle for exposed secrets (required)

Security Tips

1. Always check the generated package.json for outdated or vulnerable dependencies.

2. Use Erzo's Header Checker on your deployed URL to verify security headers.

3. Don't deploy directly from Bolt to production — review the code first.
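As an added example (not Bolt.new or Erzo code, and not the Header Checker's own logic), here is the kind of check a security-header scan performs, written so it can be run locally over the headers of a response from your deployment, together with an Express-style middleware that sets a sound baseline. The header values are a conservative starting set; the CSP in particular is meant to be loosened per app rather than started from nothing.

```javascript
// Added example (not Bolt.new or Erzo code): audit and set HTTP security headers.
const RECOMMENDED_HEADERS = {
  'strict-transport-security': 'max-age=31536000; includeSubDomains',
  'content-security-policy': "default-src 'self'; frame-ancestors 'none'; object-src 'none'; base-uri 'self'",
  'x-content-type-options': 'nosniff',
  'x-frame-options': 'DENY',
  'referrer-policy': 'strict-origin-when-cross-origin',
  'permissions-policy': 'camera=(), microphone=(), geolocation=()',
};

// Headers that only advertise the stack and should not be sent.
const LEAKY_HEADERS = ['x-powered-by', 'server'];

const MIN_HSTS_SECONDS = 15552000; // 180 days

// headers: plain object of name -> value, e.g. Object.fromEntries(response.headers)
// from fetch(). Names are compared case-insensitively.
function auditSecurityHeaders(headers) {
  const lower = {};
  for (const [k, v] of Object.entries(headers)) lower[k.toLowerCase()] = String(v);

  const missing = Object.keys(RECOMMENDED_HEADERS).filter((h) => {
    if (h in lower) return false;
    // CSP frame-ancestors supersedes X-Frame-Options, so do not double-report.
    if (h === 'x-frame-options' && /frame-ancestors/i.test(lower['content-security-policy'] || '')) return false;
    return true;
  });

  const weak = [];
  const xcto = lower['x-content-type-options'];
  if (xcto && xcto.toLowerCase() !== 'nosniff') weak.push('x-content-type-options');
  const hsts = lower['strict-transport-security'];
  if (hsts) {
    const m = /max-age=(\d+)/i.exec(hsts);
    if (!m || Number(m[1]) < MIN_HSTS_SECONDS) weak.push('strict-transport-security');
  }
  const csp = lower['content-security-policy'];
  if (csp && /unsafe-inline|unsafe-eval/i.test(csp)) weak.push('content-security-policy');

  const leaking = LEAKY_HEADERS.filter((h) => h in lower);
  return { missing, weak, leaking };
}

// Express-style middleware. Express adds X-Powered-By by default; removing it
// here (or calling app.disable('x-powered-by')) stops the framework leak.
function securityHeadersMiddleware(overrides = {}) {
  const headers = { ...RECOMMENDED_HEADERS, ...overrides };
  return function (req, res, next) {
    for (const [name, value] of Object.entries(headers)) res.setHeader(name, value);
    res.removeHeader('X-Powered-By');
    next();
  };
}

module.exports = { RECOMMENDED_HEADERS, auditSecurityHeaders, securityHeadersMiddleware };
```

Fetch your deployed URL, pass the response headers to auditSecurityHeaders, and treat a non-empty `missing` or `leaking` list as a pre-launch blocker; `weak` entries need a judgement call about the specific app.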

Scan your Bolt.new app now

Erzo automatically detects these vulnerabilities and gives you actionable fixes.

Erzo — AI Code Security Scanner | Error Zero