
    How to Secure Bolt.new

    Step-by-step guide to securing your Bolt.new application. Learn how to protect against common vulnerabilities, configure security settings, and launch with confidence.

    Understanding Bolt.new Security

    Bolt.new uses WebContainers to run your project's Node.js toolchain inside the browser tab, and supports multiple backends including Supabase and Firebase. Two consequences shape every item below: the code Bolt writes runs in your users' browsers once deployed, so it cannot be trusted to enforce authorization or to hold secrets; and your backend's security rules (Supabase Row Level Security, Firebase Security Rules) are therefore the real boundary between users and data. Security depends on configuring both the project and the backend with that in mind.

    Security Checklist

    Follow these 12 steps to secure your Bolt.new application. Items marked as critical should be addressed before launch.

    1. Configure backend security (Critical)

    Bolt.new supports multiple backends (Supabase, Firebase). The generated frontend talks to that backend directly with a public key, so the backend's own rules are the only authorization layer. Enable Row Level Security on every table in the Supabase public schema, or write Firestore and Storage rules that deny by default, before anything ships.

    2. Enable authentication (Critical)

    Use the backend's built-in authentication (Supabase Auth or Firebase Authentication) rather than a hand-rolled users table, require email verification before a new account can access data, and set a minimum password length. Never store passwords in your own tables.

    3. Audit API keys (Critical)

    Check for exposed API keys in the WebContainer environment and in client-side code. The Supabase anon key and the Firebase web config are public by design and are protected by your security rules; the Supabase service_role key, a Firebase service-account JSON, and any third-party secret key (payments, email, LLM providers) must never be shipped to the browser.

    4. Review database security rules (Critical)

    Whether you use Supabase RLS or Firebase Security Rules, confirm that every read and write is scoped to the requesting user (for example auth.uid() = user_id in a Supabase policy, or request.auth.uid == userId in a Firestore rule). An RLS policy of using (true), or a Firestore rule of allow read, write: if true, is equivalent to having no rule at all.
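The two Supabase items above (enable RLS, then check the policies actually restrict rows) can be audited from the Postgres catalog. The following is an added example, not code from Bolt.new, Supabase or VibeEval: it takes the rows returned by two queries against pg_tables and pg_policies and flags tables the anon key can reach without a meaningful policy. The table names and policy rows are constructed to look like that query output; nothing is fetched from a real project.

```javascript
// Added example (not Bolt.new, Supabase or VibeEval code): flag tables in a Supabase
// project that the anon key can reach without meaningful Row Level Security.
// Input is the result of two catalog queries, run in the SQL editor or psql:
//   select tablename, rowsecurity from pg_tables where schemaname = 'public';
//   select tablename, policyname, cmd, roles, qual, with_check
//     from pg_policies where schemaname = 'public';
// The rows below are constructed to look like that output; nothing is fetched.

const sampleTables = [
  { tablename: "profiles",  rowsecurity: true },
  { tablename: "orders",    rowsecurity: false }, // typical generated schema: RLS never enabled
  { tablename: "audit_log", rowsecurity: true },  // RLS on, no policies: deny-all
  { tablename: "products",  rowsecurity: true },  // public catalog, readable by everyone
  { tablename: "comments",  rowsecurity: true },  // "fix" applied: a policy that allows everything
];

const samplePolicies = [
  { tablename: "profiles", policyname: "profiles_select_own", cmd: "SELECT",
    roles: "{authenticated}", qual: "(auth.uid() = id)", with_check: null },
  { tablename: "profiles", policyname: "profiles_update_own", cmd: "UPDATE",
    roles: "{authenticated}", qual: "(auth.uid() = id)", with_check: "(auth.uid() = id)" },
  { tablename: "products", policyname: "products_public_read", cmd: "SELECT",
    roles: "{public}", qual: "true", with_check: null },
  { tablename: "comments", policyname: "comments_allow_all", cmd: "ALL",
    roles: "{public}", qual: "true", with_check: null },
];

// A policy is unconditional when every expression it carries is the literal `true`.
function isUnconditional(policy) {
  const exprs = [policy.qual, policy.with_check].filter((e) => e != null);
  return exprs.length > 0 && exprs.every((e) => e.trim() === "true");
}

function auditRls(tables, policies) {
  const byTable = new Map();
  for (const p of policies) {
    byTable.set(p.tablename, [...(byTable.get(p.tablename) || []), p]);
  }
  const findings = [];
  for (const t of tables) {
    const pols = byTable.get(t.tablename) || [];
    if (!t.rowsecurity) {
      findings.push({ table: t.tablename, severity: "critical",
        issue: "RLS disabled: the anon key can read and write every row" });
      continue;
    }
    if (pols.length === 0) {
      findings.push({ table: t.tablename, severity: "info",
        issue: "RLS enabled with no policies: all API access is denied (safe, but any feature using this table will fail)" });
      continue;
    }
    for (const p of pols) {
      if (!isUnconditional(p)) continue;
      const write = p.cmd !== "SELECT";
      findings.push({ table: t.tablename, policy: p.policyname, severity: write ? "critical" : "warning",
        issue: write
          ? `policy ${p.policyname} (${p.cmd}, roles ${p.roles}) lets anyone modify rows: equivalent to RLS off`
          : `policy ${p.policyname} exposes every row to roles ${p.roles}: fine for a catalog, not for user data` });
    }
  }
  return findings;
}

// Run with: node audit_rls.js
for (const f of auditRls(sampleTables, samplePolicies)) {
  console.log(`${f.severity.padEnd(8)} ${f.table}${f.policy ? " / " + f.policy : ""}: ${f.issue}`);
}
```

The useful distinction is the third case: RLS switched on with a policy of using (true) passes a "is RLS enabled?" check but protects nothing. For Firebase the equivalent review is reading the rules file for allow read, write: if true.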

    5. Secure environment variables (Critical)

    Use Bolt.new's environment variable system for sensitive configuration, and remember that a variable your frontend reads is not secret: with Vite, anything prefixed VITE_ is inlined into the deployed JavaScript bundle. Keep real secrets in variables read only by server-side code such as Supabase Edge Functions or Firebase Cloud Functions.
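Items 3 and 5 together amount to one check: does anything in the project's environment that would ship to the browser carry a server-only credential? The script below is an added example, not code from Bolt.new, Supabase or VibeEval. It decodes legacy Supabase keys (JWTs whose payload carries role anon or service_role), and pattern-matches a few other secret shapes; the sb_secret_ prefix for Supabase's newer secret keys is an assumption to adjust for your project. The .env content and the keys in it are constructed, and the JWTs are unsigned lookalikes.

```javascript
// Added example (not Bolt.new, Supabase or VibeEval code): scan a .env file for
// secrets that should never reach a browser bundle. Shapes checked:
//   - legacy Supabase keys: JWTs whose payload carries role "anon" (public by design)
//     or "service_role" (bypasses RLS; server-only)
//   - Supabase's newer secret keys, prefixed sb_secret_ (assumed prefix; adjust if yours differs)
//   - PEM private keys, e.g. from a Firebase service-account JSON
//   - Stripe-style sk_live_ / sk_test_ keys
// The env content and the keys below are constructed; the JWTs are unsigned lookalikes.

const PUBLIC_PREFIXES = ["VITE_", "NEXT_PUBLIC_", "REACT_APP_"]; // inlined into client bundles

function b64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString("base64url");
}

// Constructed lookalike of a legacy Supabase key; real ones are HS256-signed by the project secret.
function fakeSupabaseKey(role) {
  return `${b64url({ alg: "HS256", typ: "JWT" })}.${b64url({ iss: "supabase", ref: "exampleref", role })}.sig`;
}

function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  try {
    const claims = JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
    return claims && typeof claims === "object" ? claims : null;
  } catch {
    return null; // not a JWT (e.g. a URL that happens to contain two dots)
  }
}

function classifyValue(value) {
  const claims = decodeJwtPayload(value);
  if (claims && claims.iss === "supabase" && claims.role === "service_role") return "Supabase service_role key";
  if (claims && claims.iss === "supabase" && claims.role === "anon") return null; // public by design; RLS is the control
  if (value.startsWith("sb_secret_")) return "Supabase secret key";
  if (/BEGIN (RSA |EC )?PRIVATE KEY/.test(value)) return "private key";
  if (/^sk_(live|test)_/.test(value)) return "Stripe secret key";
  return null;
}

function auditEnv(envText) {
  const findings = [];
  for (const raw of envText.split("\n")) {
    const line = raw.trim();
    if (!line || line.startsWith("#")) continue;
    const eq = line.indexOf("=");
    if (eq < 0) continue;
    const name = line.slice(0, eq).trim();
    const value = line.slice(eq + 1).trim().replace(/^["']|["']$/g, "");
    const kind = classifyValue(value);
    if (!kind) continue;
    const clientVisible = PUBLIC_PREFIXES.some((p) => name.startsWith(p));
    findings.push({
      name, kind,
      severity: clientVisible ? "critical" : "warning",
      reason: clientVisible
        ? `${kind} under a client-exposed prefix: it will ship in the deployed JavaScript`
        : `${kind} present in the project: acceptable only if read solely by server-side code`,
    });
  }
  return findings;
}

const sampleEnv = [
  "# constructed sample .env; none of these are real credentials",
  "VITE_SUPABASE_URL=https://exampleref.supabase.co",
  `VITE_SUPABASE_ANON_KEY=${fakeSupabaseKey("anon")}`,
  `VITE_SUPABASE_SERVICE_KEY=${fakeSupabaseKey("service_role")}`, // wrong key under a public prefix
  `SUPABASE_SERVICE_ROLE_KEY=${fakeSupabaseKey("service_role")}`,
  "VITE_STRIPE_KEY=sk_test_0000000000000000",
  'FIREBASE_PRIVATE_KEY="-----BEGIN PRIVATE KEY-----\\nMIIEexample\\n-----END PRIVATE KEY-----"',
].join("\n");

// Run with: node audit_env.js
for (const f of auditEnv(sampleEnv)) console.log(`${f.severity.padEnd(8)} ${f.name}: ${f.reason}`);
```

The anon key produces no finding on purpose: it is meant to be public, and the protection for it is the RLS work in item 4, not secrecy. A service_role key is flagged even without a VITE_ prefix, because inside a WebContainer project there is no server-side code unless you have explicitly created an edge or cloud function that reads it.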

    6. Test WebContainer isolation

    Bolt.new runs your development environment in a WebContainer, a Node.js runtime hosted inside the browser tab. It is a sandbox for you, not a trusted server for your users: any logic placed there (admin checks, rate limits, secret handling) executes on the client once deployed. Move such operations behind the backend and verify none remain in client code.

    7. Validate form inputs

    Validate on the client for usability and again on the server (an edge or cloud function, database constraints, or the security rules themselves), because client-side checks are bypassed by a single direct request to the API. Allowlist the fields a request may set so a user cannot submit extra columns such as role or is_admin.

    8. Configure CORS

    Set the CORS policy on your API endpoints to an explicit list of your own origins. Do not use Access-Control-Allow-Origin: * or reflect the request's Origin header on any endpoint that uses credentials (cookies or Access-Control-Allow-Credentials: true).
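The following is an added example, not code from Bolt.new or VibeEval, contrasting the origin-reflecting handler that is often produced when someone asks an assistant to "fix the CORS error" with an exact-match allowlist. It is written for an API endpoint such as a Supabase Edge Function or Cloud Function in front of a Bolt.new app; the origins, request objects and the applyCors function are constructed for the example.

```javascript
// Added example (not Bolt.new or VibeEval code): origin allowlisting for an API
// endpoint fronting a Bolt.new app. Origins and request objects are constructed.

const ALLOWED_ORIGINS = new Set([
  "https://app.example.com", // assumed production origin of the deployed frontend
  "http://localhost:5173",   // local Vite dev server
]);

// The weak form: whatever origin asks is echoed back, together with credentials.
// Any site can then make authenticated requests on behalf of a logged-in user.
function reflectAnyOrigin(requestOrigin) {
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Hardened form: exact-match allowlist, credentials only when configured,
// and Vary: Origin so caches never serve one origin's answer to another.
function corsHeaders(requestOrigin, allowed = ALLOWED_ORIGINS, { credentials = true } = {}) {
  if (typeof requestOrigin !== "string" || !allowed.has(requestOrigin)) return null;
  const headers = {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Methods": "GET, POST, OPTIONS",
    "Access-Control-Allow-Headers": "Authorization, Content-Type",
    "Access-Control-Max-Age": "600",
    "Vary": "Origin",
  };
  if (credentials) headers["Access-Control-Allow-Credentials"] = "true";
  return headers;
}

// Decide what to do with one request of shape { method, headers: { origin } }.
// proceed:true means run the real handler and attach `headers` to its response;
// proceed:false means answer immediately with `status` and `headers`.
function applyCors(req, allowed = ALLOWED_ORIGINS) {
  const origin = req.headers.origin;
  if (origin === undefined) return { proceed: true, headers: {} }; // no Origin: same-origin or non-browser caller
  const headers = corsHeaders(origin, allowed);
  if (!headers) return { proceed: false, status: 403, headers: {} }; // the browser would block it anyway; fail fast
  if (req.method === "OPTIONS") return { proceed: false, status: 204, headers }; // preflight
  return { proceed: true, headers };
}

// Run with: node cors.js
console.log(applyCors({ method: "OPTIONS", headers: { origin: "https://app.example.com" } }));
console.log(applyCors({ method: "POST", headers: { origin: "https://evil.example" } }));
```

Exact matching matters: a check based on startsWith or a loose regex would accept https://app.example.com.evil.example. Note also that CORS only governs what browsers let other sites read; it does nothing against a direct request from curl, so it never substitutes for authentication and the backend rules in items 1 and 4.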

    9. Review third-party packages

    Audit npm dependencies for known vulnerabilities (npm audit, or your registry's equivalent), pin versions in the lockfile, and remove packages the generated code does not actually use.

    10. Enable HTTPS

    Ensure every deployed endpoint, including the backend and any custom domain, is served over HTTPS. Most hosting providers provision certificates automatically; still check that plain HTTP redirects to HTTPS and that no API URL in the code is hard-coded as http://.

    11. Test error handling

    Verify errors don't expose sensitive information: return a generic message and an incident identifier to the user, and keep stack traces, SQL errors, constraint names, and internal hostnames in server-side logs only.
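Items 7 and 11 meet in the same request handler: validate and allowlist the input, then decide what a failure may reveal. The code below is an added example, not code from Bolt.new, Supabase or VibeEval. The field rules, the 12-character minimum, the incident-id scheme and the Postgres-style error objects (code 23505 is unique_violation, which Supabase passes through from Postgres) are assumptions for the example; insertUser stands in for the real database call.

```javascript
// Added example (not Bolt.new, Supabase or VibeEval code): server-side validation
// for a signup request and an error mapper that decides what a client may see.
// Field rules, the 12-character minimum and the PG-style error objects are assumptions.

class ValidationError extends Error {
  constructor(fields) {
    super("validation failed");
    this.fields = fields; // { fieldName: "reason" }
  }
}

const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

// Allowlist the fields a signup may set; anything else (role, is_admin, credits ...) is
// dropped rather than passed through to an insert. Output encoding in the UI is still
// required: rejecting < and > here narrows what gets stored, it does not replace escaping.
function validateSignup(body) {
  const src = body && typeof body === "object" ? body : {};
  const email = typeof src.email === "string" ? src.email.trim().toLowerCase() : "";
  const password = typeof src.password === "string" ? src.password : "";
  const displayName = typeof src.displayName === "string" ? src.displayName.trim() : "";

  const fields = {};
  if (email.length > 254 || !EMAIL_RE.test(email)) fields.email = "invalid email address";
  if (password.length < 12 || password.length > 128) fields.password = "password must be 12 to 128 characters";
  if (displayName.length < 1 || displayName.length > 50) fields.displayName = "display name must be 1 to 50 characters";
  else if (/[\u0000-\u001f<>]/.test(displayName)) fields.displayName = "display name contains disallowed characters";
  if (Object.keys(fields).length > 0) throw new ValidationError(fields);
  return { email, password, displayName };
}

// Turn any thrown error into a client response. Stack traces, SQL text, constraint
// names and hostnames stay in the server log, keyed by an incident id the user can quote.
function toClientError(err, log = console.error) {
  if (err instanceof ValidationError) {
    return { status: 400, body: { error: "validation_failed", fields: err.fields } };
  }
  const incidentId = Date.now().toString(36) + Math.random().toString(36).slice(2, 8); // hypothetical correlation id
  log(`[incident ${incidentId}]`, err && err.stack ? err.stack : String(err));
  if (err && err.code === "23505") {
    // Postgres unique_violation, as surfaced by Supabase. A distinct 409 on signup tells
    // callers which emails are registered; if enumeration matters for your app, answer
    // 201 with a generic "check your inbox" flow instead.
    return { status: 409, body: { error: "already_exists", incidentId } };
  }
  return { status: 500, body: { error: "internal_error", incidentId } };
}

// insertUser stands in for the real database call (e.g. a Supabase insert) and is
// expected to throw on failure; log replaces console.error so callers can capture it.
function handleSignup(body, insertUser, log) {
  try {
    const user = validateSignup(body);
    insertUser(user);
    return { status: 201, body: { email: user.email } };
  } catch (err) {
    return toClientError(err, log);
  }
}

// Run with: node signup.js
console.log(handleSignup({ email: "ann@example.com", password: "correct horse battery", displayName: "Ann", role: "admin" },
  (u) => console.log("would insert", u)));
console.log(handleSignup({ email: "nope", password: "short", displayName: "<b>x</b>" }, () => {}));
```

The shape to look for when testing item 11 is the last branch: a database outage or a raw Postgres error must come back as internal_error plus an id, never as the original message, which typically contains the constraint name, the offending value, or an internal host and port.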

    12. Run security scan

    Use VibeEval to automatically detect vulnerabilities in your deployed app.

    Common Vulnerabilities in Bolt.new Apps

    Missing Backend Security

    Without proper Supabase RLS or Firebase Security Rules, data can be accessed by unauthorized users.

    Exposed Secrets

    API keys and credentials left in project code or environment files. Because the project lives in a browser-hosted WebContainer and its frontend is shipped to every user, anything placed there should be assumed public.

    Vulnerable Dependencies

    AI-generated code may include outdated npm packages with known security issues.

    Input Validation Gaps

    Missing input validation allowing XSS, injection, or other attacks.


    Automate Your Security Checks

    Don't manually verify each item. Let VibeEval scan your Bolt.new application and generate a comprehensive security report in minutes.
