Security Scanner for Bolt Apps
We scanned 289 Bolt apps. 7.3% had critical vulnerabilities. Is yours secure?
- 289 apps scanned
- 21 with CRITs
- 7.3% CRIT rate
Top issue: Supabase RLS off + hardcoded API keys in JS bundles (15% of apps)
What we check on Bolt apps
- Supabase RLS — extracts real table names from your JS bundle, tests each with the anon key
- API keys in bundles — OpenAI, Anthropic, Stripe, Google, AWS keys shipped client-side
- Authentication — IDOR, OAuth misconfiguration, weak session-token entropy, JWTs signed with weak secrets
- Infrastructure — exposed /.env and /.git, subdomain takeover, DNS issues
- AI code quality — hallucinated functions, unsafe eval(), hardcoded credentials
- 70+ total modules — nuclei CVE templates, XSS, CORS, CSP bypass, and more
Try it free
Paste your Bolt app URL on our homepage for a quick 10-second scan. For the full 70-module audit, sign up — one free scan, no card.