Auth middleware gaps, exposed credentials, rate limiting, and missing security headers — what Bolt builds and what it leaves unconfigured.
Bolt.new generates working, deployable applications. The distinction between "what it builds" and "what it skips" is where every security finding lives.
| Bolt builds this | Bolt does not configure this |
|---|---|
| UI components and routing | Authentication middleware on API routes |
| Database schema and queries | Supabase RLS policies on tables |
| API endpoints | Rate limiting on auth and sensitive endpoints |
| Form validation (client-side) | Server-side input validation and sanitisation |
| Environment variable references | Correct client/server variable separation |
| Deployment configuration | HTTP security headers (CSP, HSTS, X-Frame-Options) |
| Auth flow structure | CSRF protection on state-changing routes |
| Error responses | Error tracking and production monitoring |
| Finding | Severity | CWE |
|---|---|---|
| Auth middleware missing on protected API routes: routes that should require login accept unauthenticated requests. Any caller can read or modify other users' data. | P0 | CWE-306 |
| Credentials in client bundle or Git history: API keys, database credentials, or service_role keys appearing in files accessible to the browser or committed to the repository. | P0 | CWE-312 |
| Supabase RLS disabled (CVE-2025-48757 class): tables without RLS allow any user with the public anon key to read and write all rows. The anon key is in the client bundle by design. | P0 | CWE-284 |
| No rate limiting on auth endpoints: /login, /signup, /reset-password accept unlimited requests per IP. Brute-force and credential-stuffing attacks are unrestricted. OWASP A07:2021. | P1 | CWE-307 |
| CSRF protection absent: state-changing routes accept cross-origin requests without validating origin or using CSRF tokens. Attackers can trigger actions on authenticated users' behalf. | P1 | CWE-352 |
| HTTP security headers not configured: Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, and Strict-Transport-Security absent. Opens the door to clickjacking and XSS. | P1 | CWE-693 |
| Server-side input validation missing: validation exists only in client-side form logic. Any direct API call bypasses it — allowing oversized payloads, injection characters, and malformed data. | P2 | CWE-20 |
| No error tracking or monitoring: production errors are invisible. You learn about outages from support tickets, not alerts. No Sentry, Datadog, or equivalent configured. | P2 | CWE-778 |
Six steps that address the most common critical and high-severity findings before your app reaches real users.
- `grep -r "sk-\|service_role\|secret" ./dist ./public 2>/dev/null`. Rotate any key that was ever in a client file.
- `SELECT tablename, rowsecurity FROM pg_tables WHERE schemaname = 'public';` — every `false` is a public database. CVE-2025-48757 class.
- `Content-Security-Policy`, `X-Frame-Options: DENY`, `X-Content-Type-Options: nosniff`, `Strict-Transport-Security: max-age=31536000`.

CVE-2025-48757 is widely cited as a Lovable vulnerability. The root cause — Supabase tables with RLS disabled — is equally present in Bolt-generated apps. Bolt creates Supabase schemas without enabling row-level security. The anon key is in the client bundle. The result is identical: a direct GET request to your Supabase REST endpoint returns all data in unprotected tables.

```sql
-- Check your Bolt app's Supabase RLS status (false sorts first, so exposed tables appear at the top):
SELECT schemaname, tablename, rowsecurity
FROM pg_tables
WHERE schemaname = 'public'
ORDER BY rowsecurity, tablename;

-- Any row showing rowsecurity = false is publicly accessible.
-- Fix:
ALTER TABLE your_table ENABLE ROW LEVEL SECURITY;
```
URL-based scan. No code access. No signup. Free Launch Readiness Score in 60 seconds — security, reliability, performance, monitoring.
Scan my Bolt app — free

Bolt.new is a capable builder that generates production-deployable applications. It does not configure the security layer: authentication middleware, rate limiting, CSRF protection, HTTP security headers, and server-side input validation require manual implementation after Bolt generates the code. The Cloud Security Alliance documented 20 security incidents in AI-powered applications in February 2026 alone. All of these gaps are standard hardening steps, fixable once identified.
An LRC Bolt.new security audit covers four dimensions: Security (auth middleware, credential exposure, CSRF, rate limiting, HTTP headers, input validation), Reliability (error handling, uncaught exceptions, graceful degradation), Performance (N+1 queries, missing indexes, bundle bloat), and Monitoring (error tracking, uptime checks, alerting). Methodology: OWASP Top 10, CWE Top 25, CVSS v3 severity scoring.
In order of severity: missing authentication middleware on API routes (P0), credentials in the client bundle or Git history (P0), Supabase RLS disabled — the CVE-2025-48757 class (P0), no rate limiting on auth endpoints (P1), CSRF protection absent (P1), HTTP security headers not configured (P1), server-side input validation missing (P2), no production error tracking (P2).
Yes. Bolt apps that use Supabase have the same RLS exposure as Lovable apps. Supabase ships with RLS disabled by default on every table. Bolt-generated schemas do not enable it. Any user with the public anon key — which is in the client bundle by design — can read all data in unprotected tables. Run `SELECT tablename, rowsecurity FROM pg_tables WHERE schemaname = 'public';` in your Supabase SQL editor and check for `false` values.
A free Launch Readiness Score is available at launchreadycode.com — URL-based, no signup, 60 seconds. The full Launch Readiness Audit Report is $499 one-time, delivered in under 2 minutes. Ongoing monitoring starts at $149/month. Code Care DFY Technical Setup ($1,999 setup fee + $2,999/mo) implements every fix with a senior engineer reviewing every change before it merges.
Sources: CVE-2025-48757 (NVD / Matt Palmer, May 2025); Cloud Security Alliance AI Application Security Report, February 2026; OWASP Top 10 2021; CWE Top 25 2024; Supabase documentation. This page provides general security guidance, not a certification or guarantee.
Compliance Wing
Security fixed. Now check your compliance.
EU AI Act enforcement is now live — fines up to €35M for undisclosed AI systems. GDPR, SOC 2 foundations, and ISO 27001 foundations are separate obligations your security scan does not cover. One additional scan, 52 checks, 3 minutes. $799 — credited toward full implementation if you need it.
Run Compliance Score — $799 → 7-day money-back · No code access required