Bolt App Security Checklist - is your Bolt.new app safe to launch? | Sentido

Bolt App Security Checklist

Your Bolt.new app runs - this checks whether it leaks. 19 platform-specific checks covering committed .env files, secrets bundled into browser code, unprotected serverless functions and database rules. Independent tests find 40-62% of AI-generated code contains vulnerabilities - tick these off before strangers find them.

By Carl Mills - cloud & security engineer • Last updated • Progress saves in your browser • free personalized PDF print-out.

0%
0/0 items completed
0/100
Your selections are saved in your browser. Export a personalized PDF print-out any time.

Bolt security FAQ

Are VITE_ variables secret?

No - they're compiled into public browser JavaScript by design. Real secrets belong in Netlify (or other host) env vars, used only inside serverless functions.

Bolt wrote my keys into the code. What now?

Move them to server-side env vars, then regenerate every key that ever appeared in code or a prompt - deleting the line doesn't delete the history.

What next once everything's ticked?

Run the general 12-point AI-app launch checklist, compare hosting costs, and push the code to your own GitHub.

Want a professional pass?

A fixed-scope security review covers every item here plus the ones only an engineer would find - with a prioritised fix list.

Get in touch