Bolt App Security Checklist
Your Bolt.new app runs - this checks whether it leaks. 19 platform-specific checks covering committed .env files, secrets bundled into browser code, unprotected serverless functions and database rules. Independent tests find 40-62% of AI-generated code contains vulnerabilities - tick these off before strangers find them.
By Carl Mills - cloud & security engineer • Last updated • Progress saves in your browser • free personalized PDF print-out.
Bolt security FAQ
Are VITE_ variables secret?
No - they're compiled into public browser JavaScript by design. Real secrets belong in Netlify (or other host) env vars, used only inside serverless functions.
Bolt wrote my keys into the code. What now?
Move them to server-side env vars, then regenerate every key that ever appeared in code or a prompt - deleting the line doesn't delete the history.
What next once everything's ticked?
Run the general 12-point AI-app launch checklist, compare hosting costs, and push the code to your own GitHub.
Want a professional pass?
A fixed-scope security review covers every item here plus the ones only an engineer would find - with a prioritised fix list.
Get in touch