Tell Me When Down
How it worksWhat we checkPricing
BlogFree toolsCompareDocs
Log inGet started
All posts
Security for vibe-coded apps

Is Bolt.new secure? What the generated app leaves open

July 18, 2026·6 min read
A half-built structure lit at night — an app generated fast, with the doors not yet locked.

Bolt.new can stand up a working full-stack app in minutes, database and all. That speed is the point — and it's also why the security questions get skipped. "Is Bolt.new secure?" is really asking whether the app it generated for you is, and that's a different question with an answerable checklist.

Bolt itself is a legitimate tool. The risk lives in what it hands you: a generated app whose defaults favour working over locked-down, wired up so fast that nobody paused on who else can reach it.

The Supabase connection is where it leaks

When a Bolt app needs to store data, it commonly wires up Supabase — and that brings the single biggest gap in AI-built apps along with it. The app talks to the database from the browser using a public anon key, safe only if Row Level Security is switched on and its policies actually restrict each user to their own rows.

Because generated schema often isn't created through Supabase's Table Editor, RLS is frequently off — and the public key ends up able to read the whole database. It's the identical trap Lovable apps hit; the full mechanics, including the "RLS on but still public" policy trap, are in is my Supabase database public?

The app working perfectly tells you nothing about whether it's locked down. RLS off passes every functional test and fails every security one — and from the front end the two are indistinguishable.

Secrets the generator placed for convenience

A model wiring up an integration drops the key wherever makes the code run. That's fine for a publishable key and dangerous for a secret one. Check nothing private shipped in the bundle, and that no secret hides behind a client-exposed VITE_ prefix — the exposed-key problem in full.

Authorization the UI only pretends to enforce

Generated code loves to guard actions in the frontend, because that's where the button is. Hiding an admin control from non-admins isn't access control — the endpoint is still there to call directly. Every sensitive action needs a matching check on the server.

Audit your Bolt app

The fastest pass is to make the model check its own output, table by table and route by route:

paste into Claude or ChatGPT
My app was built with Bolt.new. Audit it for the security gaps Bolt-generated apps commonly ship with, and give me the exact fix for each.

1. If it uses Supabase: list every table and whether Row Level Security is enabled. Flag any table that's off — readable/writable by anyone with the public anon key. For tables with RLS on, tell me whether the policy actually restricts rows to the owning user or effectively allows everyone.
2. Secrets: are any API keys, tokens, or private keys committed to the repo or shipped in the client bundle? Which must move to server-side environment variables? Check that no secret uses a client-exposed prefix (VITE_ / NEXT_PUBLIC_).
3. Authorization: is every sensitive action checked on the server, or is any of it enforced only in the UI where a user could bypass it by calling the endpoint directly?
4. Leftover routes: are there any debug, admin, or seed endpoints still reachable in production?

For each finding, give me the file/table, the risk in one sentence, and copy-pasteable code or SQL to fix it.

This is the Bolt-specific cut of a pattern that runs through every AI builder — the cross-cutting version is vibe coding security risks, and the Supabase deep-dive is how to secure a Supabase app.

The part you can check from outside

RLS and secrets live in the code, but the certificate, headers, and cookies live on the public URL — testable in seconds:

free tool · no loginSecurity headers checkScan your Bolt app's live URL for the security headers a generator leaves unset — clickjacking, sniffing, and downgrade protection. No login.

Ship the Bolt app. Just don't ship it blind.

The audit above secures your Bolt.new app now. Tell Me When Down watches it after — SSL that lapses, a URL that starts erroring, a site that goes down — free, no card, so a quiet change doesn't become a public one.

Watch my appfree · no card required
more on security for vibe-coded apps
How to secure a Supabase app: the five settings that matterA Supabase app can be wide open, almost always for the same handful of reasons: RLS off, the service_role key in the browser, public buckets, unguarded functions, secrets in the bundle. Here's the map to closing each one.Is my Supabase database public? RLS, and how to checkYour Supabase anon key is public by design — safe only if RLS is on with a real policy. Tables made outside the Table Editor ship with it off, and USING(true) is still open. Here's how to check if your data is public.My API key is showing on my website — is that bad?An API key visible in your frontend is a shrug or an emergency depending on which kind it is. Public keys (anon, pk_, Maps) are meant to be seen; secret keys are compromised the instant they ship. How to tell, and what to do.Is my app built with AI safe? A non-developer's checkYou built an app with AI, it works, and you're quietly worried it's not safe — but you can't read code. Here are the four plain-English questions that matter, and how to check each one without being a developer.Is Lovable secure? The one setting that decides itA Lovable app can be wide open, and the difference is one setting most builders never touch. The anon-key/RLS model, the gap behind a 2025 CVE, and how to check yours.Is v0 secure? Keeping a generated Next.js app's secrets inv0's Next.js output looks production-ready, which is the trap. NEXT_PUBLIC_ bakes a var into the bundle, and a secret in a client component ships to the browser. Here's how to check a v0 app keeps its secrets in.Vibe coding security risks: the checklist nobody runsThe appeal of vibe coding is that you don't read every line — which is exactly why the holes get through. Exposed secrets, a database anyone can read, rules enforced only in the UI, and how to close each one.

spot something wrong or out of date? [email protected] — we'll fix it

Tell Me When Down

Uptime and security monitoring for people who'd rather ship than babysit servers. We watch so you can sleep.

product
How it worksWhat we checkPricingDocsBlogFAQ
free toolsWebsite security scanSupabase pause checkRender sleep checkMixed content checkerSecurity headers checkCookie security checkSSL expiry check
comparevs UptimeRobotvs Better Stackvs PingdomFor indie hackers
company
StatusAbout our botSupportPrivacyTerms
© 2026 TellMeWhenDown · tellmewhendown.com