Is Bolt.new safe?

Is Bolt.new safe to ship?

Bolt.new builds and runs a full-stack app entirely in the browser using StackBlitz WebContainers, then deploys it in a couple of clicks. That speed is real. So is the gap it tends to leave in the database it wires up.

Credit where it's due

What Bolt actually does well

Runs a real dev environment, frontend and backend, directly in the browser with no local setup.

Connects cleanly to Supabase, Netlify, and Vercel for a working deploy in minutes, not days.

Handles multi-file edits across the stack without losing track of what already works.

The gap

The gap: RLS-off tables and env vars marked public without realizing it

When Bolt wires up Supabase, the same default applies as everywhere else in this space: tables ship without row-level security unless someone explicitly turns it on. On top of that, Bolt's in-browser environment variable settings make it easy to mark a variable as exposed to the client without registering that "exposed" means it ships in the JavaScript bundle anyone can read. A secret key set that way is no different from pasting it directly into your HTML.

60-second self-check

Check Bolt for this yourself right now

Two checks, about 60 seconds combined.

  1. Open your live Bolt app, open devtools, and go to the Network tab. Find a request to a supabase.co domain and copy the apikey header value.

  2. Run:

       curl "https://<your-project>.supabase.co/rest/v1/<table-name>?select=*&limit=1" -H "apikey: <anon-key>"

     and see if rows come back with no login.

  3. Separately, open the devtools Sources tab and search the main JS bundle for "sk_live", "sk-", "AKIA", or "service_role".

  4. If any of those patterns show up in a file that ships to the browser, that key is public and should be rotated immediately.
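The two checks above as reusable functions, added here as an example (not the page's or the Leak Check tool's own code). It goes one step beyond the page's literal search: a Supabase API key is a JWT whose payload is base64url-encoded, so the string "service_role" never appears in the key itself, and the scanner therefore decodes every JWT it finds and reads the role claim. The sample bundle, token and probe responses are constructed.

```python
import base64
import json
import re
# Literal patterns from the page's self-check (Stripe, OpenAI-style, AWS, Supabase)
SECRET_PATTERNS = {
    "stripe_live_secret": re.compile(r"sk_live_[A-Za-z0-9]{8,}"),
    "openai_style_key": re.compile(r"(?<![A-Za-z0-9_])sk-[A-Za-z0-9_-]{16,}"),
    "aws_access_key_id": re.compile(r"\bAKIA[A-Z0-9]{16}\b"),
    "service_role_literal": re.compile(r"service_role"),
}
# header.payload.signature: Supabase API keys are JWTs whose payload carries a role claim
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.(eyJ[A-Za-z0-9_-]+)\.[A-Za-z0-9_-]+")

def jwt_role(payload_b64):
    """Decode a JWT payload and return its 'role' claim (no signature check needed)."""
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore base64url padding
    try:
        return json.loads(base64.urlsafe_b64decode(payload_b64)).get("role")
    except (ValueError, AttributeError):
        return None

def scan_bundle(text):
    """Return (finding, line number, redacted match) for every hit in bundle text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pat in SECRET_PATTERNS.items():
            hits += [(name, lineno, m.group(0)[:8] + "...") for m in pat.finditer(line)]
        for m in JWT_RE.finditer(line):
            role = jwt_role(m.group(1))
            if role:  # the literal "service_role" never appears inside the encoded key
                hits.append(("supabase_jwt_role:" + role, lineno, m.group(0)[:8] + "..."))
    return hits

def classify_probe(status, body):
    """Interpret the anon-key REST probe: 200 with rows means anyone can read the table."""
    if status != 200:
        return "denied" if status in (401, 403) else "other_error"
    rows = json.loads(body)  # 200 with [] means RLS blocked the read, or the table is empty
    return "readable_without_login" if isinstance(rows, list) and rows else "no_rows_for_anon"
def _fake_jwt(role):
    """Constructed sample token: real header/payload shape, dummy signature."""
    b64 = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{b64({'alg': 'HS256'})}.{b64({'iss': 'supabase', 'role': role})}.dummysig"

# Constructed sample bundle text (not from any real app)
SAMPLE_BUNDLE = "\n".join([
    f'const anonKey = "{_fake_jwt("anon")}";',
    f'const adminKey = "{_fake_jwt("service_role")}";',
    'const stripe = "sk_live_CONSTRUCTEDSAMPLE0000";',
])
```

Feed `scan_bundle` the text of each file the browser downloads, and `classify_probe` the status and body of the curl call from step 2; a table that reports "readable_without_login" needs RLS and a policy before anything else.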

Rather not do this by hand? The free Leak Check runs the anon-key probe and a client bundle scan against your live URL and gives you results in under a minute.


Where the numbers come from

We scanned 66 live apps built with Lovable, Bolt, Cursor, base44, and Tempo. 41% of the Supabase-backed apps had at least one table anyone could read with the public anon key. The full methodology and findings are in the data report.

FAQ

Common questions about Bolt security

Not particularly. It shares the same underlying pattern as Lovable and most Supabase-backed AI builders: the anon key is public by design, and RLS is the piece that has to be turned on separately. The env var confusion around what counts as "public" is specific to how Bolt exposes that setting in its UI.

Any variable that gets read inside a component or file that ships to the browser, not just ones with a special prefix. If you are unsure, check the Sources tab in devtools directly rather than trusting the variable name.

Rotate the key immediately in the provider dashboard (Stripe, OpenAI, AWS, or Supabase service role), then move the call that used it to a server-side API route or Edge Function so the key never reaches the client again.

No. The hosting provider serves whatever code and bundle Bolt produced. Neither Netlify nor Vercel filters secrets out of a client bundle; that has to be fixed at the source before deploy.

Yes, the free Leak Check automates both checks, the RLS probe and the bundle scan, against your live URL.