Your Bolt app might be handing out its keys.
Bolt builds full-stack apps in the browser and wires in whatever API you ask for. When a server key lands in the client bundle, anyone can read it. Scan yours free.
read-only · we fetch only what your visitors' browsers already download
What breaks on Bolt.new apps
Bolt.new moves fast across whole stacks — which means secrets and backends get wired in quickly, and sometimes wired in wrong. Here's what we check.
Server keys baked into the client bundle
Ask Bolt to “call OpenAI” and it may drop the key straight into your frontend JS, where every visitor can read it. sk-, sk_live_, AWS, and service-role keys don't belong in the browser. We find them — and correctly ignore the anon and publishable keys that are meant to be public.
Missing security headers on the deploy
Bolt's default hosting usually ships without a Content-Security-Policy or clickjacking protection. We check the browser-level defenses your app skips, and hand you the exact header to add.
A downloadable .env or source map
An exposed .env or a production source map that leaks your whole codebase is a one-request compromise. We probe for them by real content, not just a 200 status — so single-page-app false positives don't waste your time.
Built with something else?
The Supabase database Lovable ships with is open until you turn on RLS.
A NEXT_PUBLIC_ env var or a stray source map leaks more than you think.
AI-written auth often trusts the client. We test what's actually readable.
App, secrets, and database in one place — one misconfig exposes all three.