free · read-only · built for Bolt.new apps

Your Bolt app might be handing out its keys.

Bolt builds full-stack apps in the browser and wires in whatever API you ask for. When a server key lands in the client bundle, anyone can read it. Scan yours free.

https://

read-only · we fetch only what your visitors' browsers already download

What breaks on Bolt.new apps

Bolt.new moves fast across whole stacks — which means secrets and backends get wired in quickly, and sometimes wired in wrong. Here's what we check.

Server keys baked into the client bundle

Ask Bolt to “call OpenAI” and it may drop the key straight into your frontend JS, where every visitor can read it. sk-, sk_live_, AWS, and service-role keys don't belong in the browser. We find them — and correctly ignore the anon and publishable keys that are meant to be public.

Missing security headers on the deploy

Bolt's default hosting usually ships without a Content-Security-Policy or clickjacking protection. We check the browser-level defenses your app skips, and hand you the exact header to add.

A downloadable .env or source map

An exposed .env or a production source map that leaks your whole codebase is a one-request compromise. We probe for them by real content, not just a 200 status — so single-page-app false positives don't waste your time.