89%
of Bolt apps have at least one critical issue
< 60s
to get your full report
5 checks
run automatically on every scan
Free
no credit card, no account
Common vulnerabilities
The security issues we find in most Bolt apps
Bolt.new ships working apps in minutes, but the speed comes with tradeoffs. Generated code often sets CORS to wildcard, exposes API keys in frontend code, and skips the server-side validation that keeps your data safe.
What VibeScan checks
Every scan runs 8 automated checks
VibeScan looks at everything publicly visible in your Bolt app — the same things an attacker would look at on day one.
- ✓HTTPS enforcement — detects HTTP deployment
- ✓CORS policy — flags Access-Control-Allow-Origin: * in response headers
- ✓Exposed secrets — scans page source for API keys, JWT tokens, service credentials
- ✓Security headers — checks X-Frame-Options, CSP, HSTS, X-Content-Type-Options
- ✓Robots.txt exposure — flags sensitive paths revealed to crawlers
- ✓OpenAI key detection — identifies sk- prefixed keys in page source
- ✓Supabase credential exposure — detects ANON keys and service role keys
- ✓JWT token leakage — finds Bearer tokens embedded in scripts
Scan your Bolt app now
Paste your app URL and get a full security report in under 60 seconds. Free, no signup.
FAQ
Common questions about Bolt security
Is your Bolt app secure?
Paste your URL. Get a full security report in under 60 seconds — free, no login required.
Scan my Bolt app free →