AI App Builder

Bolt.new code audits, security reviews, and migrations

Bolt.new is StackBlitz's browser-based AI fullstack builder. It runs apps inside a WebContainer runtime and integrates with Supabase. Great for prototyping, but the AI's defaults leak secrets and skip security.

Top issues we find auditing Bolt.new apps

Patterns documented in primary-source security research, community forums, and real-world audits. These are the things that ship to production and break in front of users.

Secret keys exposed via VITE_ / NEXT_PUBLIC_ prefixes

Bolt's AI generates import.meta.env.VITE_OPENAI_API_KEY patterns, exposing OpenAI, Anthropic, and Stripe keys in the client bundle. The VITE_ and NEXT_PUBLIC_ prefixes tell the build tool to inline a variable into client-side JavaScript, so anyone who loads the app can read it.
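A pre-deploy check for this pattern, as an added example that is not Bolt.new's or StackBlitz's code: it scans source and .env text for client-prefixed variables whose names look like server-side secrets, while letting values that are public by design (Supabase URL and anon key, Stripe publishable key) through. The secret-name heuristics and the public allowlist are assumptions.

```javascript
// Added example (not Bolt.new or StackBlitz code): flag env references whose
// prefix ships them into the browser bundle and whose name looks like a secret.

// Prefixes that Vite and Next.js inline into client code at build time.
const CLIENT_PREFIX = "(?:VITE_|NEXT_PUBLIC_)";
// `import.meta.env.VITE_X` / `process.env.NEXT_PUBLIC_X` in source files.
const CODE_REF = new RegExp(`(?:import\\.meta\\.env|process\\.env)\\.(${CLIENT_PREFIX}[A-Z0-9_]+)`, "g");
// `VITE_X=value` lines in a .env file.
const DOTENV_LINE = new RegExp(`^\\s*(${CLIENT_PREFIX}[A-Z0-9_]+)\\s*=`);
// Substrings that mark a value which must never reach the client (assumed heuristics).
const SECRET_HINT = /OPENAI|ANTHROPIC|SECRET|PRIVATE|SERVICE_ROLE/;
// Names that are public by design and therefore safe under a client prefix (assumed list).
const PUBLIC_BY_DESIGN = new Set([
  "VITE_SUPABASE_URL", "VITE_SUPABASE_ANON_KEY",
  "NEXT_PUBLIC_SUPABASE_URL", "NEXT_PUBLIC_SUPABASE_ANON_KEY",
  "VITE_STRIPE_PUBLISHABLE_KEY", "NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY",
]);

// Returns [{ line, name }] for every client-prefixed env name that looks secret.
function findExposedSecrets(text) {
  const findings = [];
  text.split("\n").forEach((line, i) => {
    const names = [...line.matchAll(CODE_REF)].map((m) => m[1]);
    const dotenv = line.match(DOTENV_LINE);
    if (dotenv) names.push(dotenv[1]);
    for (const name of names) {
      if (!PUBLIC_BY_DESIGN.has(name) && SECRET_HINT.test(name)) {
        findings.push({ line: i + 1, name });
      }
    }
  });
  return findings;
}

// Constructed sample: the leaking pattern, a legitimately public value, a .env
// line, and the hardened form (the key stays behind a server route).
const SAMPLE = [
  "const openai = new OpenAI({ apiKey: import.meta.env.VITE_OPENAI_API_KEY });",
  "const db = createClient(import.meta.env.VITE_SUPABASE_URL, import.meta.env.VITE_SUPABASE_ANON_KEY);",
  "const stripe = new Stripe(process.env.NEXT_PUBLIC_STRIPE_SECRET_KEY);",
  "VITE_ANTHROPIC_API_KEY=sk-ant-constructed-placeholder",
  "const reply = await fetch('/api/chat', { method: 'POST', body: JSON.stringify(msg) });",
].join("\n");

console.log(findExposedSecrets(SAMPLE));
// [{ line: 1, name: 'VITE_OPENAI_API_KEY' }, { line: 3, name: 'NEXT_PUBLIC_STRIPE_SECRET_KEY' }, { line: 4, name: 'VITE_ANTHROPIC_API_KEY' }]
```

Run it as part of CI against the exported repo; a clean result means every secret-looking value is reached only through a server route or Edge Function, not through the bundle.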

Supabase RLS not enabled on table creation

Bolt creates tables via the Supabase integration but doesn't reliably enable RLS or create policies. Without RLS, the entire database becomes queryable via the anon key, which every client already holds.

Supabase project mis-binding

Bolt has shipped builds connected to the wrong Supabase project (StackBlitz issue #39478), exposing one user's auth flow to another's database.

Missing input validation everywhere

Forms write to the database directly through the Supabase client without validation, sanitization, or length checks.

Edge Function CORS errors stuck in fix-loops

A Supabase config issue the AI cannot debug because the problem is in the dashboard, not the code. Users report 7–12 million tokens burned on a single CORS bug.

Auth redirect URLs hardcoded to preview domains

Production deploys redirect users to *.bolt.new after OAuth instead of your real domain.

WebContainer env vars don't sync to production

StackBlitz issues #298 and #720: apps work in preview, fail in production with 'API key missing' because secrets stayed in WebContainer.

Cost & performance gotchas

  • The 'Attempt Fix' button re-sends the entire codebase as context. Reports of 100k–200k tokens per fix on a 20-component project, and 1.3M tokens lost in a day.
  • Context-window growth is roughly linear with project size.

Thinking of leaving Bolt.new?

We migrate Bolt.new apps to your own infrastructure starting at $500. Keep the work, drop the lock-in.

  • Next.js + Supabase + Vercel
  • Astro + Supabase
  • Vite + Supabase + Render
See migration details

Frequently asked questions

Does Bolt.new expose my API keys?

Often, yes. Bolt's AI uses VITE_ and NEXT_PUBLIC_ prefixes for secret values, which ships them to the browser. We've seen OpenAI, Anthropic, and Stripe keys regularly exposed in Bolt-built apps.

Why does Bolt.new burn so many tokens on bug fixes?

The 'Attempt Fix' button re-sends your full project context on each retry. A CORS bug in your Supabase dashboard (which Bolt can't see) can chew through 7–12 million tokens before you notice.

Can I move my Bolt.new app to my own stack?

Yes. The codebase exports to GitHub, but you'll need a real Node runtime instead of WebContainer, plus manual reconfiguration of Supabase RLS, secrets, and Edge Functions. We handle migrations from $500.

Ready to ship your Bolt.new app with confidence?

Tell us about your app. Fixed quote within 24 hours.

Request a Quote