Bolt.new shipped a million websites in five months. It is genuinely impressive at turning an idea into a working app. But 33% of Bolt apps we scanned had critical issues, and 79% had high-severity ones. The good news: most are a quick fix once you know where to look.
Bolt is good at generating functional code fast. It handles auth flows better than some platforms. But it has a consistent blind spot: the boundary between client and server. Secrets that should stay on the server end up in the browser. Auth checks that should run on every request only run in the UI.
Bolt often drops sensitive keys into frontend code. OpenAI keys, Stripe secret keys, database connection strings — if the AI does not know which values belong on the server, they end up in the JavaScript bundle anyone can read.
In our 100-app study, 54% of all vibe-coded apps had secrets sitting in frontend code. We found 12 apps leaking LLM keys (OpenAI, Anthropic) and 3 apps leaking Stripe secret keys. A leaked OpenAI key can run up thousands of dollars in unauthorized usage.
Bolt builds working API endpoints that handle the happy path just fine. But many routes skip the login check entirely — anyone with the URL can call them.
Broken access control (the umbrella term includes IDOR — reading another user's data by changing an ID) showed up in 41% of multi-user apps. The pattern is consistent: routes accept a record ID but never check who owns the record.
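The ownership gap described above, shown as an added example that is not Bolt-generated code and not part of the original article: one record route written the way the study found it, and the same route with the missing check. The handlers are plain functions so the snippet runs without a web server; the invoice data, the user IDs and `req.userId` (assumed to be set by the app's session middleware before the handler runs) are constructed for the demo.

```javascript
// Added example (not Bolt-generated or Flowpatrol code): one record route written
// the way the article describes and then with the missing ownership check, as
// plain handler functions so it runs without a web server. The invoices, the user
// IDs and req.userId (assumed to be set by the app's session middleware) are constructed.
const invoices = new Map([
  [101, { id: 101, ownerId: 'user-a', total: 120 }],
  [102, { id: 102, ownerId: 'user-b', total: 999 }],
]);

// The pattern from the study: the route accepts an ID and returns the record.
// Changing /invoices/101 to /invoices/102 in the URL reads another user's data.
function getInvoiceVulnerable(req) {
  const invoice = invoices.get(Number(req.params.id));
  if (!invoice) return { status: 404, body: { error: 'not found' } };
  return { status: 200, body: invoice };
}

// Fixed: the caller's identity comes from the server-side session, never from the
// request body or URL, and the lookup is scoped to that identity.
function getInvoiceSecure(req) {
  if (!req.userId) return { status: 401, body: { error: 'login required' } };
  const id = Number(req.params.id);
  if (!Number.isInteger(id)) return { status: 400, body: { error: 'invalid id' } };
  const invoice = invoices.get(id);
  // 404 for both "missing" and "not yours": the response then does not reveal
  // which IDs exist in the system.
  if (!invoice || invoice.ownerId !== req.userId) {
    return { status: 404, body: { error: 'not found' } };
  }
  return { status: 200, body: invoice };
}

// Demo: user-a asks for user-b's invoice through both handlers.
const crossUserRequest = { userId: 'user-a', params: { id: '102' } };
console.log(getInvoiceVulnerable(crossUserRequest).status);  // 200: user-b's invoice is returned
console.log(getInvoiceSecure(crossUserRequest).status);      // 404: refused
```

The fix is two lines, but it has to be present on every route that takes an ID: list, read, update and delete alike. Scoping the database query itself to the session user (`WHERE id = ? AND owner_id = ?`) gives the same result with one fewer branch to forget.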
Bolt is better at login than some platforms — it builds working sign-up and log-in flows. But "working" is not the same as "safe." Session handling, token checks, and brute-force protection are often incomplete.
Common patterns: predictable session tokens, no rate limiting on login, and login checks that only run in the UI but not in the API. Skip the UI and you get straight in.
Bolt apps typically ship without the headers that block injected scripts (Content Security Policy, or CSP), stop clickjacking, or force HTTPS. Some also leave their APIs open to any origin.
47% of the 100 apps we scanned were missing these basic headers. Without CSP, a cross-site scripting bug is much easier to turn into account takeover. APIs open to any origin let another site steal data from a logged-in user.
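The header set a hardened app should send, and a checker for the gaps the paragraph above names, as an added example that is not Bolt-generated code and not part of the original article. Given a response's headers (and the `Origin` the request carried) it reports a missing CSP, missing HSTS, a frameable page, and CORS that is open to any origin. The "default" response headers at the bottom are constructed to show the pattern; `https://app.example` and `https://other-site.example` are placeholder origins.

```javascript
// Added example (not Bolt-generated or Flowpatrol code): the header set a hardened
// app should send, and a checker that reports the gaps the article describes from
// a response's headers. The two header sets below are constructed for the demo.
const SECURE_HEADERS = {
  'Content-Security-Policy': "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'",
  'Strict-Transport-Security': 'max-age=63072000; includeSubDomains',
  'X-Frame-Options': 'DENY',
  'X-Content-Type-Options': 'nosniff',
  // CORS: name the one origin that may call the API; never '*' and never the reflected Origin.
  'Access-Control-Allow-Origin': 'https://app.example',
  'Vary': 'Origin',
};

// requestOrigin is the Origin header the request carried. A response that echoes
// it back with credentials allowed is the "open to any origin" pattern.
function checkHeaders(headers, requestOrigin = 'https://other-site.example') {
  const h = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v)])
  );
  const findings = [];
  const csp = h['content-security-policy'] || '';
  if (!csp) findings.push('no Content-Security-Policy: an XSS bug can load scripts from anywhere');
  if (!h['strict-transport-security']) findings.push('no Strict-Transport-Security: HTTPS is not forced on return visits');
  if (!h['x-frame-options'] && !/frame-ancestors/.test(csp)) {
    findings.push('no X-Frame-Options or frame-ancestors: the page can be framed for clickjacking');
  }
  const acao = h['access-control-allow-origin'];
  const withCredentials = h['access-control-allow-credentials'] === 'true';
  if (acao === '*') findings.push('CORS allows every origin to read API responses');
  if (acao && acao === requestOrigin && withCredentials) {
    findings.push("CORS reflects the request origin with credentials: another site can read a logged-in user's data");
  }
  return findings;
}

// Constructed "default" response of the kind the article describes: no protective
// headers, and the request's Origin echoed back with credentials allowed.
const DEFAULT_RESPONSE_HEADERS = {
  'Content-Type': 'application/json',
  'Access-Control-Allow-Origin': 'https://other-site.example',
  'Access-Control-Allow-Credentials': 'true',
};

console.log(checkHeaders(DEFAULT_RESPONSE_HEADERS));  // four findings
console.log(checkHeaders(SECURE_HEADERS));            // []
```

In Express, `res.set(SECURE_HEADERS)` sends the whole object on a response; in Next.js the same key/value pairs go into the `headers()` entry of `next.config.js`. The CSP shown is the strict starting point; apps that load scripts from a CDN add that host to `script-src` rather than dropping the header.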
Bolt generates full-stack apps from prompts. When you ask it to integrate with OpenAI, Stripe, or any third-party API, it needs to put the API key somewhere. The AI does not always distinguish between server-side and client-side contexts — so keys that should be in server environment variables end up referenced in frontend code.
In frameworks like Next.js or Vite, environment variables prefixed with NEXT_PUBLIC_ or VITE_ are intentionally bundled into client-side code. The AI sometimes uses these prefixes for secrets that should never be public. Other times, it imports server-only modules in client components.
The result is the same: open your deployed site, view source, and search for "apiKey" or "sk_" or "sk-ant-". If you find matches, those secrets are visible to every visitor. In our study, 54% of vibe-coded apps had at least one exposed secret. Three had live Stripe secret keys in the browser — meaning anyone could process charges or refunds on that account.
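The "view source and search" check from the paragraph above, as an added example that is not Bolt-generated code and not part of the original article. It goes a little further than the three search strings named there: a scanner with patterns for Stripe secret keys, Anthropic and OpenAI keys, database URLs that carry a password, and hard-coded `apiKey` values, plus a second check for secrets placed under `NEXT_PUBLIC_` or `VITE_` names in a `.env` file. The bundle text, the `.env` text and every key-looking value in them are constructed for the demo and are not real credentials.

```javascript
// Added example (not Bolt-generated or Flowpatrol code): the "view source and
// search" check as a scanner, with more patterns than the three strings named
// in the article, plus a check for secrets under NEXT_PUBLIC_/VITE_ names.
// The bundle, the .env text and every key-looking value are constructed for the demo.
const SECRET_PATTERNS = [
  // Stripe publishable keys (pk_...) belong in the client; secret keys (sk_...) never do.
  { name: 'Stripe secret key', re: /\bsk_(?:live|test)_[A-Za-z0-9]{8,}/g },
  { name: 'Anthropic API key', re: /\bsk-ant-[A-Za-z0-9_-]{8,}/g },
  { name: 'OpenAI API key', re: /\bsk-(?!ant-)[A-Za-z0-9_-]{20,}/g },
  { name: 'Database connection string with password',
    re: /\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?):\/\/[^\s"'`]+:[^\s"'`]+@[^\s"'`]+/g },
  { name: 'Hard-coded apiKey value', re: /\bapiKey["']?\s*[:=]\s*["'][^"']{12,}["']/g },
];

// Scan built bundle text (for a deployed app: every <script src> the page loads).
function scanBundle(text) {
  const findings = [];
  for (const { name, re } of SECRET_PATTERNS) {
    for (const m of text.matchAll(re)) {
      const line = text.slice(0, m.index).split('\n').length;
      findings.push({ name, line, preview: m[0].slice(0, 10) + '...' });  // never log the full value
    }
  }
  return findings.sort((a, b) => a.line - b.line);
}

// Variables named NEXT_PUBLIC_* or VITE_* are bundled into the client by design,
// so a secret under such a name is exposed even when no code "leaks" it.
function findPublicPrefixedSecrets(envText) {
  const hits = [];
  for (const line of envText.split('\n')) {
    const m = line.match(/^\s*(NEXT_PUBLIC_|VITE_)([A-Z0-9_]+)\s*=\s*(.*)$/);
    if (!m) continue;
    const [, prefix, rest, value] = m;
    const secretName = /SECRET|PRIVATE|PASSWORD|SERVICE_ROLE/.test(rest);
    // Rebuild each pattern without the g flag so .test() has no lastIndex state.
    const secretValue = SECRET_PATTERNS.some(p => new RegExp(p.re.source).test(value));
    if (secretName || secretValue) hits.push(prefix + rest);
  }
  return hits;
}

// Constructed bundle: one legitimate public value and four secrets that should not be there.
const SAMPLE_BUNDLE = [
  'const e="pk_test_publishable000000000000";',
  'const t="sk_test_DEMOVALUE0000000000000";',
  'fetch("https://api.openai.com/v1/chat/completions",{headers:{Authorization:"Bearer sk-DEMOxxxxxxxxxxxxxxxxxxxxxxxx"}})',
  'const n={apiKey:"DEMO-not-a-real-key-000000"};',
  'const r="postgres://app:hunter2@db.internal:5432/prod";',
].join('\n');

// Constructed .env: two public values, two secrets under public prefixes, one server-only secret.
const SAMPLE_ENV = [
  'NEXT_PUBLIC_API_URL=https://api.example.com',
  'VITE_STRIPE_PUBLISHABLE_KEY=pk_live_DEMO0000000000000000',
  'VITE_OPENAI_API_KEY=sk-DEMOxxxxxxxxxxxxxxxxxxxxxxxx',
  'NEXT_PUBLIC_SUPABASE_SERVICE_ROLE=eyJDEMO.not-a-real-jwt.000',
  'OPENAI_API_KEY=sk-DEMOyyyyyyyyyyyyyyyyyyyyyyyy',
].join('\n');

console.log(scanBundle(SAMPLE_BUNDLE));              // 4 findings, on lines 2, 3, 4 and 5
console.log(findPublicPrefixedSecrets(SAMPLE_ENV));  // ['VITE_OPENAI_API_KEY', 'NEXT_PUBLIC_SUPABASE_SERVICE_ROLE']
```

To run it against a real build, replace `SAMPLE_BUNDLE` with the contents of the files under the framework's output directory (or the script URLs the deployed page loads) and `SAMPLE_ENV` with the project's `.env` files. A hit from either function means the value has to move behind a server route or edge function, and the exposed key has to be rotated, since anyone who already viewed the source has it.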
Paste your URL. Flowpatrol scans your live app and tells you exactly what needs fixing — before your users or an attacker finds it first.
Analyzes your JavaScript bundles for API keys, database credentials, service tokens, and any other secrets that should not be client-side.
Tests every discoverable API endpoint to verify authentication is enforced server-side. Checks for IDOR by testing cross-user data access.
Validates security headers (CSP, HSTS, X-Frame-Options), CORS policy, and framework-specific configuration for known misconfigurations.
How the same BaaS default shipped to production in Moltbook, Tea, Cal AI, and Quittr.
Why AI tools keep leaking secrets into client bundles and how to check yours in 30 seconds.
How AI-generated APIs handle the happy path but miss the attack path.
The full list of vulnerability categories Flowpatrol scans for in AI-built apps.
You built fast. Now ship with confidence. One scan tells you exactly where you stand.