Bolt.new built a million websites in five months. It is genuinely impressive at turning ideas into working apps. But 33% of Bolt apps we tested had critical vulnerabilities, and 79% had high-severity issues. The good news: most are straightforward to fix once you know where to look.
Bolt is good at generating functional code fast. It handles auth flows better than some platforms. But it has a consistent blind spot: the boundary between client and server. Secrets that should stay on the server end up in the browser. Auth checks that should run on every request only run in the UI.
Bolt frequently puts sensitive environment variables into client-side code. OpenAI keys, Stripe secret keys, database connection strings — if the AI does not distinguish between server and client contexts, secrets end up in the JavaScript bundle anyone can read.
In our 100-app study, 54% of all vibe-coded apps had secrets exposed in client-side code. We found 12 apps leaking LLM API keys (OpenAI, Anthropic) and 3 apps leaking Stripe secret keys. A leaked OpenAI key can cost thousands of dollars in unauthorized usage.
Bolt generates functional API endpoints that handle CRUD operations correctly on the happy path. But many routes skip authentication checks entirely — anyone with the URL can call them.
IDOR and broken authorization affected 41% of apps with multi-user functionality. The pattern is consistent: API routes accept a resource ID but never verify that the requesting user owns that resource.
Bolt is better at auth than some platforms — it generates working login and registration flows. But "working" is not the same as "secure." Session management, token validation, and brute-force protection are often incomplete.
Common patterns include predictable session tokens, missing rate limiting on login endpoints, and auth checks that exist in the frontend but not in API routes — so bypassing the UI gives full access.
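The server-side gaps just described (a route that trusts the resource ID in the URL, and auth that lives only in the UI) as an added example, not Bolt's or Flowpatrol's code: a framework-agnostic request handler in its vulnerable and hardened forms. The invoice records, session table and token names are constructed stand-ins for a real database and auth layer.

```javascript
// Added example: constructed in-memory data standing in for a database.
const invoices = new Map([
  [101, { id: 101, ownerId: 'alice', total: 4200 }],
  [102, { id: 102, ownerId: 'bob', total: 150 }],
]);
// Constructed session table (opaque token -> user id); names are hypothetical.
const sessions = new Map([['tok-alice', 'alice'], ['tok-bob', 'bob']]);

// Vulnerable pattern: the route trusts the id from the URL and never asks
// who is calling. Any login check that exists lives in the frontend only,
// so a direct request to /api/invoices/102 returns Bob's record to anyone.
function getInvoiceVulnerable(req) {
  const invoice = invoices.get(Number(req.params.id));
  return invoice ? { status: 200, body: invoice } : { status: 404, body: null };
}

// Hardened pattern: authenticate on the server for every request, then
// confirm the authenticated user owns the resource before returning it.
function getInvoiceSecure(req) {
  const token = (req.headers.authorization || '').replace(/^Bearer /, '');
  const userId = sessions.get(token);
  if (!userId) return { status: 401, body: null }; // no valid session
  const invoice = invoices.get(Number(req.params.id));
  // Answer 404 for both "missing" and "not yours" so the response does not
  // reveal which ids exist; 403 is an acceptable alternative if you prefer.
  if (!invoice || invoice.ownerId !== userId) return { status: 404, body: null };
  return { status: 200, body: invoice };
}
```

The same ownership check belongs on every route that takes an id (update and delete included), not only on reads.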
Bolt apps typically ship without Content Security Policy, X-Frame-Options, or HSTS headers. Some configure CORS with wildcard origins on endpoints that require authentication.
47% of the 100 apps we scanned were missing basic security headers. Without CSP, any XSS vulnerability becomes significantly easier to exploit. Permissive CORS on authenticated endpoints can enable cross-origin data theft.
Bolt generates full-stack apps from prompts. When you ask it to integrate with OpenAI, Stripe, or any third-party API, it needs to put the API key somewhere. The AI does not always distinguish between server-side and client-side contexts — so keys that should be in server environment variables end up referenced in frontend code.
In frameworks like Next.js or Vite, environment variables prefixed with NEXT_PUBLIC_ or VITE_ are intentionally bundled into client-side code. The AI sometimes uses these prefixes for secrets that should never be public. Other times, it imports server-only modules in client components.
The result is the same: open your deployed site, view source, and search for "apiKey" or "sk_" or "sk-ant-". If you find matches, those secrets are visible to every visitor. In our study, 54% of vibe-coded apps had at least one exposed secret. Three had live Stripe secret keys in the browser — meaning anyone could process charges or refunds on that account.
Paste your URL. Flowpatrol scans your live app and tells you exactly what needs fixing — before your users or an attacker finds it first.
Analyzes your JavaScript bundles for API keys, database credentials, service tokens, and any other secrets that should not be client-side.
Probes every discoverable API endpoint to verify authentication is enforced server-side. Checks for IDOR by testing cross-user data access.
Validates security headers (CSP, HSTS, X-Frame-Options), CORS policy, and framework-specific configuration for known misconfigurations.
You built fast. Now ship with confidence. One scan tells you exactly where you stand.