Bolt + Supabase pre-launch security checklist
Bolt’s speed comes from generating an entire stack in seconds, but the generated defaults are not production defaults. The two recurring problems we see: env values written to deployed files instead of host env vars, and CORS set to wildcard. Walk this list before you ship.
12 checks
Each item has a detailed fix guide. The detector tag shows which scanner module flips the check to pass or fail when you run a SafeToShip scan.
- RLS enabled on every public table (Critical; detector: supabase)
- Service role JWT not present in deployed bundle (Critical; detector: js-secrets)
- .env not accessible at /.env on the deployed URL (Critical; detector: exposed-files)
- CORS replaced from wildcard to specific origins (High; detector: cors). Bolt-generated backends often default to Access-Control-Allow-Origin: *.
- No raw API keys in deployed JS bundles (Critical; detector: js-secrets)
- CSP header set on the deployed app (High; detector: headers)
- HSTS configured at the host (Netlify/Vercel) (High; detector: headers)
- X-Content-Type-Options: nosniff set (Medium; detector: headers)
- Cookies set Secure and HttpOnly (High; detector: cookies)
- Valid TLS and no mixed content (High; detector: ssl)
- SPF and DMARC published if sending email (Medium; detector: email)
- Rate limiting on auth + write endpoints (Medium; detector: rate-limit)
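The four header checks in the list (CSP, HSTS, X-Content-Type-Options, and Secure/HttpOnly cookies) can be verified against a captured response before you run a scan. The following is an added example written for this checklist, not SafeToShip's detector code or anything Bolt generates; the one-year HSTS threshold and the two sample responses are assumptions constructed for the demonstration.

```javascript
// Added example, not SafeToShip's "headers"/"cookies" detectors: evaluates the
// CSP, HSTS, nosniff and cookie checks against a captured HTTP response.
// Assumption: HSTS must carry a max-age of at least one year to count as configured.
const ONE_YEAR_SECONDS = 31536000;

// Lower-case all header names so lookups are case-insensitive.
function normaliseHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) out[name.toLowerCase()] = value;
  return out;
}

// True when default-src or script-src allows a bare "*" source (a CSP in name only).
function cspAllowsAnySource(csp) {
  return csp.split(";").some((directive) => {
    const [name, ...sources] = directive.trim().split(/\s+/);
    return (name === "default-src" || name === "script-src") && sources.includes("*");
  });
}

// True when Strict-Transport-Security carries a max-age at or above the threshold.
function hstsIsStrong(hsts) {
  const match = /max-age\s*=\s*(\d+)/i.exec(hsts);
  return match !== null && Number(match[1]) >= ONE_YEAR_SECONDS;
}

// True when every Set-Cookie line carries both Secure and HttpOnly.
// An app that sets no cookies passes vacuously.
function cookiesAreHardened(setCookies) {
  return setCookies.every((line) => {
    const attrs = line.split(";").slice(1).map((a) => a.trim().toLowerCase());
    return attrs.includes("secure") && attrs.includes("httponly");
  });
}

// Run the four checks. Set-Cookie values are passed as a separate array because
// fetch() folds repeated headers into one comma-joined string.
function checkResponseHeaders(headers, setCookies = []) {
  const h = normaliseHeaders(headers);
  const results = {
    csp: "content-security-policy" in h && !cspAllowsAnySource(h["content-security-policy"]),
    hsts: "strict-transport-security" in h && hstsIsStrong(h["strict-transport-security"]),
    nosniff: (h["x-content-type-options"] || "").trim().toLowerCase() === "nosniff",
    cookies: cookiesAreHardened(setCookies),
  };
  results.pass = Object.values(results).every(Boolean);
  return results;
}

// Constructed sample: a response as a freshly generated app might ship it.
const UNHARDENED = {
  headers: { "Content-Type": "text/html" },
  setCookies: ["session=abc123; Path=/"],
};

// Constructed sample: the same app after the host (Netlify/Vercel) adds the headers.
const HARDENED = {
  headers: {
    "Content-Type": "text/html",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; connect-src 'self' https://*.supabase.co",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
  },
  setCookies: ["session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"],
};

console.log("before:", checkResponseHeaders(UNHARDENED.headers, UNHARDENED.setCookies));
console.log("after: ", checkResponseHeaders(HARDENED.headers, HARDENED.setCookies));
```

To check a live deployment, fetch the page, pass `Object.fromEntries(response.headers)` as `headers`, and collect the Set-Cookie values with `response.headers.getSetCookie()` where the runtime supports it.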
Paste this into Bolt
One prompt that runs the entire checklist as a code review pass.
Audit my Bolt + Supabase app: enable RLS on every public table with ownership policies, ensure the service_role key is NOT in any deployed file or bundle, verify .env is not accessible at /.env, replace CORS wildcard with specific origins, remove any hardcoded API keys from client code, configure CSP/HSTS/X-Content-Type-Options at the host (Netlify or Vercel), set Secure+HttpOnly on session cookies, ensure TLS is valid, publish SPF and DMARC if you send email, and add rate limiting on auth and write endpoints.
FAQ
Frequently asked questions
- Why does Bolt expose .env so often?
- Bolt sometimes writes config values to project files that get bundled and deployed to /public/ or the root. Search the codebase for places where .env contents are read at build time rather than at runtime, and move build-time secrets to host environment variables.
- Should I leave the Bolt-generated CORS as-is?
- No — wildcard CORS plus credentials is the worst combination. Even without credentials, wildcard means any site can call your API. Set an allowlist of your production frontend origins.
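The allowlist the FAQ recommends, as an added example written for this page rather than code Bolt generates: the wildcard default is kept only for contrast, and the origins, the middleware shape, and the preflight values are constructed assumptions.

```javascript
// Added example, not Bolt-generated code: replaces wildcard CORS with an
// exact-match origin allowlist. ALLOWED_ORIGINS and the sample origins are constructed.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://www.example.com",
]);

// The generated default, kept only for contrast: any site may read responses.
function wildcardCorsHeaders() {
  return { "Access-Control-Allow-Origin": "*" };
}

// Hardened form. Origins must match exactly: a startsWith() or unanchored regex
// test would also accept https://app.example.com.evil.example, a common allowlist bug.
function corsHeadersFor(requestOrigin, options = {}) {
  const { allowed = ALLOWED_ORIGINS, credentials = false, preflight = false } = options;
  // Responses differ per origin, so shared caches must key on the Origin header.
  const headers = { Vary: "Origin" };
  if (typeof requestOrigin !== "string" || !allowed.has(requestOrigin)) {
    // No Allow-Origin header at all: the browser refuses the cross-origin read.
    return headers;
  }
  headers["Access-Control-Allow-Origin"] = requestOrigin;
  if (credentials) {
    // Only meaningful with a specific origin; browsers reject "*" together with credentials.
    headers["Access-Control-Allow-Credentials"] = "true";
  }
  if (preflight) {
    // Assumed values: list only the methods and headers the API actually uses.
    headers["Access-Control-Allow-Methods"] = "GET, POST, PATCH, DELETE";
    headers["Access-Control-Allow-Headers"] = "Authorization, Content-Type";
    headers["Access-Control-Max-Age"] = "600";
  }
  return headers;
}

// Express/Connect-style wrapper (assumed shape; no framework import is needed to run this).
function corsMiddleware(options = {}) {
  return (req, res, next) => {
    const isPreflight = req.method === "OPTIONS";
    const headers = corsHeadersFor(req.headers.origin, { ...options, preflight: isPreflight });
    for (const [name, value] of Object.entries(headers)) res.setHeader(name, value);
    if (isPreflight) return res.status(204).end();
    return next();
  };
}

console.log("allowed origin:", corsHeadersFor("https://app.example.com"));
console.log("unknown origin:", corsHeadersFor("https://app.example.com.evil.example"));
console.log("generated default:", wildcardCorsHeaders());
```

Register the middleware before your routes (`app.use(corsMiddleware({ credentials: true }))`) and keep the allowlist in a host environment variable so staging and production can differ without a code change.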
Per-issue depth
Fix guides for this checklist
Supabase RLS disabled
A Supabase table without RLS is readable (and often writable) by anyone with your anon key. Here is exactly how to turn on RLS and write your first policy.
CORS allows all origins
An Access-Control-Allow-Origin: * policy lets any site call your API. Sometimes that is fine, often it is a mistake. Here is how to decide and fix it.
Exposed .env file
An exposed .env file is a critical leak — it contains API keys, database URLs, and secrets. Here is why it happens in vibe-coded apps and how to lock it down.
Hardcoded API key in JS
Any secret in your client bundle is public. Here is how to find them, rotate them, and move the calls server-side.
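Finding the one key that must never ship is a matter of reading the JWT, since Supabase API keys of the JWT format carry a `role` claim of either `anon` (intended for the client) or `service_role` (server only). The following is an added example, not SafeToShip's js-secrets detector or the fix guide's code; the sample keys are constructed with a placeholder signature, and `makeJwt`, `makeFakeSupabaseKey`, `findSupabaseKeys` and `hasServiceRoleKey` are names chosen here.

```javascript
// Added example, not SafeToShip's "js-secrets" detector: scans built JS for Supabase
// JWT-format keys and classifies each by its "role" claim. Keys in other formats
// would need their own pattern.

// base64url helpers written out so no Node version assumptions are needed.
function base64UrlEncode(text) {
  return Buffer.from(text, "utf8").toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}
function base64UrlDecode(segment) {
  return Buffer.from(segment.replace(/-/g, "+").replace(/_/g, "/"), "base64").toString("utf8");
}

// Constructed test keys: real structure, placeholder signature (never a real secret).
function makeJwt(payload) {
  const header = base64UrlEncode(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  return `${header}.${base64UrlEncode(JSON.stringify(payload))}.not-a-real-signature-0000`;
}
function makeFakeSupabaseKey(role) {
  return makeJwt({ iss: "supabase", ref: "constructed-ref", role, iat: 1700000000, exp: 2000000000 });
}

// JWT shape: three base64url segments, header and payload both start with "eyJ" ('{"').
const JWT_PATTERN = /\beyJ[A-Za-z0-9_-]{7,}\.eyJ[A-Za-z0-9_-]{7,}\.[A-Za-z0-9_-]{10,}/g;

// Report every Supabase-issued JWT in the bundle with its role and a severity.
function findSupabaseKeys(bundleSource) {
  const findings = [];
  for (const match of bundleSource.matchAll(JWT_PATTERN)) {
    const token = match[0];
    let payload;
    try {
      payload = JSON.parse(base64UrlDecode(token.split(".")[1]));
    } catch {
      continue; // base64 that is not a JSON payload: not a JWT we can read
    }
    if (payload.iss !== "supabase") continue; // some other service's token
    findings.push({
      role: payload.role,
      // anon is expected in a client bundle; service_role bypasses RLS and must never ship.
      severity: payload.role === "service_role" ? "critical" : "info",
      index: match.index,
      preview: `${token.slice(0, 16)}...`,
    });
  }
  return findings;
}

function hasServiceRoleKey(bundleSource) {
  return findSupabaseKeys(bundleSource).some((f) => f.role === "service_role");
}

// Constructed bundle fragment: the anon key is fine, the admin client is the leak.
const SAMPLE_BUNDLE =
  `const supabase=createClient("https://constructed-ref.supabase.co","${makeFakeSupabaseKey("anon")}");` +
  `const admin=createClient("https://constructed-ref.supabase.co","${makeFakeSupabaseKey("service_role")}");`;

console.log(findSupabaseKeys(SAMPLE_BUNDLE));
console.log("ship blocked:", hasServiceRoleKey(SAMPLE_BUNDLE));
```

Run it over the files in your build output (for example everything under `dist/` or `.next/`) before deploying; a `critical` finding means rotating the service_role key in the Supabase dashboard and moving the call behind a server-side route, not just deleting the string.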
Run the scan to confirm each check
60 seconds. Free. No account required.