Bolt Production Readiness
In-browser full-stack app builder by StackBlitz. Here is what we find when FinishKit scans Bolt apps, and how to fix it before you ship.
Bolt.new runs a full dev environment in the browser, generating and executing code for React, Next.js, Astro, and more. Fast prototyping without local setup.
Common production issues in Bolt apps
These are the findings FinishKit catalogs as common in Bolt output. Each one comes with detection steps and a ready-to-copy fix.
Auth Check Only in Client Code
The auth gate runs only in a client component (useEffect redirect or conditional render), which an attacker bypasses by disabling JavaScript or hitting the API route directly.
IDOR Vulnerability on REST Endpoint
A REST endpoint returns resources by id without verifying the caller owns that resource. Any authenticated user can access any other user's data by changing the id in the URL.
Missing Row Level Security on Supabase Table
A public Supabase table has RLS disabled or has an overly permissive policy, meaning any authenticated user can read or modify every row regardless of ownership.
Secret API Key Exposed in Client Bundle
A sensitive credential (Stripe secret, OpenAI API key, Supabase service role key) is prefixed with NEXT_PUBLIC_, causing it to be inlined into the browser JavaScript bundle where anyone can read it.
Unverified Stripe Webhook
The Stripe webhook endpoint accepts any POST without verifying the signature header, allowing an attacker to forge subscription events, credit accounts, or cancel subscriptions.
Missing Input Validation on API Route
A POST or PATCH API route spreads the raw request body into a database write without validating that fields exist, match expected types, or lie within expected ranges.
Bolt guides on the blog
Bolt.new Apps: 7 Production Issues and How to Fix Them
Bolt.new gets you from idea to working app in minutes. But the generated code has consistent patterns that break in production. Here are 7 specific issues with code-level fixes.
Cursor vs Lovable vs Bolt: What Each Tool Gets Right (and What They All Skip)
Cursor hit $1B ARR. Lovable reached a $6.6B valuation. Bolt crossed 5M users. But all three leave critical gaps. Here's an honest comparison and what to do about it.
Scan your Bolt app
Connect your repo and get a prioritized Finish Plan covering every production gap FinishKit knows how to detect.