Bolt.new Security Scanner
Bolt.new can scaffold an entire full-stack app in seconds. The problem is that generated code prioritizes functionality over security. GraphQL introspection is left on, CORS accepts every origin, and there is zero rate limiting on any endpoint.
Content-Security-Policy headers are almost never present, which means any XSS vulnerability becomes a full account takeover. We have seen Bolt apps where a single injected script could exfiltrate every user session token.
VibeArmor probes your live Bolt app from the outside and reports exactly what an attacker can exploit. No code access needed. Paste a URL and get results in 3 minutes.
What VibeArmor detects in Bolt.new apps
- Missing Content-Security-Policy headers allowing script injection
- Exposed GraphQL endpoints with introspection enabled
- No rate limiting on API routes or authentication
- Client-side auth checks with no server-side validation
- Default CORS configuration accepting all origins
No signup • Results in 3 minutes
How VibeArmor helps
Critical exploits
Exposed secrets, auth bypass, injection, and cross-user data access. These get apps hacked.
Active defenses
HTTPS, CSP, rate limiting, and cookie security. Real protections that stop real attacks.
Best practices
Informational items that do not affect your grade. Good to know, not urgent to fix.
Related reading
- Vibe Coding Security Checklist: 15 Things to Check Before You Ship
A prioritized checklist covering the issues we find in 70%+ of AI-built apps.
- The 7 Most Common Vulnerabilities in AI-Generated Code
Missing CSP and open CORS are vulnerabilities #5 and #7 on this list.
- 5 Security Fixes Every Vibe Coder Should Know
Copy-paste code fixes for CSP headers, rate limiting, and CORS lockdown.
- Vibe Coding Security Risks — The Complete 2026 Guide
Security risks across all major AI coding tools with the 3-tier hackability model.