Bolt.new Security Scanner

Bolt.new can scaffold an entire full-stack app in seconds. The problem is that generated code prioritizes functionality over security. GraphQL introspection is left on, CORS accepts every origin, and there is zero rate limiting on any endpoint.

Content-Security-Policy headers are almost never present, which means any XSS vulnerability becomes a full account takeover. We have seen Bolt apps where a single injected script could exfiltrate every user session token.

VibeArmor probes your live Bolt app from the outside and reports exactly what an attacker can exploit. No code access needed. Paste a URL and get results in 3 minutes.

What VibeArmor detects in Bolt.new apps

  • Missing Content-Security-Policy headers allowing script injection
  • Exposed GraphQL endpoints with introspection enabled
  • No rate limiting on API routes or authentication
  • Client-side auth checks with no server-side validation
  • Default CORS configuration accepting all origins
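A defender-side version of the CSP, CORS and GraphQL introspection checks in this list, added here as an example and not VibeArmor's own scanner code. It runs over constructed sample responses rather than a live app, and the rate-limit check is only a hint, since the absence of rate-limit headers does not prove the endpoint is unlimited.

```python
"""Offline checks for the Bolt.new findings listed above (constructed example)."""
from __future__ import annotations

import json


def check_response_headers(headers: dict[str, str],
                           origin_sent: str = "https://evil.example") -> list[str]:
    """Return finding codes for one HTTP response's headers.

    origin_sent is the Origin value the probe request carried; a server that
    echoes it back (especially with credentials) accepts every origin.
    """
    h = {k.lower(): v for k, v in headers.items()}
    findings: list[str] = []
    if "content-security-policy" not in h:
        findings.append("MISSING_CSP")
    acao = h.get("access-control-allow-origin")
    with_creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao == "*":
        findings.append("CORS_WILDCARD")
    elif acao and acao == origin_sent:
        findings.append("CORS_REFLECTS_ORIGIN" + ("_WITH_CREDENTIALS" if with_creds else ""))
    # Hint only: absence of RateLimit-* / X-RateLimit-* / Retry-After is not proof.
    if not any(k.startswith(("ratelimit", "x-ratelimit", "retry-after")) for k in h):
        findings.append("NO_RATE_LIMIT_HEADERS")
    return findings


# The standard introspection probe body a scanner would POST to /graphql.
INTROSPECTION_QUERY = '{"query":"{ __schema { types { name } } }"}'


def graphql_introspection_enabled(response_body: str) -> bool:
    """True when the server answered the introspection probe with a schema."""
    try:
        data = json.loads(response_body)
    except json.JSONDecodeError:
        return False
    payload = data.get("data") or {} if isinstance(data, dict) else {}
    schema = payload.get("__schema") if isinstance(payload, dict) else None
    return isinstance(schema, dict) and "types" in schema


# Constructed samples: a freshly generated app versus a hardened one.
SAMPLE_HEADERS = {"Content-Type": "application/json",
                  "Access-Control-Allow-Origin": "*"}
HARDENED_HEADERS = {"Content-Security-Policy": "default-src 'self'",
                    "Access-Control-Allow-Origin": "https://app.example",
                    "RateLimit-Limit": "100"}
SAMPLE_GRAPHQL_RESPONSE = '{"data":{"__schema":{"types":[{"name":"User"},{"name":"Query"}]}}}'
```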

How VibeArmor helps

TIER 1

Critical exploits

Exposed secrets, auth bypass, injection, and cross-user data access. These get apps hacked.

TIER 2

Active defenses

HTTPS, CSP, rate limiting, and cookie security. Real protections that stop real attacks.

TIER 3

Best practices

Informational items that do not affect your grade. Good to know, not urgent to fix.