Free security check for apps built with Bolt
Bolt builds full-stack apps in the browser, which makes it tempting to put an API key where the front end can reach it. Run a free external check to catch exposed secrets and missing hardening.
Free, no card. You verify you own the domain before anything runs.
Common Bolt security pitfalls we check
API keys in front-end code
Without a clear server boundary, secret keys often land in client code and ship to every visitor.
Permissive CORS / open endpoints
Defaults that let any origin call your API. We check what's reachable and how it responds.
Missing security headers
No HSTS or content-type/framing protection on the deployed site.
Certificate & TLS issues
Weak TLS or a missing HTTPS redirect on your domain.
The free scan covers the externally-visible issues above (exposed secrets, TLS, security headers, email-DNS). When a customer asks for SOC 2, the same account upgrades to the full $50 external pentest with an auditor-ready report.