complyeah
Security scan · Bolt

Free security check for apps built with Bolt

Bolt builds full-stack apps in the browser, which makes it tempting to put an API key where the front end can reach it. Run a free external check to catch exposed secrets and missing hardening.

Free, no card. You verify you own the domain before anything runs.

Common Bolt security pitfalls we check

API keys in front-end code

Without a clear server boundary, secret keys often land in client code and ship to every visitor.

Permissive CORS / open endpoints

Defaults that let any origin call your API. We check what's reachable and how it responds.

Missing security headers

No HSTS or content-type/framing protection on the deployed site.

Certificate & TLS issues

Weak TLS or a missing HTTPS redirect on your domain.

The free scan covers the externally-visible issues above (exposed secrets, TLS, security headers, email-DNS). When a customer asks for SOC 2, the same account upgrades to the full $50 external pentest with an auditor-ready report.