Bolt security

Environment Variables Exposed in Bolt Client Bundle

Your Bolt.new application is bundling sensitive environment variables into the client-side JavaScript code. Anyone who opens browser DevTools can see your API keys, database connection strings, Stripe secret keys, or other credentials that should never leave the server.

This happens because Bolt's AI may prefix environment variables with VITE_ or NEXT_PUBLIC_, which tells the bundler to include them in the frontend build. While this is correct for public configuration like your site URL, it exposes any secret placed behind those prefixes.

The exposure is often discovered when you receive a massive bill from a third-party API, notice unauthorized data in your database, or when a user reports finding credentials in your page source. By then, the damage may already be done.

Error Messages You Might See

Unauthorized: Invalid API key detected from client IP 403 Forbidden - API key restricted to server-side use only Billing alert: Unusual API usage spike detected Warning: Secret key should not be used in client-side code
Unauthorized: Invalid API key detected from client IP403 Forbidden - API key restricted to server-side use onlyBilling alert: Unusual API usage spike detectedWarning: Secret key should not be used in client-side code

Common Causes

  • VITE_ prefix on secret keys — Bolt generated environment variables like VITE_STRIPE_SECRET_KEY or VITE_DATABASE_URL, causing Vite to bundle them into client JavaScript
  • Hardcoded secrets in source files — API keys placed directly in .ts or .tsx files rather than using environment variables at all
  • No backend proxy for API calls — The app calls third-party APIs (OpenAI, Stripe, Twilio) directly from the browser with embedded keys
  • All env vars loaded client-side — A shared config file imports every environment variable and is used in both server and client code
  • .env file committed to Git — The .env file containing all secrets was committed to the repository and is visible in the build output

How to Fix It

  1. Audit your bundle for secrets — Open browser DevTools, go to Sources, and search for 'key', 'secret', 'password', 'token', 'DATABASE' in your JavaScript bundles
  2. Remove VITE_ prefix from secrets — Rename VITE_STRIPE_SECRET_KEY to STRIPE_SECRET_KEY so it is only available server-side
  3. Create server-side API routes — Move all third-party API calls to backend routes or Supabase Edge Functions where secrets stay on the server
  4. Rotate all compromised credentials — If secrets were exposed in production, immediately generate new keys in each provider's dashboard and revoke the old ones
  5. Separate public and private config — Create two config files: one for public values (VITE_ prefixed) and one for server-only values (no prefix)
  6. Add .env to .gitignore — Ensure your .env file is listed in .gitignore and remove it from Git history with git filter-branch or BFG Repo Cleaner

Real developers can help you.

Taufan Taufan I’m a product-focused engineer and tech leader who builds scalable systems and turns ideas into production-ready platforms. Over the past years, I’ve worked across startups and fast-moving teams, leading backend architecture, improving system reliability, and shipping products used by thousands of users. My strength is not just writing code — but connecting product vision, technical execution, and business impact. Basel Issmail Basel Issmail ’m a Senior Full-Stack Developer and Tech Lead with experience designing and building scalable web platforms. I work across the full development lifecycle, from translating business requirements into technical architecture to delivering reliable production systems. My work focuses on modern web technologies, including TypeScript, Angular, Node.js, and cloud-based architectures. I enjoy solving complex technical problems and helping teams turn product ideas and prototypes into working platforms that can grow and scale. In addition to development, I often collaborate closely with product managers, business analysts, designers, and QA teams to ensure that solutions align with both technical and business goals. I enjoy working with startups and product teams where I can contribute both as a hands-on engineer and as a technical partner in designing and delivering impactful software. Bastien Labelle Bastien Labelle Full stack dev w/ 20+ years of experience MFox MFox Full-stack professional senior engineer (15+years). Extensive experience in software development, qa, and IP networking. Tejas Chokhawala Tejas Chokhawala Full-stack engineer with 5 years experience building production web apps using React, Next.js and TypeScript. Focused on performance, clean architecture and shipping fast. Experienced with Supabase/Postgres backends, Stripe billing, and building AI-assisted developer tools. Daniel Vázquez Daniel Vázquez Software Engineer with over 10 years of experience on Startups, Government, big tech industry & consulting. Stanislav Prigodich Stanislav Prigodich 15+ years building iOS and web apps at startups and enterprise companies. I want to use that experience to help builders ship real products - when something breaks, I'm here to fix it. Antriksh Narang Antriksh Narang 5 years+ Experienced Dev (Specially in Web Development), can help in python, javascript, react, next.js and full stack web dev technologies. Costea Adrian Costea Adrian Embedded Engineer specilizing in perception systems. Latest project was a adas camera calibration system. Alvin Voo Alvin Voo I’ve watched the tech landscape evolve over the last decade—from the structured days of Java Server Pages to the current "wild west" of Agentic-driven development. While AI can "vibe" a frontend into existence, I specialize in the architecture that keeps it from collapsing. My expertise lies in the critical backend infrastructure: the parts that must be fast, secure, and scalable. I thrive on high-pressure environments, such as when I had only three weeks to architect and launch an Ethereum redemption system with minimal prior crypto knowledge, turning it into a major revenue stream. What I bring to your project: Forensic Debugging: I don't just "patch" bugs; I use tools like Datadog and Explain Analyzers to map out bottlenecks and resolve root causes—like significantly reducing memory usage by optimizing complex DB joins. Full-Stack Context: Deep experience in Node.js and React, ensuring backends play perfectly with mobile and web teams. Sanity in the Age of AI: I bridge the gap between "best practices" and modern speed, ensuring your project isn't just built fast, but built to last.

You don't need to be technical. Just describe what's wrong and a verified developer will handle the rest.

Get Help

Frequently Asked Questions

Which environment variables are safe to expose in the browser?

Only values that are truly public: your Supabase anon key (with proper RLS), site URL, Google Analytics ID, and public feature flags. Never expose database URLs, secret API keys, or payment processor secret keys.

How do I check if my keys have already been exploited?

Check the usage dashboard for each exposed service. Look for API calls you didn't make, unexpected charges, or unfamiliar data in your database. Also check if your .env file appears in any public Git commits.

Related Bolt Issues

Missing Input Sanitization in Bolt App Forms

security

SQL Injection in Bolt AI-Generated Database Queries

security

Insecure Cookie Configuration in Bolt Application

security

Can't fix it yourself?
Real developers can help.

You don't need to be technical. Just describe what's wrong and a verified developer will handle the rest.

Get Help