
Move API keys off the client bundle

Keys in the JavaScript bundle are public. Attackers scan GitHub and deployed bundles for them 24/7. One exposed Stripe secret or OpenAI key can drain your account in hours.


Fixing this in Bolt

Bolt: StackBlitz's in-browser AI app builder with WebContainers

Bolt uses Vite-based WebContainers. Same rule as Lovable: no `VITE_` prefix for secrets; call a server endpoint.


The prompt for Bolt

Copy and paste this into your Bolt chat exactly as-is.

In Bolt, please update my project with these exact changes:

CRITICAL: Move exposed API keys server-side immediately

1. CRITICAL: API keys are exposed in the frontend code. This is an immediate security risk.
2. Move all secret keys to server-side environment variables.
3. Create server-side endpoints that make API calls on behalf of the frontend.
4. Only public/anon keys should ever be in client-side code.
5. Rotate all leaked keys immediately in each provider dashboard.
6. Add .env* to .gitignore.

Why this matters

Every AI coding tool, when asked to integrate Stripe, OpenAI, or Supabase, has at some point written the secret key directly in a React component. The component ships to the browser, the browser downloads the JS bundle, the secret is now public forever — even after you "fix" it, attackers who scraped the bundle still have it.

Automated bots crawl GitHub, npm, Vercel deployments, and Lovable shares looking for exposed keys. The time from "key pushed" to "key abused" is often under 30 seconds. OpenAI has a team that watches for this and rotates keys automatically — but only if their detection catches it before an attacker does.

This is the #1 security finding in our audits of Lovable and Bolt apps. The fix is always the same: move the key to a server environment variable, create a backend endpoint that the client calls, and let the backend use the secret to talk to the real API.
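As an added example (not Bolt's, Pantra's or any provider's own code), here is the backend half of that pattern in Node: the secret lives in a server environment variable, the browser calls `/api/chat` with no key, and the server adds the `Authorization` header and handles failures without echoing `process.env`. The upstream URL, model name, route and env var name are assumptions, and `fetchImpl`/`log` are injectable so the handler can be exercised offline.

```javascript
// Added example (not Bolt's, Pantra's or any provider's code): a server-side
// proxy endpoint that holds the upstream secret so the browser never sees it.
// Assumes Node 18+ (global Request/Response/fetch); UPSTREAM_URL, the model name
// and the /api/chat route are assumptions for illustration.
const UPSTREAM_URL = "https://api.openai.com/v1/chat/completions";

function json(obj, status) {
  return new Response(JSON.stringify(obj), { status, headers: { "content-type": "application/json" } });
}

// The secret comes from a plain server env var: no VITE_ or NEXT_PUBLIC_ prefix,
// so the bundler never inlines it into client code. fetchImpl and log are
// injectable so the handler can be tested without network access.
function createProxyHandler({
  secret = process.env.OPENAI_API_KEY,
  fetchImpl = globalThis.fetch,
  log = console.error,
} = {}) {
  if (!secret) throw new Error("OPENAI_API_KEY is not set on the server");

  return async function handle(req) {
    if (req.method !== "POST") return json({ error: "method not allowed" }, 405);
    let body;
    try {
      body = await req.json();
    } catch {
      return json({ error: "invalid JSON body" }, 400);
    }
    // Allow-list what the client may control; the key never comes from the client.
    const messages = Array.isArray(body.messages) ? body.messages.slice(0, 20) : [];
    const payload = { model: "gpt-4o-mini", messages };
    try {
      const upstream = await fetchImpl(UPSTREAM_URL, {
        method: "POST",
        headers: { authorization: `Bearer ${secret}`, "content-type": "application/json" },
        body: JSON.stringify(payload),
      });
      // Relay status and body; the Authorization header stays on the server.
      return new Response(await upstream.text(), { status: upstream.status, headers: { "content-type": "application/json" } });
    } catch (err) {
      // Log the message only: never process.env, the request headers or the payload.
      log("upstream call failed:", err.message);
      return json({ error: "upstream unavailable" }, 502);
    }
  };
}
```

Wire `createProxyHandler()` to whatever server runtime the project deploys (an Express route, a serverless function, or an edge handler that accepts a `Request`); the client then does `fetch("/api/chat", { method: "POST", body })` and never holds the key.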

How to use this prompt in Bolt

  1. Open your Bolt project.
  2. Copy the prompt above with the copy button.
  3. Paste into the Bolt chat and send.
  4. Review the diff, accept the changes, redeploy.
  5. Verify the fix using the checklist below.

Common mistakes to avoid

  • Using `NEXT_PUBLIC_STRIPE_SECRET_KEY` — the prefix made it public. Every `NEXT_PUBLIC_*` ships to the browser.
  • Calling OpenAI directly from a React component — the key is downloaded with the JS bundle.
  • Committing `.env` to git instead of `.env.local` — many default `.gitignore` templates exclude `.env.local` but not `.env`, so `.env` often ends up tracked.
  • Using the Supabase `service_role` key in a client — it bypasses RLS and reads/writes everything.
  • Keeping the key in an API route but logging `process.env` on error, which leaks it into the logs.

How to verify the fix worked

  • Open DevTools → Sources → search for the key value — must return 0 matches.
  • `curl https://yoursite.com/ | grep "sk_live"` — returns nothing for Stripe secret keys. Run the same grep over each JS bundle the page loads as well, since an inlined key sits in those files rather than in the HTML.
  • Rotate the key after exposure — old keys are compromised forever even if "pulled".
  • Set up GitGuardian or git-secrets on the repo to catch future leaks pre-commit.

Frequently asked questions

What is the difference between anon and service-role Supabase keys?
The anon key is public by design and relies on Row Level Security for protection. The service role key bypasses RLS entirely — it must NEVER reach the client.

How do I tell if my key leaked?
Check your provider dashboard for unusual usage, scan the deployed bundle with `curl URL | grep "sk_"`, and search the public GitHub repo if it was pushed there.

Is the GitHub history a problem if I deleted the key?
Yes — the key is still in git history and rotation is the only real fix. Use `git filter-repo` to purge history, but always rotate first.
