Bolt security

Environment Variables Exposed in Bolt Client Bundle

Your Bolt.new application is bundling sensitive environment variables into the client-side JavaScript code. Anyone who opens browser DevTools can see your API keys, database connection strings, Stripe secret keys, or other credentials that should never leave the server.

This happens because Bolt's AI may prefix environment variables with VITE_ (Vite) or NEXT_PUBLIC_ (Next.js). Those prefixes are the bundler's signal to inline the variable's value into the frontend build, so it is shipped as a string constant to every visitor. That is correct for genuinely public configuration like your site URL, but any secret given one of those prefixes is exposed just as completely.

The exposure is often discovered when you receive a massive bill from a third-party API, notice unauthorized data in your database, or when a user reports finding credentials in your page source. By then, the damage may already be done.

Error Messages You Might See

  • Unauthorized: Invalid API key detected from client IP
  • 403 Forbidden - API key restricted to server-side use only
  • Billing alert: Unusual API usage spike detected
  • Warning: Secret key should not be used in client-side code

Common Causes

  • VITE_ prefix on secret keys — Bolt generated environment variables like VITE_STRIPE_SECRET_KEY or VITE_DATABASE_URL, causing Vite to bundle them into client JavaScript
  • Hardcoded secrets in source files — API keys placed directly in .ts or .tsx files rather than using environment variables at all
  • No backend proxy for API calls — The app calls third-party APIs (OpenAI, Stripe, Twilio) directly from the browser with embedded keys
  • All env vars loaded client-side — A shared config file imports every environment variable and is used in both server and client code
  • .env file committed to Git — The .env file containing all secrets was committed to the repository, so anyone who can read the repository (or a public fork or clone of it) can read every secret from its history, even after the file is later deleted

How to Fix It

  1. Audit your bundle for secrets — Open browser DevTools, go to Sources, and search your JavaScript bundles (and any .map source maps, which carry the original source) for 'key', 'secret', 'password', 'token', 'DATABASE', and for known credential prefixes such as sk_live_ or postgres://. Do the same over the dist/ output on disk before each deploy
  2. Remove VITE_ prefix from secrets — Rename VITE_STRIPE_SECRET_KEY to STRIPE_SECRET_KEY. Vite only exposes VITE_-prefixed variables through import.meta.env, so the unprefixed value is reachable only from server-side code via process.env. Any client code that still reads it will get undefined, which is the point: that code has to move to the server
  3. Create server-side API routes — Move all third-party API calls to backend routes or Supabase Edge Functions where secrets stay on the server
  4. Rotate all compromised credentials — Treat every secret that was ever in a deployed bundle or in Git as compromised, whether or not you see abuse yet: generate new keys in each provider's dashboard, deploy them, then revoke the old ones. Scrubbing the bundle or the repository does not undo what was already downloaded
  5. Separate public and private config — Create two config files: one for public values (VITE_ prefixed) and one for server-only values (no prefix)
  6. Add .env to .gitignore — Ensure your .env file is listed in .gitignore and remove it from Git history with git filter-repo (or git filter-branch or BFG Repo Cleaner), then force-push. Rewriting history does not recall clones, forks, or CI caches that already have the old commits, so this step complements rotation rather than replacing it

Real developers can help you.

Vlad Temian
15+ years shipping production infrastructure for startups. Former CTO at qed.builders (acquired by The Sandbox). Cursor ambassador and agentic tooling builder. I've scaled systems, automated deployments, and built observability tools for AI coding workflows. I specialize in taking vibe-coded apps from broken prototype to production-ready: fixing Supabase auth/RLS, Stripe integrations, deployment pipelines, and cleaning up AI-generated spaghetti. I build tools in this space (agentprobe, claudebin, micode) and understand both sides: how AI generates code and why it breaks. https://blog.vtemian.com/

MFox
Full-stack professional senior engineer (15+ years). Extensive experience in software development, QA, and IP networking.

Jacek Rozanski
Senior PHP/Symfony developer and DevOps engineer with 20+ years of professional experience, running opcode.pl (web development agency, est. 2004). Day job: I'm the sole backend developer at a marketing company where I own and maintain 11 PHP/Symfony microservices on AWS (ECS Fargate, RDS, S3, CloudFront), handle the full CI/CD pipeline (Bitbucket Pipelines, Docker), and manage monitoring with Sentry and CloudWatch. These services handle high request volumes in production every month.
What I bring to AI-built apps:
  • I audit and fix security issues (OWASP methodology), performance bottlenecks, and architectural problems in codebases generated by Cursor, Claude Code, Lovable, Bolt, and v0
  • I refactor AI-generated prototypes into production-grade applications with proper error handling, testing, and clean architecture (SOLID, DDD, hexagonal architecture)
  • I set up the infrastructure AI tools don't touch: AWS hosting, CI/CD pipelines, automated deployments, database optimization, monitoring, and alerting
  • I integrate external services: payment providers, email systems, partner APIs, SSO/auth
Tech stack: PHP 8.x, Symfony, React, Next.js, PostgreSQL, MySQL, Docker, AWS (ECS, RDS, S3, SQS/SNS, CloudFront), Terraform, Supabase. I also use AI tools daily (Claude Code, Cursor) in my own workflow, so I understand both the strengths and the gaps in AI-generated code. Based in Poland (CET timezone). Available for async work and calls during EU/US business hours.

Caio Rodrigues
I'm a full-stack developer focused on building practical and scalable web applications. My main experience is with **React, TypeScript, and modern frontend architectures**, where I prioritize clean code, component reusability, and maintainable project structures. I have strong experience working with **dynamic forms, state management (Redux / React Hook Form), and complex data-driven interfaces**. I enjoy solving real-world problems by turning ideas into reliable software that companies can actually use in their daily operations. Beyond coding, I care about **software quality and architecture**, following best practices for componentization, code organization, and performance optimization. I'm also comfortable working across the stack when needed, integrating APIs, handling business logic, and helping transform prototypes into production-ready systems.
My goal is always to deliver solutions that are **simple, efficient, and genuinely useful for the people using them.**

Milan Surelia
Milan Surelia is a Mobile App Developer with 5+ years of experience crafting scalable, cross-platform apps at 7Span and Meticha. At 7Span, he engineers feature-rich Flutter apps with smooth performance and modern UI. As the Co-Founder of Meticha, he builds open-source tools and developer-focused products that solve real-world problems.
Expertise:
  • 💡 Developing cross-platform apps using Flutter, Dart, and Jetpack Compose for Android, iOS, and Web.
  • 🖋️ Sharing insights through technical writing, blogging, and open-source contributions.
  • 🤝 Collaborating closely with designers, PMs, and developers to build seamless mobile experiences.
Notable Achievements:
  • 🎯 Revamped the Vepaar app into Vepaar Store & CRM with a 2x performance boost and smoother UX.
  • 🚀 Launched Compose101 — a Jetpack Compose starter kit to speed up Android development.
  • 🌟 Open source contributions on Github & StackOverflow for Flutter & Dart
  • 🎖️ Worked on improving app performance and user experience with smart solutions.
Milan is always happy to connect, work on new ideas, and explore the latest in technology.

David Olverson
Solo dev shipping production apps with AI-assisted development. I specialize in rescuing broken Lovable/Bolt/Cursor builds and taking them to production. 10+ apps shipped including SaaS CRMs, gaming platforms, real estate tools, and Discord bots. Stack: Next.js 16, TypeScript, Tailwind CSS, FastAPI, PostgreSQL, Prisma. I use Claude Code with 50+ custom skills for rapid delivery. Average turnaround: 2-4 weeks from broken prototype to production.

AUXLE
I am a Full Stack Developer experienced in building Websites, Web apps and Cross Platform Mobile Apps for Startups and Companies.

Kingsley Omage
Fullstack software engineer passionate about AI Agents, blockchain, LLMs.

Matthew Butler
Systems Development Engineer @ Amazon Web Services

Stanislav Prigodich
15+ years building iOS and web apps at startups and enterprise companies. I want to use that experience to help builders ship real products - when something breaks, I'm here to fix it.

You don't need to be technical. Just describe what's wrong and a verified developer will handle the rest.

Get Help

Frequently Asked Questions

Which environment variables are safe to expose in the browser?

Only values that are truly public: your Supabase anon key (with proper RLS), site URL, Google Analytics ID, and public feature flags. Never expose database URLs, secret API keys, or payment processor secret keys.

How do I check if my keys have already been exploited?

Check the usage dashboard for each exposed service. Look for API calls you didn't make, unexpected charges, or unfamiliar data in your database. Also check if your .env file appears in any public Git commits.
