
How to check a Bolt, Replit, v0 or Cursor app before launch

Whatever AI builder you used, the pre-launch risks are the same: leaked secrets, open database rules, downloadable source. Here is how to check any of them.

Bolt.new, Replit, v0, Cursor, Lovable — different tools, same handful of launch risks, because they generate similar frontend + backend patterns. Here’s what to check regardless of which one you used.

The risks don’t change with the tool

How to check, by builder

All of them deploy to a public URL (*.bolt.host, *.replit.app, a Vercel domain for v0, your own host for Cursor). Paste that URL into a passive scanner — it reads the same things an attacker would and flags the issues, no matter which tool wrote the code. Then take the findings back to that builder’s chat as a fix prompt.
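A sketch of what a passive check looks at, written as an added example (not the scanner's own code): it takes response headers and a JavaScript bundle that have already been fetched from your deployed URL and flags missing headers, a source map reference, and a Supabase `service_role` key in frontend code. The header baseline, function names and sample data are assumptions constructed for illustration.

```python
import base64
import json
import re

# Assumed header baseline; the page only says "missing headers".
REQUIRED_HEADERS = ("content-security-policy", "strict-transport-security",
                    "x-content-type-options", "x-frame-options")
JWT_RE = re.compile(r"eyJ[\w-]+\.(eyJ[\w-]+)\.[\w-]+")
SOURCEMAP_RE = re.compile(r"//# sourceMappingURL=(\S+\.map)")

def jwt_role(payload_b64):
    """Decode a JWT payload segment (no signature check) and return its 'role' claim."""
    padded = payload_b64 + "=" * (-len(payload_b64) % 4)
    try:
        return json.loads(base64.urlsafe_b64decode(padded)).get("role")
    except (ValueError, AttributeError):
        return None

def passive_findings(headers, bundle_js):
    """Return findings for one response's headers and one JS bundle body."""
    present = {name.lower() for name in headers}
    findings = [f"missing-header:{h}" for h in REQUIRED_HEADERS if h not in present]
    for match in SOURCEMAP_RE.finditer(bundle_js):
        # A reference is a lead: confirm the .map file itself is publicly served.
        findings.append(f"source-map-reference:{match.group(1)}")
    for match in JWT_RE.finditer(bundle_js):
        # Supabase's anon key is meant for the browser; service_role bypasses RLS.
        if jwt_role(match.group(1)) == "service_role":
            findings.append("secret:supabase-service-role-key-in-bundle")
    return findings

def make_sample_jwt(role):
    """Constructed, unsigned sample token for the demo; not a real key."""
    parts = ({"alg": "HS256", "typ": "JWT"}, {"role": role, "iss": "supabase"})
    enc = [base64.urlsafe_b64encode(json.dumps(p).encode()).decode().rstrip("=") for p in parts]
    return ".".join(enc + ["c2lnbmF0dXJl"])

# Constructed sample input standing in for a fetched page and bundle.
SAMPLE_HEADERS = {"Content-Type": "text/html", "X-Content-Type-Options": "nosniff"}
SAMPLE_BUNDLE = (
    f'const anon="{make_sample_jwt("anon")}";\n'
    f'const admin="{make_sample_jwt("service_role")}";\n'
    "//# sourceMappingURL=index-abc123.js.map\n"
)

if __name__ == "__main__":
    for finding in passive_findings(SAMPLE_HEADERS, SAMPLE_BUNDLE):
        print(finding)
```

The anon key in the sample bundle produces no finding; only the token whose payload claims `service_role` does.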

The one manual step

The database-rules check (Supabase RLS / Firebase rules) needs you to prove you own the app first, because actively testing someone else’s database without permission isn’t okay. After that it runs read-only.


FAQ

Do different AI builders have different security risks?
The risks are largely the same — leaked secrets, open database rules, downloadable source, missing headers — because the tools generate similar frontend and backend patterns. A passive scan of the deployed URL works for any of them.

Can I scan a Bolt or Replit preview URL?
Yes. Paste the public deployed URL. The passive checks work on any host; the database-rules check needs you to verify ownership first.
