
How to Scan Bolt.host Apps for Misconfigurations

Bolt.new apps often deploy with exposed API keys and open CORS. Audit apps hosted on bolt.host using Scavio SERP dorks.


Bolt.new ships AI-generated apps to bolt.host subdomains in seconds, but the default templates often ship exposed API keys in client bundles and permissive CORS. This tutorial shows an ethical scan workflow that finds misconfigs in your own Bolt apps using Scavio SERP discovery.

Prerequisites

  • Python 3.10+
  • A Scavio API key
  • Written permission for any target domain
  • requests library

Walkthrough

Step 1: Enumerate Bolt-hosted apps

Search-engine dorks surface only the apps a search engine has already indexed, so this yields a sample of bolt.host apps rather than all of them. The third dork narrows the sample to apps that mention a Supabase or Firebase backend, which is where client-side keys tend to live.

Python
# Broad sweep, then two narrower dorks: one for pages that mention an API key,
# one for apps wired to a Supabase or Firebase backend.
DORKS = [
    'site:bolt.host',
    'site:bolt.host api_key',
    'site:bolt.host "supabase" OR "firebase"',
]

Step 2: Collect candidate URLs

Run each dork through Scavio.

Python
import os
import requests

API_KEY = os.environ['SCAVIO_API_KEY']
SEARCH_URL = 'https://api.scavio.dev/api/v1/search'

def enumerate_apps(dorks=DORKS):
    """Run each dork through Scavio and collect the distinct result URLs.
    (Named enumerate_apps rather than enumerate so the builtin is not shadowed.)"""
    urls = set()
    for d in dorks:
        r = requests.post(SEARCH_URL,
            headers={'x-api-key': API_KEY},
            json={'query': d, 'num_results': 50}, timeout=30)
        r.raise_for_status()  # surface auth or quota errors instead of silently returning nothing
        for h in r.json().get('organic_results', []):
            urls.add(h['link'])
    return urls

Step 3: Fetch client JS bundles

Look for leaked secrets in the bundled JS. Build tools such as Vite inline the environment variables the client code references (VITE_* in Vite), so a server-side key that was pasted into a client-side config ends up verbatim in the bundle. Not every hit is a leak: Firebase API keys (AIza...) and Supabase anon keys (JWTs) are meant to be public, whereas a Stripe sk_live_ key or a Supabase service_role JWT never belongs in a browser, so triage each hit by what it is before reporting it.

Python
import re
from urllib.parse import urljoin

# Stripe live secret, Google/Firebase API key, and JWT (Supabase keys are JWTs).
# AIza keys and Supabase anon JWTs are public by design; a service_role JWT is not.
SECRET_PATTERNS = [r'sk_live_[A-Za-z0-9]{20,}', r'AIza[A-Za-z0-9_-]{30,}', r'eyJ[A-Za-z0-9_-]{20,}']

def scan_bundle(url):
    """Fetch the page, resolve its script tags and grep each bundle for key patterns."""
    html = requests.get(url, timeout=10).text
    js_urls = re.findall(r'src="([^"]+\.js)"', html)
    hits = []
    for j in js_urls:
        # urljoin handles absolute, root-relative (/assets/x.js), relative and //cdn
        # sources; plain concatenation only worked for absolute src values
        full = urljoin(url, j)
        body = requests.get(full, timeout=10).text
        for p in SECRET_PATTERNS:
            hits += re.findall(p, body)
    return hits

Step 4: Test CORS policy

Check whether the app answers a cross-origin request from an arbitrary origin. Access-Control-Allow-Origin: * on a static bundle is mostly harmless, because browsers refuse to send credentials to a wildcard origin; the serious case is the probe origin being reflected back together with Access-Control-Allow-Credentials: true. A plain GET carrying an Origin header is enough to see the response headers; an OPTIONS request only counts as a preflight if it also carries Access-Control-Request-Method.

Python
def cors_check(url, origin='https://evil.example'):
    r = requests.get(url, headers={'Origin': origin}, timeout=10)  # GET+Origin is a simple request; a bare OPTIONS is not a preflight
    acao = r.headers.get('Access-Control-Allow-Origin')
    creds = r.headers.get('Access-Control-Allow-Credentials', '').lower() == 'true'
    # '*' cannot carry credentials; a reflected origin with credentials is the real exposure
    return 'reflected+credentials' if acao == origin and creds else 'reflected' if acao == origin else 'wildcard' if acao == '*' else None

Step 5: Report

Write a per-app finding with a severity so the output can be triaged: a leaked key is the higher-priority finding, CORS posture the lower one.

Python
def report(url, secrets, cors):
    """One line per app with a finding; a leaked key outranks CORS posture."""
    if secrets or cors:
        severity = 'high' if secrets else 'low'
        print(f'[{url}] severity={severity} secrets={len(secrets)} cors={cors}')
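The following is an added example, not code from Scavio or from Bolt, that carries Steps 3 to 5 through with the triage a practitioner needs before filing a finding. It resolves script URLs with urljoin, grades each regex hit by key family (decoding the role claim of a JWT to tell a public Supabase anon key from a service_role key that bypasses RLS), and rates the CORS headers of a response to a request that carried an Origin header. Network access is a fetch(url) callable, so the same logic runs here against a constructed fixture (my-app.bolt.host, the probe origin https://attacker.example, the unsigned JWT and the x-filled AIza string are all made up) and against requests in a live scan. The severity rules are this example's assumptions, not anything the page specifies.

```python
import base64
import json
import re
from urllib.parse import urljoin

# One compiled pattern per key family so a hit can be graded by what it is.
PATTERNS = {
    'stripe_secret': re.compile(r'sk_live_[A-Za-z0-9]{20,}'),
    'google_api_key': re.compile(r'AIza[A-Za-z0-9_-]{30,}'),
    'jwt': re.compile(r'eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+'),
}
SCRIPT_SRC = re.compile(r'<script[^>]+src=["\']([^"\']+)["\']', re.I)
SEVERITY_RANK = {'none': 0, 'info': 1, 'low': 2, 'medium': 3, 'high': 4, 'critical': 5}


def jwt_claims(token):
    """Decode a JWT payload without verifying it; only the role claim matters here."""
    try:
        payload = token.split('.')[1]
        payload += '=' * (-len(payload) % 4)
        return json.loads(base64.urlsafe_b64decode(payload))
    except (ValueError, IndexError):
        return {}


def classify_secret(kind, value):
    """Assumed triage rules: sk_live_ is server-only (critical); a Supabase JWT with
    role=service_role bypasses RLS (critical) while role=anon is the intended public
    key (info); AIza keys are public by design, so only their API restrictions need
    checking (low). Any other JWT gets a human look (medium)."""
    if kind == 'stripe_secret':
        return 'critical'
    if kind == 'jwt':
        return {'service_role': 'critical', 'anon': 'info'}.get(jwt_claims(value).get('role'), 'medium')
    return 'low'


def script_urls(page_url, html):
    """Resolve <script src> values against the page URL (root-relative, relative and //cdn all work)."""
    return [urljoin(page_url, s) for s in SCRIPT_SRC.findall(html)]


def cors_finding(headers, probe_origin='https://attacker.example'):
    """Rate the CORS headers of a response to a request that sent Origin: probe_origin.
    Browsers will not send credentials to '*', so a wildcard is low; the probe origin
    echoed back with Allow-Credentials: true is high."""
    h = {k.lower(): v for k, v in headers.items()}
    acao = h.get('access-control-allow-origin')
    creds = h.get('access-control-allow-credentials', '').lower() == 'true'
    if acao == probe_origin:
        return {'kind': 'cors', 'severity': 'high' if creds else 'medium',
                'detail': 'origin reflected' + (' with credentials' if creds else '')}
    if acao == '*':
        return {'kind': 'cors', 'severity': 'low', 'detail': 'wildcard origin'}
    return {'kind': 'cors', 'severity': 'none', 'detail': 'no cross-origin allowance'}


def scan_app(page_url, fetch):
    """fetch(url) -> (status, headers, body). Returns the findings for one app."""
    status, headers, html = fetch(page_url)
    if status != 200:
        return [{'kind': 'fetch', 'severity': 'none', 'detail': f'HTTP {status}'}]
    bodies = [(page_url, html)]  # inline <script> in the HTML is scanned too
    for js in script_urls(page_url, html):
        st, _, body = fetch(js)
        if st == 200:
            bodies.append((js, body))
    findings, seen = [], set()
    for src, body in bodies:
        for kind, pat in PATTERNS.items():
            for value in pat.findall(body):
                if value not in seen:  # the same key is often duplicated across chunks
                    seen.add(value)
                    findings.append({'kind': kind, 'severity': classify_secret(kind, value),
                                     'source': src, 'value': value[:10] + '...'})
    findings.append(cors_finding(headers))
    return findings


def worst_severity(findings):
    return max(findings, key=lambda f: SEVERITY_RANK[f['severity']])['severity']


def fake_jwt(role):
    """Constructed, unsigned Supabase-style token for the fixture (not a real key)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b'=').decode()
    return enc({'alg': 'HS256', 'typ': 'JWT'}) + '.' + enc({'iss': 'supabase', 'role': role}) + '.sig'


# Constructed fixture standing in for one bolt.host app: a first-party bundle plus a CDN script.
FIXTURE_URL = 'https://my-app.bolt.host/'
FIXTURE_HTML = '<script src="/assets/index-abc123.js"></script><script src="//cdn.example/lib.js"></script>'
FIXTURE_BODIES = {
    FIXTURE_URL: FIXTURE_HTML,
    'https://my-app.bolt.host/assets/index-abc123.js':
        'const SUPABASE_KEY="' + fake_jwt('service_role') + '";const MAPS="AIza' + 'x' * 35 + '";',
    'https://cdn.example/lib.js': '/* third-party library, nothing of interest */',
}
FIXTURE_HEADERS = {'Access-Control-Allow-Origin': 'https://attacker.example', 'Access-Control-Allow-Credentials': 'true'}


def fake_fetch(url):
    """Offline stand-in for requests.get(url, headers={'Origin': ...}, timeout=10)."""
    if url not in FIXTURE_BODIES:
        return 404, {}, ''
    return 200, FIXTURE_HEADERS if url == FIXTURE_URL else {}, FIXTURE_BODIES[url]


if __name__ == '__main__':
    print(*scan_app(FIXTURE_URL, fake_fetch), sep='\n')
```

For a live scan, pass a fetch that calls requests.get(url, headers={'Origin': 'https://attacker.example'}, timeout=10) and returns (r.status_code, r.headers, r.text); the Origin header is what makes the CORS rating meaningful. Third-party scripts are fetched and scanned as well, so the source field tells you whether a hit sits in your own bundle or in a CDN library.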

Python Example

Python
import os
import re
import requests

API_KEY = os.environ['SCAVIO_API_KEY']
# Stripe live secret and Google/Firebase API key. The latter is public by design,
# so treat an AIza hit as a prompt to check the key's API restrictions, not as a leak.
PATTERNS = [r'sk_live_[A-Za-z0-9]{20,}', r'AIza[A-Za-z0-9_-]{30,}']

def scan():
    """Search for your own app (replace my-app), then grep each indexed page's HTML.
    This checks the page HTML only; scan_bundle above covers the script bundles."""
    r = requests.post('https://api.scavio.dev/api/v1/search',
        headers={'x-api-key': API_KEY},
        json={'query': 'site:bolt.host my-app', 'num_results': 20}, timeout=30)
    r.raise_for_status()
    for h in r.json().get('organic_results', []):
        html = requests.get(h['link'], timeout=10).text
        secrets = []
        for p in PATTERNS:
            secrets += re.findall(p, html)
        if secrets:
            print(f'[{h["link"]}] leaked secrets: {len(secrets)}')

scan()

JavaScript Example

JavaScript
const API_KEY = process.env.SCAVIO_API_KEY;
// Same key families as the Python example; AIza keys are public by design, so triage hits.
const PATTERNS = [/sk_live_[A-Za-z0-9]{20,}/g, /AIza[A-Za-z0-9_-]{30,}/g];

export async function scan() {
  const r = await fetch('https://api.scavio.dev/api/v1/search', {
    method: 'POST',
    headers: { 'x-api-key': API_KEY, 'Content-Type': 'application/json' },
    body: JSON.stringify({ query: 'site:bolt.host my-app', num_results: 20 })
  });
  if (!r.ok) throw new Error(`Scavio search failed: HTTP ${r.status}`);
  const data = await r.json();
  for (const h of data.organic_results || []) {
    const page = await fetch(h.link);
    if (!page.ok) continue;
    const html = await page.text();
    // match() with the g flag returns every hit, or null when there are none
    const secrets = PATTERNS.flatMap(p => html.match(p) || []);
    if (secrets.length) console.log(`[${h.link}] ${secrets.length} secrets`);
  }
}

Expected Output

A per-URL list of key hits and CORS posture, one line per app, as printed by report(). Scavio's stated typical finding rate is 5-15% of Bolt apps with at least one exposed key; expect a share of those hits to be keys that are public by design (Firebase API keys, Supabase anon keys), which need triage rather than a report.

Related Tutorials

  • How to Audit Supabase RLS Misconfigs at Scale via SERP
  • How to Audit Your Site for LLM Readability
  • How to Build an SEO Audit Tool with SERP and Competitor Analysis

Frequently Asked Questions

How long does this tutorial take?
Most developers complete it in 15 to 30 minutes. You will need a Scavio API key (free tier works) and a working Python or JavaScript environment.

What do I need before starting?
Python 3.10+, the requests library, a Scavio API key (50 free credits on signup) and written permission for any target domain.

Does the free tier cover this tutorial?
Yes. The free tier includes 50 credits on signup, which is more than enough to complete this tutorial and prototype a working solution.

Does Scavio integrate with my framework?
Scavio has a native LangChain package (langchain-scavio), an MCP server, and a plain REST API that works with any HTTP client. This tutorial uses the raw REST API, but you can adapt it to your framework of choice.
