For Bolt.new users

Your Bolt.new project is hackathon-grade. Make it user-grade for $1.

Bolt is incredible at iterating fast. ‘Iterating fast’ usually means meta tags, headers, alt text and bundle size never got a turn. We catch the lot.

Bolt projects ship clever — and incomplete

We've scanned Bolt-generated landing pages, internal tools, and full-stack apps. The pattern is consistent: the core feature works beautifully, and everything around it (SEO, social previews, accessibility, error pages) was never prompted in.

Real findings — anonymised

The 10 issues we keep finding on Bolt.new projects

Each one is real, severity-ranked, and ships with a one-line fix suggestion in the report.

CRITICALSecurity

API keys hardcoded in src/

Bolt's ‘write me a quick OpenAI integration’ prompts often produce client-side fetch calls with the API key inline. Anyone can scrape it.

HIGHHeaders

Default StackBlitz/Netlify headers

No CSP, no HSTS, no X-Frame-Options. Your app can be iframed on phishing sites that mimic your branding.

HIGHSEO

Single-page app with no pre-render

Bolt's React templates render client-side. Google's crawler sees an empty <div id=root>. You'll never rank for content that lives below that div.

HIGHSEO

Generic <title> across every route

We routinely see the same <title> on every page of a Bolt project — the framework default, never updated per route. Kills both UX and SEO.

HIGHDesign

Default Vite favicon

The Vite lightning bolt is shipped to production on roughly half the Bolt projects we've audited. Tells users ‘this is a demo’.

MEDIUMPerformance

Bundle includes every shadcn primitive

Bolt imports the whole shadcn set even when you use four components. We've measured 600+ KB of unused JS on small landing pages.

MEDIUMAccessibility

Buttons rendered as <div>

AI-generated React often uses <div onClick> instead of <button>. Keyboard users can't tab to them; screen readers don't announce them.

MEDIUMContent

Lorem ipsum left in production

About 1 in 6 Bolt projects we've scanned still had placeholder copy in the footer or a sidebar. We flag it explicitly.

MEDIUMSEO

No sitemap.xml — deep pages invisible to Google

Bolt doesn't auto-generate a sitemap. Your /pricing and /docs pages won't appear in search results unless another site links to them.

MEDIUMSecurity

No SPF or DMARC for custom domain

Anyone can send phishing emails that look like they come from your domain. Two DNS records fix this in five minutes.

Free checklist

Bolt.new pre-launch checklist

Check these before you share your link. The full PageLens audit catches everything else.

Move all API keys to environment variables (never in client-side code)
Replace default Vite favicon with your brand icon
Add unique <title> and <meta description> per route
Set og:image for social sharing previews
Add Content-Security-Policy and X-Frame-Options headers
Replace <div onClick> with <button> for all interactive elements
Add pre-rendering or SSR for SEO-critical content
Search for and remove any lorem ipsum or placeholder copy
Tree-shake unused shadcn components from the bundle
Add a custom error/404 page
Add a sitemap.xml for all public routes
Set up SPF and DMARC DNS records for your domain
Add a cookie consent banner if using analytics

This covers the basics. A full PageLens scan checks hundreds of rules across 10 categories — including the ones that are hard to spot manually.

Paste into your AI builder

Get fixes you can paste straight into Bolt.new

After your scan, download the Markdown report and use this prompt with your AI builder to fix everything automatically.

I scanned my Bolt.new project with PageLens AI. Fix each issue below, starting with CRITICAL severity. Remove any hardcoded API keys and move them to environment variables:

[paste findings here]

From URL to fix-list in five minutes

Drop your URL

Paste the live URL of your Bolt.new project. Pick how many pages to scan.

We crawl + analyse

Real headless Chrome visits every page, captures screenshots, reads the rendered HTML and headers, then a vision-capable AI writes the findings.

Read the report

Severity-ranked findings, screenshots, fix suggestions, security headers grade, PDF export, share link.

Pick your size

Pay per scan from $1 — or subscribe for $5/mo weekly monitoring.

Questions Bolt.new users ask us

Does this work on my StackBlitz preview URL?

Yes — we'll crawl any *.stackblitz.io or *.bolt.new URL. For best results scan your actual production deploy (Netlify, Vercel, etc.) since headers and bundling differ.

I built a hackathon demo. Is $1 overkill?

$1 is what a coffee costs and the report is the difference between a demo that wins and a demo people remember as ‘the one with the broken share preview’. Up to you.

Built with something else?

Audit a Lovable site Audit a v0 site Audit a Replit site Audit a Cursor site All vibe-coding platforms →

Five minutes from URL to a list of every issue holding your project back.

Free instant check — no signup. Full Launch Pack from $29. Refund if we find nothing actionable.

For Bolt.new users

Your Bolt.new project is hackathon-grade. Make it user-grade for $1.

Bolt is incredible at iterating fast. ‘Iterating fast’ usually means meta tags, headers, alt text and bundle size never got a turn. We catch the lot.

Bolt projects ship clever — and incomplete

Real findings — anonymised

The 10 issues we keep finding on Bolt.new projects

Each one is real, severity-ranked, and ships with a one-line fix suggestion in the report.

CRITICALSecurity

API keys hardcoded in src/

Bolt's ‘write me a quick OpenAI integration’ prompts often produce client-side fetch calls with the API key inline. Anyone can scrape it.

HIGHHeaders

Default StackBlitz/Netlify headers

No CSP, no HSTS, no X-Frame-Options. Your app can be iframed on phishing sites that mimic your branding.

HIGHSEO

Single-page app with no pre-render

Bolt's React templates render client-side. Google's crawler sees an empty <div id=root>. You'll never rank for content that lives below that div.

HIGHSEO

Generic <title> across every route

We routinely see the same <title> on every page of a Bolt project — the framework default, never updated per route. Kills both UX and SEO.

HIGHDesign

Default Vite favicon

The Vite lightning bolt is shipped to production on roughly half the Bolt projects we've audited. Tells users ‘this is a demo’.

MEDIUMPerformance

Bundle includes every shadcn primitive

Bolt imports the whole shadcn set even when you use four components. We've measured 600+ KB of unused JS on small landing pages.

MEDIUMAccessibility

Buttons rendered as <div>

AI-generated React often uses <div onClick> instead of <button>. Keyboard users can't tab to them; screen readers don't announce them.

MEDIUMContent

Lorem ipsum left in production

About 1 in 6 Bolt projects we've scanned still had placeholder copy in the footer or a sidebar. We flag it explicitly.

MEDIUMSEO

No sitemap.xml — deep pages invisible to Google

Bolt doesn't auto-generate a sitemap. Your /pricing and /docs pages won't appear in search results unless another site links to them.

MEDIUMSecurity

No SPF or DMARC for custom domain

Anyone can send phishing emails that look like they come from your domain. Two DNS records fix this in five minutes.

Free checklist

Bolt.new pre-launch checklist

Check these before you share your link. The full PageLens audit catches everything else.

Move all API keys to environment variables (never in client-side code)
Replace default Vite favicon with your brand icon
Add unique <title> and <meta description> per route
Set og:image for social sharing previews
Add Content-Security-Policy and X-Frame-Options headers
Replace <div onClick> with <button> for all interactive elements
Add pre-rendering or SSR for SEO-critical content
Search for and remove any lorem ipsum or placeholder copy
Tree-shake unused shadcn components from the bundle
Add a custom error/404 page
Add a sitemap.xml for all public routes
Set up SPF and DMARC DNS records for your domain
Add a cookie consent banner if using analytics

This covers the basics. A full PageLens scan checks hundreds of rules across 10 categories — including the ones that are hard to spot manually.

Paste into your AI builder

Get fixes you can paste straight into Bolt.new

After your scan, download the Markdown report and use this prompt with your AI builder to fix everything automatically.

I scanned my Bolt.new project with PageLens AI. Fix each issue below, starting with CRITICAL severity. Remove any hardcoded API keys and move them to environment variables:

[paste findings here]

From URL to fix-list in five minutes

Drop your URL

Paste the live URL of your Bolt.new project. Pick how many pages to scan.

We crawl + analyse

Real headless Chrome visits every page, captures screenshots, reads the rendered HTML and headers, then a vision-capable AI writes the findings.

Read the report

Severity-ranked findings, screenshots, fix suggestions, security headers grade, PDF export, share link.

Pick your size

Pay per scan from $1 — or subscribe for $5/mo weekly monitoring.

Questions Bolt.new users ask us

Does this work on my StackBlitz preview URL?

Yes — we'll crawl any *.stackblitz.io or *.bolt.new URL. For best results scan your actual production deploy (Netlify, Vercel, etc.) since headers and bundling differ.

I built a hackathon demo. Is $1 overkill?

$1 is what a coffee costs and the report is the difference between a demo that wins and a demo people remember as ‘the one with the broken share preview’. Up to you.

Built with something else?

Audit a Lovable site Audit a v0 site Audit a Replit site Audit a Cursor site All vibe-coding platforms →

Five minutes from URL to a list of every issue holding your project back.

Free instant check — no signup. Full Launch Pack from $29. Refund if we find nothing actionable.