stackblitz / bolt.new

Prompt, run, edit, and deploy full-stack web applications
https://bolt.new
MIT License
7.17k stars 2.42k forks

The projects are not private by default #112

Open achieveramin opened 1 month ago

achieveramin commented 1 month ago

Describe the bug

The created project is accessible by entering the URL only; it's not protected, which by default it should be.

Link to the Bolt URL that caused the error

https://bolt.new/~/sb1-4cgrq8

Steps to reproduce

  1. Create a project with some files inside
  2. Copy the URL
  3. Open your browser in incognito mode
  4. Enter the URL and hit "Enter".
  5. You can access the project.

Expected behavior

It prevents access to the project until the user authenticates and has access to the project.

Screen Recording / Screenshot

No response

Platform

Additional context

No response

kirjavascript commented 1 month ago

Hi! 👋 Thanks for the comments!

I agree, it would be great to have this feature! We're tracking this internally. We'll keep you posted ✨

achieveramin commented 1 month ago

This is a security feature, with a huge priority! Someone can brute force and gain access to lots of projects owned by others.

sneljeroen commented 1 week ago

I also noticed that private projects are indexed by Google, since they are accessible without authentication.

With a simple "site:bolt.new" search within Google now private projects are accessible to the Public. This seems like a huge security issue, please prioritize this issue.
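The two points raised in this thread, projects being reachable by URL without authentication and the resulting search-engine indexing, are both handled by a single server-side gate on the project route. The following is an added example, not bolt.new's own code: the project store, user names and project ids are constructed for the demo, and the route shape `/~/<projectId>` is only borrowed from the URL in the report. Visibility is private unless a project is explicitly marked public, an unauthenticated caller gets 401, and an authenticated caller who is neither owner nor collaborator gets the same 404 as for a nonexistent id so the id space cannot be probed to confirm which projects exist. Every response except a public project carries `X-Robots-Tag: noindex` so that nothing served by mistake ends up in a `site:` search.

```javascript
// Added example (not bolt.new's code): a private-by-default authorization gate
// for GET /~/<projectId>, with a noindex header on everything non-public.
// The project store below is constructed for the demonstration.

const projects = new Map([
  // No "visibility" key: treated as private.
  ["sb1-demo-private", { owner: "alice", collaborators: ["bob"] }],
  ["sb1-demo-public", { owner: "alice", collaborators: [], visibility: "public" }],
]);

const NOINDEX = { "X-Robots-Tag": "noindex, nofollow" };

// True only for the owner or an explicitly listed collaborator.
function canAccessProject(project, user) {
  if (!user) return false;
  return project.owner === user || project.collaborators.includes(user);
}

// Decide the response for a project URL. `session` is { user: "<name>" } or null.
// Returns { status, headers, body } so the decision can be asserted on directly.
function authorizeProjectRequest(projectId, session) {
  const project = projects.get(projectId);
  const isPublic = project !== undefined && project.visibility === "public";

  if (isPublic) {
    // Public projects are the only responses without a noindex header.
    return { status: 200, headers: {}, body: `project ${projectId}` };
  }

  // Unknown ids and private projects are indistinguishable from here on:
  // first require a login, then require membership, otherwise answer 404.
  if (!session || !session.user) {
    return { status: 401, headers: NOINDEX, body: "authentication required" };
  }
  if (!project || !canAccessProject(project, session.user)) {
    return { status: 404, headers: NOINDEX, body: "not found" };
  }
  return { status: 200, headers: NOINDEX, body: `project ${projectId}` };
}

// Stand-alone demo: walk through the reproduction steps from the report
// (anonymous incognito visit) plus an owner, a collaborator and a stranger.
const cases = [
  ["sb1-demo-private", null],
  ["sb1-demo-private", { user: "alice" }],
  ["sb1-demo-private", { user: "bob" }],
  ["sb1-demo-private", { user: "mallory" }],
  ["sb1-does-not-exist", { user: "mallory" }],
  ["sb1-demo-public", null],
];
for (const [id, session] of cases) {
  const r = authorizeProjectRequest(id, session);
  const who = session ? session.user : "anonymous";
  console.log(`${who.padEnd(9)} ${id.padEnd(18)} -> ${r.status} ${JSON.stringify(r.headers)}`);
}
```

The 404-for-forbidden choice is a design decision of this example, not something the thread prescribes; it matters because the second comment in the thread is about enumeration, and a distinct 403 would tell a caller that a guessed id is real. The noindex header is a belt-and-braces measure: once the gate is in place, search engines cannot fetch private content anyway, but the header keeps any response that does leak from being indexed.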