McAfee does not have a public REST API for independent developers. The 'McAfee function' search query likely refers to security scanning or threat detection features. The practical alternatives for building security features in Bolt.new are: VirusTotal's free API for file and URL scanning, Snyk's API for dependency vulnerability scanning, or Google Safe Browsing API for URL safety checks — all of which have open, well-documented APIs.
Building Security Features in Bolt.new: Developer-Friendly Alternatives to McAfee
McAfee is a consumer and enterprise security product company — not a developer platform. McAfee's enterprise product line has rebranded to Trellix, and neither McAfee nor Trellix provides a publicly accessible REST API for independent developers to integrate security scanning features into their web applications. There is no developer console, no API key registration, and no publicly documented API endpoints available outside of enterprise partnership agreements.
The 'McAfee function' search query most commonly comes from developers looking to add threat detection, URL safety checking, or file scanning to their apps. These are genuine use cases that several developer-focused security APIs address well. VirusTotal (owned by Google) provides a free API that scans URLs, domains, IP addresses, and file hashes against 70+ antivirus engines and security vendors — including McAfee's engine — and returns aggregated results. Google Safe Browsing is a free API specifically for real-time URL safety checks, widely used in browsers and apps to warn about phishing and malware sites. Snyk provides a vulnerability database API focused on known CVEs in open-source packages across npm, Python, Java, and other ecosystems.
For Bolt.new integrations, all three of these APIs use standard HTTP requests with API key authentication. They work as outbound calls from Next.js API routes in Bolt's WebContainer without any deployment required. Building a security scanner dashboard in Bolt is a practical, well-supported use case with these APIs.
Integration method
McAfee does not provide a public REST API for external developers. For security scanning features in Bolt.new apps, the recommended approach is to use VirusTotal's open API for malware and URL scanning, Snyk's API for dependency vulnerability detection, or Google Safe Browsing API for real-time URL safety checks. These APIs are purpose-built for developer integration and work seamlessly via Next.js API routes.
Prerequisites
- A VirusTotal account (free) and API key from virustotal.com/gui/my-apikey
- A Google Cloud project with Safe Browsing API enabled and an API key from console.cloud.google.com
- For Snyk: a Snyk account (free tier available) and API token from app.snyk.io/account
- A Next.js project in Bolt.new (prompt 'Create a Next.js app' to get started)
Step-by-step guide
Understand McAfee's API limitations and configure security API keys
Understand McAfee's API limitations and configure security API keys
McAfee and its enterprise successor Trellix are end-product security vendors, not API platforms for developers. McAfee does not publish API documentation for public use, and there is no registration path to obtain API credentials. Some enterprise security platforms (like Trellix's XDR) have internal APIs for their enterprise customers, but these are not accessible to independent web developers and require purchase of enterprise software licenses. For building security features in Bolt.new apps, three developer-friendly APIs cover the most common use cases. VirusTotal's free API tier allows 500 requests per day and 4 requests per minute — sufficient for most development and moderate production use. The API scans URLs, domains, IP addresses, and file hashes against 70+ security vendors' engines and databases. Get your API key from virustotal.com/gui/my-apikey after creating a free account. Google Safe Browsing is free for up to 10,000 requests per day per API key and requires a Google Cloud project. Enable it at console.cloud.google.com → APIs & Services → Library → search 'Safe Browsing API'. This API returns threat types (MALWARE, SOCIAL_ENGINEERING, UNWANTED_SOFTWARE, POTENTIALLY_HARMFUL_APPLICATION) for URLs in real time. Snyk's API is free for open-source projects and provides vulnerability data for npm, PyPI, Maven, NuGet, and other package ecosystems. Get your API token from app.snyk.io/account. The free tier provides 200 test runs per month. All three APIs use standard Bearer token or API key authentication and return JSON responses, making them straightforward to integrate from Bolt's Next.js API routes.
Create a Next.js app with a security scanning setup. Add a .env.local file with VIRUSTOTAL_API_KEY, GOOGLE_SAFE_BROWSING_KEY, and SNYK_API_TOKEN as placeholder variables. Create a /api/security/status route that returns which APIs are configured (without exposing the actual key values) — useful for verifying setup is complete.
Paste this in Bolt.new chat
1// .env.local2VIRUSTOTAL_API_KEY=your_virustotal_api_key3GOOGLE_SAFE_BROWSING_KEY=your_google_api_key4SNYK_API_TOKEN=your_snyk_api_tokenPro tip: VirusTotal's free API key has a rate limit of 4 requests per minute and 500 per day. Add rate limiting to your API routes to prevent users from exhausting your daily quota — for example, limit URL checks to 10 per hour per IP address.
Expected result: Your .env.local is configured with all three security API keys. Calling /api/security/status confirms which APIs are ready without exposing the actual credential values.
Build a URL safety checker using VirusTotal and Google Safe Browsing
Build a URL safety checker using VirusTotal and Google Safe Browsing
VirusTotal provides two URL analysis approaches. The first is a URL scan: submit the URL to POST /urls and get back an analysis ID, then poll GET /analyses/{analysisId} for results. This works well for deep analysis but takes 30-60 seconds. The second is a URL lookup: if VirusTotal has previously seen the URL, GET /urls/{base64-encoded-url} returns cached results instantly. For a user-facing URL checker, use the lookup first and fall back to a fresh scan only if no cached result exists. The VirusTotal URL identifier is the base64 URL-safe encoding (no padding) of the URL. In JavaScript: btoa(url).replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, ''). Google Safe Browsing uses a different model: you send a POST request to the Lookup API with a list of URLs and it returns which (if any) match known threat entries in Google's database. The response is immediate (no polling). The lookupThreatLists endpoint: POST https://safebrowsing.googleapis.com/v4/threatMatches:find?key={apiKey} with a JSON body specifying client info, threat types to check, and the URLs. Combining both APIs in a single endpoint gives you comprehensive URL safety data: VirusTotal provides coverage from 70+ security vendors (including McAfee, Kaspersky, Avast), while Google Safe Browsing specifically covers phishing and malware sites Google has indexed. Together they catch a higher percentage of threats than either alone. These outbound API calls work perfectly in Bolt's WebContainer during development — no deployment needed to test URL scanning.
Build a /api/security/check-url POST route that checks a URL against both VirusTotal and Google Safe Browsing. For VirusTotal: get the base64-encoded URL identifier and call the VirusTotal URL lookup endpoint. For Google Safe Browsing: call the threatMatches:find endpoint. Return a combined result: { url, virusTotal: { malicious, suspicious, clean, total }, safeBrowsing: { safe, threats }, overallStatus: 'safe'|'suspicious'|'dangerous' }.
Paste this in Bolt.new chat
1// app/api/security/check-url/route.ts2import { NextRequest, NextResponse } from 'next/server';34const VT_API = 'https://www.virustotal.com/api/v3';5const SB_API = 'https://safebrowsing.googleapis.com/v4';67const VT_KEY = process.env.VIRUSTOTAL_API_KEY ?? '';8const SB_KEY = process.env.GOOGLE_SAFE_BROWSING_KEY ?? '';910function urlToVtId(url: string): string {11 return btoa(url).replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');12}1314export async function POST(request: NextRequest) {15 const { url } = await request.json();1617 if (!url || typeof url !== 'string') {18 return NextResponse.json({ error: 'url is required' }, { status: 400 });19 }2021 const [vtResult, sbResult] = await Promise.allSettled([22 // VirusTotal URL lookup23 fetch(`${VT_API}/urls/${urlToVtId(url)}`, {24 headers: { 'x-apikey': VT_KEY },25 }).then((r) => r.json()),2627 // Google Safe Browsing28 fetch(`${SB_API}/threatMatches:find?key=${SB_KEY}`, {29 method: 'POST',30 headers: { 'Content-Type': 'application/json' },31 body: JSON.stringify({32 client: { clientId: 'bolt-security-scanner', clientVersion: '1.0' },33 threatInfo: {34 threatTypes: ['MALWARE', 'SOCIAL_ENGINEERING', 'UNWANTED_SOFTWARE'],35 platformTypes: ['ANY_PLATFORM'],36 threatEntryTypes: ['URL'],37 threatEntries: [{ url }],38 },39 }),40 }).then((r) => r.json()),41 ]);4243 const vtData = vtResult.status === 'fulfilled' ? vtResult.value : null;44 const sbData = sbResult.status === 'fulfilled' ? sbResult.value : null;4546 const vtStats = vtData?.data?.attributes?.last_analysis_stats ?? null;47 const sbThreats: string[] = sbData?.matches?.map((m: { threatType: string }) => m.threatType) ?? [];4849 const malicious = vtStats?.malicious ?? 0;50 const suspicious = vtStats?.suspicious ?? 0;51 const total = vtStats ? Object.values(vtStats).reduce((a: number, b) => a + (b as number), 0) : 0;5253 const overallStatus =54 sbThreats.length > 0 || malicious >= 355 ? 'dangerous'56 : malicious > 0 || suspicious >= 357 ? 'suspicious'58 : 'safe';5960 return NextResponse.json({61 url,62 virusTotal: { malicious, suspicious, clean: total - malicious - suspicious, total },63 safeBrowsing: { safe: sbThreats.length === 0, threats: sbThreats },64 overallStatus,65 });66}Pro tip: VirusTotal's URL lookup returns 'Not Found' (404) for URLs it has never seen. Handle the 404 response by either returning 'unknown' status or submitting the URL for a fresh scan using POST /urls and returning a 'Scan in progress' response with the analysis ID.
Expected result: Submitting a URL to /api/security/check-url returns combined threat data from VirusTotal and Google Safe Browsing, with an overall safety status of safe, suspicious, or dangerous.
Build a dependency vulnerability scanner with Snyk
Build a dependency vulnerability scanner with Snyk
Snyk's vulnerability database covers millions of known CVEs across multiple package ecosystems. For npm packages, you can query the Snyk REST API to get vulnerability data for specific package versions. This is valuable for developer tools, security dashboards, and automated checks that run as part of a build or review process. Snyk's API endpoint for package vulnerability data: GET https://api.snyk.io/rest/orgs/{orgId}/packages/npm/{packageName}/{version}/issues returns vulnerabilities for a specific npm package and version. You need your organization ID (found in Snyk account settings) and your API token (from app.snyk.io/account). Each vulnerability in the response includes: id (CVE identifier), title, severity (critical/high/medium/low), description, introduced through (affected versions), fixed in (versions that fix the issue), and a CVSS score. Use the fixed_in field to show users which version to upgrade to. For parsing a package.json to get multiple packages at once, iterate through dependencies and devDependencies, strip the version prefix characters (^, ~), and make a separate API call for each package. For 20-30 packages, this is manageable — but run them in parallel with Promise.allSettled to stay within Snyk's rate limits while keeping the total request time reasonable. This outbound API call works fine in Bolt's WebContainer during development. You can test your dependency scanner against real package data without deploying.
Build a /api/security/scan-packages POST route that accepts an array of { name, version } objects and queries the Snyk API for vulnerabilities in each package. Return results as an array: { name, version, vulnerabilities: [{ id, title, severity, fixedIn }], totalCount: { critical, high, medium, low } }. Build a UI with a textarea for entering packages (name@version format) and a scan button that calls this route and displays results as a color-coded table.
Paste this in Bolt.new chat
1// app/api/security/scan-packages/route.ts2import { NextRequest, NextResponse } from 'next/server';34const SNYK_API = 'https://api.snyk.io/rest';5const SNYK_TOKEN = process.env.SNYK_API_TOKEN ?? '';6const SNYK_ORG_ID = process.env.SNYK_ORG_ID ?? '';78type PackageInput = { name: string; version: string };910async function getPackageVulnerabilities(pkg: PackageInput) {11 // Clean version string (remove ^, ~, >=, etc.)12 const cleanVersion = pkg.version.replace(/^[^0-9]*/, '');1314 const url = `${SNYK_API}/orgs/${SNYK_ORG_ID}/packages/npm%2F${encodeURIComponent(pkg.name)}%40${cleanVersion}/issues?version=2024-10-15`;1516 const res = await fetch(url, {17 headers: {18 Authorization: `token ${SNYK_TOKEN}`,19 'Content-Type': 'application/json',20 },21 });2223 if (res.status === 404) return { ...pkg, vulnerabilities: [], error: 'Package not found' };24 if (!res.ok) return { ...pkg, vulnerabilities: [], error: `Snyk API error ${res.status}` };2526 const data = await res.json();27 const issues = data.data ?? [];2829 const vulnerabilities = issues.map((issue: {30 attributes: { title: string; severity: string; effective_severity_level: string; coordinates?: Array<{ remedies?: Array<{ details?: { upgrade_package?: string } }> }> };31 id: string;32 }) => ({33 id: issue.id,34 title: issue.attributes.title,35 severity: issue.attributes.effective_severity_level ?? issue.attributes.severity,36 fixedIn: issue.attributes.coordinates?.[0]?.remedies?.[0]?.details?.upgrade_package ?? 'No fix available',37 }));3839 const counts = vulnerabilities.reduce(40 (acc: Record<string, number>, v: { severity: string }) => {41 acc[v.severity] = (acc[v.severity] ?? 0) + 1;42 return acc;43 },44 { critical: 0, high: 0, medium: 0, low: 0 }45 );4647 return { ...pkg, cleanVersion, vulnerabilities, totalCount: counts };48}4950export async function POST(request: NextRequest) {51 const { packages } = await request.json();5253 if (!Array.isArray(packages) || packages.length === 0) {54 return NextResponse.json({ error: 'packages array is required' }, { status: 400 });55 }5657 const results = await Promise.allSettled(58 packages.slice(0, 20).map(getPackageVulnerabilities) // Limit to 20 packages59 );6061 const scanResults = results.map((r) =>62 r.status === 'fulfilled' ? r.value : { error: 'Scan failed' }63 );6465 return NextResponse.json({ results: scanResults });66}Pro tip: Snyk's API version parameter (e.g., ?version=2024-10-15) is required in all REST API calls. Check Snyk's developer documentation for the latest stable API date to use — older dates may return deprecated response formats.
Expected result: Submitting a list of npm packages returns vulnerability data from Snyk with severity counts per package. The results table shows packages color-coded by their highest vulnerability severity.
Deploy the security scanner and build a combined dashboard
Deploy the security scanner and build a combined dashboard
A security scanner dashboard combining VirusTotal URL checking, Google Safe Browsing, and Snyk dependency scanning gives users a comprehensive view of their app's security posture in one place. Deploying to Netlify or Vercel is the natural next step once you are satisfied with the development build. Click the Publish button in Bolt to deploy to Netlify. After deployment, add your security API keys as environment variables in Netlify's Site Settings → Environment Variables: VIRUSTOTAL_API_KEY, GOOGLE_SAFE_BROWSING_KEY, SNYK_API_TOKEN, SNYK_ORG_ID. Never expose these keys with NEXT_PUBLIC_ prefix — security API credentials must remain server-side. For the combined security dashboard, build a page with tabs for each scanner: URL Safety (using VirusTotal + Safe Browsing), Dependency Check (using Snyk), and ideally a Summary tab showing recent scan history stored in Supabase. The summary table would show the last 50 URL scans with their safety status, useful for auditing what links have been submitted through your app. Note that VirusTotal's free API rate limits (4 requests per minute) can become a constraint in production. Implement client-side rate limiting by disabling the scan button for 15 seconds after each request. For higher volume needs, VirusTotal's premium plans provide higher rate limits. Similarly, Google Safe Browsing's free tier allows 10,000 requests per day — more than sufficient for most Bolt app use cases. Since these are outbound API calls, no webhook configuration is needed. The security scanner dashboard works entirely as a request-response application without needing incoming events from external services. However, Bolt's WebContainer cannot receive inbound connections from any external service, which would be relevant if you were using a push-based security monitoring service rather than on-demand APIs.
Build a unified security dashboard page with three sections: (1) URL Safety Checker with an input field and scan button that calls /api/security/check-url and shows a color-coded result card, (2) Dependency Scanner with a textarea input and scan button that calls /api/security/scan-packages and shows a vulnerability table, (3) Recent Scans table showing the last 20 URL checks with their results stored in component state. Add a 'Clear History' button. Make the dashboard mobile-responsive.
Paste this in Bolt.new chat
1// app/api/security/status/route.ts2// Health check for security API configuration3import { NextResponse } from 'next/server';45export async function GET() {6 return NextResponse.json({7 apis: {8 virusTotal: Boolean(process.env.VIRUSTOTAL_API_KEY),9 googleSafeBrowsing: Boolean(process.env.GOOGLE_SAFE_BROWSING_KEY),10 snyk: Boolean(process.env.SNYK_API_TOKEN) && Boolean(process.env.SNYK_ORG_ID),11 },12 rateLimits: {13 virusTotal: '500 requests/day, 4/minute (free tier)',14 googleSafeBrowsing: '10,000 requests/day (free)',15 snyk: '200 test runs/month (free tier)',16 },17 });18}Pro tip: Add a rate limiting middleware to your security scan routes to prevent a single user from exhausting your daily API quotas. A simple approach: track request counts per IP in a Map with a 1-hour expiry and return 429 if the limit is exceeded.
Expected result: The security dashboard is deployed and accessible at a public URL. URL scanning and dependency checking work against live data from VirusTotal, Google Safe Browsing, and Snyk. The status endpoint confirms all API keys are configured.
Common use cases
URL safety scanner for user-submitted links
Add a safety check to any feature where users submit URLs — contact forms, link aggregators, or content submission tools. Before processing the URL, check it against VirusTotal and Google Safe Browsing to detect phishing, malware, or spam URLs, and warn users or block submission of dangerous links.
Build a URL safety checker component. When a user enters a URL and clicks 'Check Safety', call /api/security/check-url which checks the URL against both VirusTotal API and Google Safe Browsing API. Show a safety result card: green 'Safe' if both pass, yellow 'Suspicious' if only one flags it, red 'Dangerous' if both flag it. Show the number of VirusTotal engines that flagged the URL.
Copy this prompt to try it in Bolt.new
npm package vulnerability dashboard
Build a developer tool that accepts a package.json file or a list of npm package names and versions, checks them all against Snyk's vulnerability database, and returns a prioritized list of vulnerabilities with severity ratings and remediation advice — helping developers keep their dependencies secure.
Build a dependency security scanner page. Accept a list of npm packages (name@version format, one per line) in a textarea. Call /api/security/scan-packages which queries the Snyk vulnerability API for each package. Display results as a table: package name, version, vulnerability count (critical/high/medium/low counts colored by severity), and a 'View details' link to the Snyk advisory page.
Copy this prompt to try it in Bolt.new
File hash reputation checker
For apps that handle file uploads, add a pre-upload reputation check: compute the SHA-256 hash of the file on the client side and submit it to VirusTotal before uploading. VirusTotal returns reputation data from its database instantly for known files, catching known malware without uploading the actual file.
Build a file security pre-check feature. Create a React component that accepts a file input. Before upload, compute the SHA-256 hash of the file using the Web Crypto API (runs in browser, no upload needed). Call /api/security/check-hash with the hash, which queries the VirusTotal API for the file's reputation. Show the scan result: 'Clean (0/72 detections)', 'Suspicious (3/72)', or 'Malicious (45/72)' before allowing the actual file upload to proceed.
Copy this prompt to try it in Bolt.new
Troubleshooting
VirusTotal URL lookup returns 404 for URLs that should be in the database
Cause: VirusTotal may not have previously analyzed the specific URL you are checking. The URL lookup endpoint only returns data for URLs that have been submitted for analysis before. New or obscure URLs will return 404.
Solution: Handle the 404 response gracefully by returning an 'Unknown — never scanned' status rather than an error. Optionally, submit the URL for a fresh scan using POST /urls and return a 'Scan initiated' status with the analysis ID. Users can check back or you can poll for results.
1if (res.status === 404) {2 return NextResponse.json({3 url,4 status: 'unknown',5 message: 'URL not in VirusTotal database. No prior scan data available.',6 virusTotal: null,7 });8}Google Safe Browsing API returns 400 Bad Request
Cause: The request body format is incorrect, the API key is missing from the query parameter (it must be in the URL, not a header), or the threatTypes or platformTypes values are not valid enum strings.
Solution: Verify the API key is passed as a query parameter in the URL (?key=YOUR_KEY), not as a header. Check that threatTypes values are exactly: MALWARE, SOCIAL_ENGINEERING, UNWANTED_SOFTWARE, POTENTIALLY_HARMFUL_APPLICATION (case-sensitive). Ensure the threatEntries array is not empty.
1// Correct: API key as URL query parameter2const url = `https://safebrowsing.googleapis.com/v4/threatMatches:find?key=${SB_KEY}`;34// Wrong: API key as header (causes 400)5headers: { 'X-API-Key': SB_KEY }Snyk API returns 401 Unauthorized even with what seems like a correct token
Cause: Snyk uses 'token {apiToken}' format (not 'Bearer {apiToken}') for authorization. The organization ID may also be incorrect or missing from the URL path.
Solution: Verify the Authorization header uses 'token' prefix (not 'Bearer'): Authorization: `token ${SNYK_TOKEN}`. Find your organization ID in Snyk's account settings page — it is a UUID like '12345678-abcd-1234-abcd-123456789012'. Double-check SNYK_ORG_ID is set correctly in your .env.local.
1// Correct Snyk auth header format:2headers: { Authorization: `token ${process.env.SNYK_API_TOKEN}` }34// Wrong — Snyk does not use Bearer:5headers: { Authorization: `Bearer ${process.env.SNYK_API_TOKEN}` }Best practices
- Be transparent with users when results come from third-party security APIs — display 'Powered by VirusTotal' and 'Safe Browsing by Google' attribution as these services require attribution in their terms of service.
- Cache security scan results in Supabase for 24-48 hours to avoid re-scanning the same URL repeatedly — URL threat assessments do not change minute-to-minute and caching saves your daily API quota.
- Implement client-side rate limiting in your UI — disable the scan button for 15 seconds after each submission to prevent rapid successive requests from exhausting VirusTotal's 4-per-minute free tier limit.
- Never use security scan results as the sole gatekeeping mechanism for user actions — a clean VirusTotal result does not guarantee safety, and a flagged result may be a false positive. Display results as advisory information, not hard blocks.
- Store all security scan results in your database with timestamps for audit purposes — knowing which URLs were checked, when, and by whom is valuable for security incident investigation.
- For production apps processing many URL submissions, consider upgrading to VirusTotal's premium API tier (1,000+ requests per minute) rather than implementing complex rate limiting logic around the free tier constraints.
- Always handle API failures gracefully — if VirusTotal or Google Safe Browsing returns an error, show 'Security scan unavailable' rather than crashing or blocking the user flow.
Alternatives
Trend Micro is an enterprise security vendor with similarly limited public API access to McAfee — both are best replaced by developer-focused security APIs like VirusTotal or Google Safe Browsing for web app integrations.
Norton is a consumer security product with no public REST API for developers, making VirusTotal or Google Safe Browsing the more practical choices for web app threat detection features.
Duo Security focuses on two-factor authentication and identity verification, a different security use case than McAfee's threat detection — but Duo does have a well-documented API for adding MFA to Bolt apps.
LastPass provides password management with limited API access for enterprise use, focused on credential storage rather than threat scanning — a different security domain from McAfee's antivirus focus.
Frequently asked questions
Does McAfee have a public API I can use in Bolt.new?
No. McAfee (consumer) and Trellix (enterprise, the rebranded McAfee enterprise division) do not provide public REST APIs for independent developers. There is no developer console, no public API documentation, and no API key registration available. For security scanning features in Bolt.new, use VirusTotal, Google Safe Browsing, or Snyk instead — all have open, well-documented APIs with free tiers.
What is the 'McAfee function' that people search for?
The search query likely refers to building security scanning or threat detection functions in an app, using McAfee as a generic reference to antivirus/security functionality. The practical implementation uses developer-friendly APIs: VirusTotal for URL and file hash scanning against 70+ antivirus engines (including McAfee's engine), Google Safe Browsing for phishing detection, or Snyk for dependency vulnerability scanning.
Can I use VirusTotal to get the same data McAfee would provide?
VirusTotal aggregates results from over 70 security vendors, including McAfee's own antivirus engine. When you submit a URL or file hash to VirusTotal, McAfee's scanner is one of the engines that checks it. You will see a row labeled 'McAfee' in the results. So VirusTotal effectively gives you McAfee's threat assessment plus 70 other engines' assessments, in a single API call.
Can I test the VirusTotal integration in Bolt's preview before deploying?
Yes. VirusTotal, Google Safe Browsing, and Snyk API calls are all outbound HTTP requests that work perfectly in Bolt's WebContainer preview. You can build and test your complete security scanner during development without deploying. The only time you need a deployed URL is for webhook-based integrations, which none of these three APIs require for their core scanning functionality.
How do I handle VirusTotal's rate limits in a production Bolt app?
VirusTotal's free API allows 4 requests per minute and 500 per day. Implement rate limiting in your Next.js API route using an in-memory counter or a Redis/Supabase-backed counter. Disable the scan button in the UI for 15 seconds after each submission. Cache scan results for 24 hours using the URL as the cache key. If you exceed the free tier limits frequently, upgrade to VirusTotal's premium plan at virustotal.com/gui/premium.
Talk to an Expert
Our team has built 600+ apps. Get personalized help with your project.
Book a free consultation