Platform Guide

Lovable Security Checklist

Lovable generates full-stack apps fast. The trade-off: it defaults to permissive Supabase policies and no auth on API routes. Here's every security gap to close before you share the URL.

Why Lovable apps get hacked

Lovable's strength — generate a working app from a prompt — is also its security risk. It scaffolds fast but doesn't enforce Row Level Security by default, doesn't add authentication middleware to every route, and exposes your Supabase anon key in the client bundle (which is expected, but dangerous without RLS).

A scan of 200+ Lovable-built apps found three issues in over 90% of them:

  • Supabase tables with no RLS policies — every table readable by anyone
  • No authentication check on /api/* routes that return user data
  • Missing security headers — no CSP, no HSTS, no X-Frame-Options

The Lovable security checklist

✅ Supabase RLS

  • Open Supabase Table Editor → Authentication → Policies for every table
  • Ensure no table says "RLS disabled" unless it holds only public data
  • Replace USING (true) with USING (auth.uid() = user_id)
  • Test with an anonymous request: curl -H "apikey: ANON_KEY" URL/rest/v1/your_table — it should return 0 rows or 401
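As an added example (not code from the checklist or from Lovable's scaffold), here is the permissive policy a generated app typically ships with, followed by the owner-scoped replacement and a query that lists tables still running without RLS. It assumes a table `public.notes` with a `user_id uuid` column referencing `auth.users`.

```sql
-- Assumed table: public.notes(id, user_id uuid references auth.users, body text)

-- BEFORE (typical scaffold): RLS off, or a policy that anyone can satisfy.
-- With the anon key in the client bundle this makes every row world-readable.
create policy "public read" on public.notes
  for select using (true);

-- AFTER: turn RLS on and scope every operation to the row's owner.
alter table public.notes enable row level security;

drop policy if exists "public read" on public.notes;

-- Only the signed-in owner can read their rows; anon role gets nothing.
create policy "owner can select" on public.notes
  for select to authenticated
  using ((select auth.uid()) = user_id);

-- Writes need WITH CHECK, or a user could insert rows owned by someone else.
create policy "owner can insert" on public.notes
  for insert to authenticated
  with check ((select auth.uid()) = user_id);

create policy "owner can update" on public.notes
  for update to authenticated
  using ((select auth.uid()) = user_id)
  with check ((select auth.uid()) = user_id);

create policy "owner can delete" on public.notes
  for delete to authenticated
  using ((select auth.uid()) = user_id);

-- CHECK: any table listed here is still readable by anyone holding the anon key.
select schemaname, tablename
from pg_tables
where schemaname = 'public' and not rowsecurity;
```

Run the final query in the Supabase SQL editor after each change; the checklist's goal is for it to return no rows except tables that hold only public data.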

✅ API Route Authentication

  • Every /api/* route that reads or writes user data must call supabase.auth.getUser() and check the result
  • Return 401 if no valid session — never return data first and check auth second
  • Admin routes must be in /api/admin/* and protected by a separate middleware check for user.role === 'admin'

✅ Exposed Secrets

  • Your Supabase anon key in client code is expected — but only safe if RLS is enabled on every table
  • Any secret with sk_, OPENAI_API_KEY, or SECRET in the name must NOT be in the client bundle
  • Check: view source on your deployed app, search for sk_live, sk-proj, or OPENAI

✅ Security Headers

  • Lovable deploys to Vercel/Netlify by default — neither adds security headers automatically
  • Add next.config.mjs headers: CSP, HSTS, X-Frame-Options, X-Content-Type-Options
  • Check your current headers: run the free header check

✅ Payment Webhook Security (if using Razorpay/Stripe)

  • Webhook endpoints must verify the signature before processing any event
  • Lovable's payment scaffold often omits this — check every /api/webhook* route
  • For Razorpay: use validateWebhookSignature(body, signature, secret)

How to scan your Lovable app

Paste your Lovable app URL into Vezraa. The scanner checks all of the above in 25 seconds — exposed keys, RLS issues, missing headers, unprotected admin routes, webhook security, and 90+ more checks.

It works on any deployed URL. You don't need to share your Supabase credentials or repo access.

Scan your Lovable app for security issues in 25 seconds.
