Lovable Security Checklist
Lovable generates full-stack apps fast. The trade-off: it defaults to permissive Supabase policies and no auth on API routes. Here's every security gap to close before you share the URL.
Why Lovable apps get hacked
Lovable's strength — generate a working app from a prompt — is also its security risk. It scaffolds fast but doesn't enforce Row Level Security by default, doesn't add authentication middleware to every route, and exposes your Supabase anon key in the client bundle (which is expected, but dangerous without RLS).
A scan of 200+ Lovable-built apps found three issues in over 90% of them:
- Supabase tables with no RLS policies — every table readable by anyone
- No authentication check on `/api/*` routes that return user data
- Missing security headers — no CSP, no HSTS, no X-Frame-Options
The Lovable security checklist
✅ Supabase RLS
- In the Supabase dashboard open Authentication → Policies and review every table (the Table Editor shows the same RLS status badge per table)
- Ensure no table says "RLS disabled". Even a table that holds only public data needs RLS enabled with a read-only policy; with RLS off, the anon key can insert into and delete from it
- Replace `USING (true)` with `USING (auth.uid() = user_id)` on any table holding per-user data (a `FOR SELECT` policy with `USING (true)` is fine for genuinely public read-only data). For INSERT and UPDATE policies put the same condition in `WITH CHECK`, otherwise a signed-in user can write rows under someone else's `user_id`
- Test with an anonymous request: `curl -H "apikey: ANON_KEY" URL/rest/v1/your_table`. With RLS on and no anon policy it returns an empty array (`[]`) or an error status; any rows in the response mean the table is open to the public
✅ API Route Authentication
- Every `/api/*` route that reads or writes user data must call `supabase.auth.getUser()` on a server client built from the request's cookies or Authorization header, and check the result. `getUser()` verifies the token with Supabase Auth; `getSession()` only reads the cookie and must not be used for authorization on the server
- Return 401 if no valid session — never return data first and check auth second
- Admin routes must be in `/api/admin/*` and protected by a separate middleware check. Note that `user.role` on the object `getUser()` returns is the Postgres role, which is `authenticated` for every signed-in user, so a `user.role === 'admin'` check never passes. Store the app role in `app_metadata` (writable only with the service role key) and check `user.app_metadata.role === 'admin'`; never use `user_metadata`, which the user can edit themselves
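The auth-first pattern for both a user route and an admin route, as an added example (not Lovable's scaffold and not Vezraa's code). It is written as plain functions that receive the Supabase server client, so it runs offline against the in-memory stub defined below; `profiles` with a `user_id` column, and the `app_metadata.role` claim, are assumptions for the illustration.

```javascript
// Added example: authenticate before touching data, and derive admin status
// from app_metadata rather than user.role or user_metadata.

async function getProfile(supabase) {
  // 1. Authenticate FIRST. getUser() validates the token with Supabase Auth.
  const { data: { user }, error } = await supabase.auth.getUser();
  if (error || !user) {
    return { status: 401, body: { error: 'unauthenticated' } };
  }
  // 2. Only now query, and scope the query to the caller's own row.
  const { data, error: dbError } = await supabase
    .from('profiles')
    .select('id, user_id, display_name')
    .eq('user_id', user.id)
    .single();
  if (dbError) return { status: 500, body: { error: 'db' } };
  return { status: 200, body: data };
}

function isAdmin(user) {
  // user.role is the Postgres role ("authenticated") for every signed-in user,
  // so it cannot identify admins. app_metadata can only be set with the service
  // role key; user_metadata is editable by the user and must never grant anything.
  return Boolean(user.app_metadata && user.app_metadata.role === 'admin');
}

async function adminListUsers(supabase) {
  const { data: { user }, error } = await supabase.auth.getUser();
  if (error || !user) return { status: 401, body: { error: 'unauthenticated' } };
  if (!isAdmin(user)) return { status: 403, body: { error: 'forbidden' } };
  const { data, error: dbError } = await supabase.from('profiles').select('id, user_id');
  if (dbError) return { status: 500, body: { error: 'db' } };
  return { status: 200, body: data };
}

// --- Offline stand-in for supabase-js (assumption for this example) ---------
function makeStubSupabase(user, rows) {
  // Supports auth.getUser() and a from().select().eq().single() chain over an array.
  const query = (filtered) => ({
    select: () => query(filtered),
    eq: (col, val) => query(filtered.filter((r) => r[col] === val)),
    single: async () => (filtered.length === 1
      ? { data: filtered[0], error: null }
      : { data: null, error: { message: `expected 1 row, got ${filtered.length}` } }),
    then: (resolve) => resolve({ data: filtered, error: null }),
  });
  return {
    auth: {
      getUser: async () => (user
        ? { data: { user }, error: null }
        : { data: { user: null }, error: { message: 'missing or invalid session' } }),
    },
    from: () => query(rows),
  };
}

// Constructed sample data.
const SAMPLE_PROFILES = [
  { id: 1, user_id: 'u1', display_name: 'Ada' },
  { id: 2, user_id: 'u2', display_name: 'Bob' },
];
const SAMPLE_USERS = {
  // Ada wrote role=admin into her own user_metadata; that must be ignored.
  ada: { id: 'u1', role: 'authenticated', app_metadata: {}, user_metadata: { role: 'admin' } },
  // Bob's admin role was set server-side in app_metadata.
  root: { id: 'u2', role: 'authenticated', app_metadata: { role: 'admin' }, user_metadata: {} },
};

(async () => {
  console.log('anonymous  ->', (await getProfile(makeStubSupabase(null, SAMPLE_PROFILES))).status);
  console.log('ada/self   ->', (await getProfile(makeStubSupabase(SAMPLE_USERS.ada, SAMPLE_PROFILES))).status);
  console.log('ada/admin  ->', (await adminListUsers(makeStubSupabase(SAMPLE_USERS.ada, SAMPLE_PROFILES))).status);
  console.log('root/admin ->', (await adminListUsers(makeStubSupabase(SAMPLE_USERS.root, SAMPLE_PROFILES))).status);
})();
```

In a real route handler the `supabase` argument is the server client created from the incoming request (cookies or `Authorization: Bearer`), and the returned `{ status, body }` maps onto the framework's response object. The shape matters more than the framework: the session check is the first statement, and the query is scoped to `user.id` even though RLS should enforce the same thing, so one misconfigured policy does not become a data leak.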
✅ Exposed Secrets
- Your Supabase anon key in client code is expected — but only safe if RLS is enabled on every table. The service_role key bypasses RLS entirely and must never appear client-side; both keys are JWTs, and the `role` claim tells you which one you are looking at
- Any secret with `sk_`, `OPENAI_API_KEY`, or `SECRET` in the name must NOT be in the client bundle. Remember that any env var your framework exposes to the browser (`NEXT_PUBLIC_*` on Next.js, `VITE_*` on Vite) is inlined into the bundle at build time, so never put a secret under those prefixes
- Check: view source on your deployed app, search for `sk_live`, `sk-proj`, or `OPENAI`
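The "view source and search" check, turned into a small offline scanner, as an added example (not Vezraa's scanner and not Lovable's code). It greps a built bundle for the key shapes named above and, going one step beyond the text, decodes every JWT it finds to confirm a Supabase key is the anon key rather than the service_role key. The key prefixes and minimum lengths are assumptions meant to avoid false positives; the sample bundle and the JWTs in it are constructed (the signature part is meaningless).

```javascript
// Added example: scan a client bundle for secrets that must never ship to the browser.
const SECRET_PATTERNS = [
  { name: 'Stripe live secret key', re: /\bsk_live_[A-Za-z0-9]{16,}/g },
  { name: 'Stripe test secret key', re: /\bsk_test_[A-Za-z0-9]{16,}/g },
  { name: 'OpenAI project key', re: /\bsk-proj-[A-Za-z0-9_-]{16,}/g },
  { name: 'OpenAI legacy key', re: /\bsk-[A-Za-z0-9]{32,}/g },
  { name: 'OPENAI_API_KEY assignment', re: /OPENAI_API_KEY\s*[:=]\s*["'][^"']+["']/g },
];

function decodeJwtPayload(token) {
  // JWT = base64url(header).base64url(payload).base64url(signature); no verification needed
  // here, we only want to read the role claim of a key we already possess.
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  try {
    return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
  } catch {
    return null;
  }
}

function findSupabaseKeys(bundle) {
  // Supabase API keys are JWTs with iss="supabase" and role="anon" or "service_role".
  const jwtRe = /\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g;
  const keys = [];
  for (const token of bundle.match(jwtRe) || []) {
    const payload = decodeJwtPayload(token);
    if (payload && payload.iss === 'supabase') keys.push({ role: payload.role, ref: payload.ref });
  }
  return keys;
}

function scanBundle(bundle) {
  const findings = [];
  for (const { name, re } of SECRET_PATTERNS) {
    for (const match of bundle.match(re) || []) {
      findings.push({ name, sample: match.slice(0, 12) + '...' }); // never log the full secret
    }
  }
  for (const key of findSupabaseKeys(bundle)) {
    if (key.role === 'service_role') {
      findings.push({ name: 'Supabase service_role key (bypasses RLS)', sample: `project ${key.ref}` });
    }
  }
  return findings;
}

// --- Constructed sample bundle ---------------------------------------------
function fakeSupabaseJwt(role) {
  const b64 = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  const header = b64({ alg: 'HS256', typ: 'JWT' });
  const payload = b64({ iss: 'supabase', ref: 'abcdefghijklmnopqrst', role, iat: 1700000000, exp: 2000000000 });
  return `${header}.${payload}.c2lnbmF0dXJl`; // fake signature
}

const SAMPLE_BUNDLE = [
  'const SUPABASE_URL="https://abcdefghijklmnopqrst.supabase.co";',
  `const SUPABASE_ANON_KEY="${fakeSupabaseJwt('anon')}";`,      // expected in a bundle
  `const ADMIN_KEY="${fakeSupabaseJwt('service_role')}";`,     // catastrophic if shipped
  'const stripe=new Stripe("sk_live_0123456789abcdef0123456789");', // secret key in the client
].join('\n');

for (const f of scanBundle(SAMPLE_BUNDLE)) console.log(`FOUND ${f.name}: ${f.sample}`);
```

Run it over the JS files served from your deployed app (download them; do not paste keys into a third-party tool). The anon key on its own produces no finding, which is the point of decoding the role claim: the scanner distinguishes the expected key from the one that must never leave the server.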
✅ Security Headers
- Lovable deploys to Vercel/Netlify by default — neither adds security headers automatically
- Add the headers in `next.config.mjs` (or, if the app is not on Next.js, in `vercel.json` or `netlify.toml`, which both support per-route headers): CSP, HSTS, X-Frame-Options, X-Content-Type-Options
- Check your current headers: run the free header check
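The header set above as a function you can return from `headers()` in `next.config.mjs`, paired with a checker that reports which of them a response is missing, as an added example (not Lovable's generated config). The CSP directives are an assumed starting point for a Supabase-backed app and will need extending for any third-party script or image host you use.

```javascript
// Added example: security headers as data, plus a checker for a live response.
const CSP = [
  "default-src 'self'",
  "script-src 'self'",
  "style-src 'self' 'unsafe-inline'", // most generated UI kits still inject inline styles
  "img-src 'self' data: https:",
  "connect-src 'self' https://*.supabase.co wss://*.supabase.co", // REST, Auth and Realtime
  "frame-ancestors 'none'", // the modern replacement for X-Frame-Options; keep both
  "base-uri 'self'",
  "form-action 'self'",
].join('; ');

function securityHeaders() {
  return [
    { key: 'Content-Security-Policy', value: CSP },
    { key: 'Strict-Transport-Security', value: 'max-age=63072000; includeSubDomains; preload' },
    { key: 'X-Frame-Options', value: 'DENY' },
    { key: 'X-Content-Type-Options', value: 'nosniff' },
    { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
  ];
}

// In next.config.mjs the same list plugs in as:
//   export default { async headers() { return [{ source: '/(.*)', headers: securityHeaders() }]; } };

function missingSecurityHeaders(responseHeaders) {
  // responseHeaders: a plain object as returned by fetch(...).headers or curl -I,
  // compared case-insensitively because HTTP header names are.
  const present = new Set(Object.keys(responseHeaders).map((k) => k.toLowerCase()));
  return securityHeaders()
    .map((h) => h.key)
    .filter((key) => !present.has(key.toLowerCase()));
}

// Constructed response: what a default Vercel/Netlify deploy typically sends back.
const SAMPLE_RESPONSE_HEADERS = {
  'content-type': 'text/html; charset=utf-8',
  'cache-control': 'public, max-age=0, must-revalidate',
  'x-frame-options': 'DENY',
};

console.log('missing:', missingSecurityHeaders(SAMPLE_RESPONSE_HEADERS));
```

Deploy the CSP as `Content-Security-Policy-Report-Only` first and watch the browser console for blocked resources before switching to the enforcing header name; an over-strict CSP breaks the app silently for users rather than for you.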
✅ Payment Webhook Security (if using Razorpay/Stripe)
- Webhook endpoints must verify the signature before processing any event
- Lovable's payment scaffold often omits this — check every `/api/webhook*` route
- For Razorpay: use `validateWebhookSignature(body, signature, secret)` with the raw request body as received, not the re-serialised parsed JSON, otherwise the HMAC never matches and the route either fails open or gets "fixed" by removing the check
How to scan your Lovable app
Paste your Lovable app URL into Vezraa. The scanner checks all of the above in 25 seconds — exposed keys, RLS issues, missing headers, unprotected admin routes, webhook security, and 90+ more checks.
It works on any deployed URL. You don't need to share your Supabase credentials or repo access.
Scan your Lovable app for security issues in 25 seconds.
Scan My Lovable App →