Tell Me When Down
How it worksWhat we checkPricing
BlogFree toolsCompareDocs
Log inGet started
All posts
Security for vibe-coded apps

Is Lovable secure? The one setting that decides it

July 18, 2026·6 min read
An open door spilling light into a dark room — a database left reachable without its access rules set.

Lovable isn't insecure. But a Lovable app can be wide open, and the difference is one setting most builders never touch. The honest answer to "is Lovable secure?" is: it depends entirely on what you did after it generated the app.

This isn't hypothetical hand-waving. The gap has a CVE and a headcount attached to it. Here's how Lovable apps are wired, the exact place they leak, and how to check yours.

How a Lovable app is put together

Lovable generates a frontend and, for anything that needs to store data, wires it to Supabase — a hosted Postgres database. To talk to that database from the browser, the app ships with a Supabase anon key baked into the frontend.

That key is public by design. Every visitor has it — you can read it out of the page source. It's only safe because it's supposed to be fenced in by Row Level Security: database rules that decide which rows each user is allowed to touch. No RLS, no fence.

The gap that hit 170 projects

Here's the trap. Supabase turns RLS on automatically only when you create a table through its Table Editor. Tables created any other way — raw SQL, a migration, or an AI tool writing the schema for you — don't get RLS by default. And an AI builder writes a lot of schema for you.

So the public key ends up pointed at tables with no fence around them. Anyone who opens the app, grabs the key, and queries the database reads every row — other users' emails, private records, the lot.

CVE-2025-48757
the 2025 disclosure of this exact RLS gap in Lovable apps
10.3%
of analyzed Lovable projects had tables readable by anyone
Table Editor
the only path where Supabase enables RLS for you
anon key
public by design — safe only when RLS is on

Those figures come from a 2025 disclosure by security researcher Matt Palmer (CVE-2025-48757), who found hundreds of endpoints across scanned Lovable projects returning data to unauthenticated requests. The point isn't that Lovable is uniquely bad — it's that the default is "works," not "locked down," and the two look identical from the front end.

The other key you must never ship

Supabase gives you a second key, the service_role key, which bypasses RLS entirely — full read/write on everything. It exists for trusted server-side code.

If generated code ever puts the service_role key in the browser to make an admin action "just work," every RLS policy you wrote is moot. That key belongs on the server only. Check for it before anything else.

Making your Lovable app actually secure

  1. Enable RLS on every table in the public schema. Don't assume it's on — check each one. Anything created outside the Table Editor is guilty until proven otherwise.
  2. Write real policies. RLS on with an "allow everyone" policy is no better than off. Each policy should tie rows to the user, e.g. auth.uid() = user_id.
  3. Keep the service_role key server-side. Never in client code. Grep the frontend for it.
  4. Move any other secrets out of the bundle — third-party API keys, payment secrets — into server-side env vars.
  5. Check the outside view too — security headers, SSL, cookies — the defaults an app builder rarely sets.

The fastest way through the database side is to make the AI check its own work, table by table:

paste into Claude or ChatGPT
My app was built with Lovable and uses Supabase. Audit it specifically for the Row Level Security gap that Lovable apps commonly ship with.

1. List every table in my public schema and tell me, for each one, whether Row Level Security is ENABLED. Flag any table that has RLS off — those are readable/writable by anyone with the public anon key.
2. For each table that has RLS on, show me its policies and tell me plainly whether they actually restrict rows to the owning user (e.g. auth.uid() = user_id), or whether a policy is effectively "allow everyone".
3. Check where my Supabase keys are used: confirm the service_role key is NEVER used in client-side / browser code, only the anon key. Flag any client init that uses the service role key.
4. Point out any table that was created via SQL, a migration, or generated code rather than the Table Editor — those don't get RLS automatically.

For each finding give me the table name, the risk in one sentence, and the exact SQL to enable RLS and add a correct policy.

Lovable's own Supabase integration docs cover connecting the two; the RLS discipline above is the part that's on you.

The half you can check from outside

RLS lives in your database, but the headers, certificate, and cookies live on the public URL — testable in seconds without touching code:

free tool · no loginSecurity headers checkScan your Lovable app's live URL for the security headers an app builder leaves unset — clickjacking, sniffing, and downgrade protection. No login.

This is the Lovable-specific cut of a broader problem — the same class of gaps runs through every AI-built app, which we lay out in vibe coding security risks.

Lock it down today, then know if it changes.

The checks above secure your Lovable app now. Tell Me When Down watches it after — SSL that lapses, a URL that starts erroring, a site that goes down — free, no card, so a quiet change doesn't become a public one.

Watch my appfree · no card required
more on security for vibe-coded apps
How to secure a Supabase app: the five settings that matterA Supabase app can be wide open, almost always for the same handful of reasons: RLS off, the service_role key in the browser, public buckets, unguarded functions, secrets in the bundle. Here's the map to closing each one.Is my Supabase database public? RLS, and how to checkYour Supabase anon key is public by design — safe only if RLS is on with a real policy. Tables made outside the Table Editor ship with it off, and USING(true) is still open. Here's how to check if your data is public.My API key is showing on my website — is that bad?An API key visible in your frontend is a shrug or an emergency depending on which kind it is. Public keys (anon, pk_, Maps) are meant to be seen; secret keys are compromised the instant they ship. How to tell, and what to do.Is my app built with AI safe? A non-developer's checkYou built an app with AI, it works, and you're quietly worried it's not safe — but you can't read code. Here are the four plain-English questions that matter, and how to check each one without being a developer.Is Bolt.new secure? What the generated app leaves openBolt.new builds a working full-stack app fast — which is why the security gets skipped. The usual gaps: a Supabase database with RLS off, secrets in the bundle, UI-only authorization. Here's how to audit yours.Is v0 secure? Keeping a generated Next.js app's secrets inv0's Next.js output looks production-ready, which is the trap. NEXT_PUBLIC_ bakes a var into the bundle, and a secret in a client component ships to the browser. Here's how to check a v0 app keeps its secrets in.Vibe coding security risks: the checklist nobody runsThe appeal of vibe coding is that you don't read every line — which is exactly why the holes get through. Exposed secrets, a database anyone can read, rules enforced only in the UI, and how to close each one.

spot something wrong or out of date? [email protected] — we'll fix it

Tell Me When Down

Uptime and security monitoring for people who'd rather ship than babysit servers. We watch so you can sleep.

product
How it worksWhat we checkPricingDocsBlogFAQ
free toolsWebsite security scanSupabase pause checkRender sleep checkMixed content checkerSecurity headers checkCookie security checkSSL expiry check
comparevs UptimeRobotvs Better Stackvs PingdomFor indie hackers
company
StatusAbout our botSupportPrivacyTerms
© 2026 TellMeWhenDown · tellmewhendown.com