r/lovable

I run a security auditing service and last week I scanned a total of 8 Lovable built apps, since I noticed that with the Lovable platform specifically that its vulnerabilities always seemed to be structured in the same exact way across different apps. Furthermore, many of these products had actual user bases and live billing mechanisms in place, and thus the data that these apps were handling were particularly important.

That out of the way, these are 5 of the most common findings that I came across among almost all of the Lovable built applications that i have audited thus far:

1. 8/8 apps had at least one HIGH severity finding; though, typically within a short 10-15 minute window, I was able to source multiple (even within some of the better built products, same idea). Many of these findings were able to be sourced with fairly rudimentary tooling. For instance, almost all of the apps I scanned seemed to have secrets of all kinds baked right into the front end; accessible through DevTools alone. Things ranging from JWTs, API keys, etc etc. However, it gets worse:

2. 7/8 apps had a hardcoded supabase token sitting in the front in JS bundle sitting in plain sight. This being the code that your browser actually downloads first before loading your app, what this means is that anyone can open devtools on their local machine, and search for this directly within the sources tab with next to no effort. This key, plus an unprotected database means that anybody online can utilize this to grant themselves direct read/write access to your data without even being logged in.

3. 7/8 apps had no rate limiting mechanisms configured on login. What this means is that there is absolutely nothing stopping someone from attemptions thousands of password guesses on any account that they choose. Configuring an automation tool to cycle through common password lists to target specific users is simple, and what this means is that anyone can access any account they desire by running said scripts overnight. So thus, rendering user passwords completely useless as safeguarding mechanisms. Furthermore, on these same apps there was a complete absence of other such mitigation methods (ie: CAPTCHA trigger, account lockout/slowdown mechanisms), so this confirms that anybody can log in wherever they choose to on these sites completely under the radar.

4. 6/8 apps had their session tokens stored directly in localStorage. Essentially, when one logs into a session, the application receives a distinct user token that seeks to prove who you are. This token being stored in localStorage, what this means is that any malicious script running on the page (ie: a compromised dependency, ad, or pretty much anything at all) can both read the token and send it off to any destination an attacker chooses. Thus, in the attacker's case they are now the owner of this token and can use it to log into any site user they chose to for as long as the token's shelf life permits.

5. 5/8 were missing basic security headers entirely. In summary, security headers exist as sets of instructions that your server sends directly to your browser to tell it how it should behave with your information; so things like “block this content type”, "don't load resources from unknown domains”, “don’t allow this page to be embedded in iframe”, these act as parameters that need to be established to ensure your application is not exposed to certain exploits that it doesn't have to be. Without the presence of proper headers, this means that your app has no guardrails in place to prevent specific types of exploits; namely, clickjacking, cross site scripting, and MIME sniffing attacks become far easier to execute.

On the hardcoded key issue present in all scanned applications, this is a direct output structure produced by lovable apps specifically, since this is a known template default on the platform. For most founders, they are completely unaware that it is exposed like this to begin with.

As well, a few additional things that I found interesting:

• One financial app handling personal banking data, business accounts, and bill payments had its Supabase key in the bundle with no rate limiting, and all table names leaking in the network tab. Being a fintech product, this is a fairly significant finding that leaves critical information readily exposed.

• One platform advertising "enterprise security” and “end-to-end data protection" on its landing page had four high severity findings including email enumeration via a purpose-built endpoint and session tokens fully exposed client-side.

• One B2B SaaS had 15 unauthenticated API endpoints. I wrote to their production database twice during the audit with zero authentication.

With all of these findings, none of the founders I have worked with even knew that these issues were present in their builds to begin with. If you've shipped with Lovable and haven't had anyone look it over, it is reasonable to assume that at least one of these applies to you.

Stay safe out there!

I'm a backend engineer, been shipping production apps for 9 years. The last 8 months ive been auditing Lovable builds for friends, freelance clients, and a few small startup teams. 50+ apps now, ranging from one-pager landers to full-stack SaaS with 1000+ users. The speed is wild. Stuff that used to take me a sprint takes Lovable an afternoon. But theres a pattern i keep seeing: vibe coded apps work great with 5 users, then something starts breaking around user 50, and by user 500 the founder is in panic mode in my DMs. Here are the 6 things that almost always break. Plain English, paste-ready fixes.

The ""Auth Emails Vanish"" Problem

The Vibe: You ship signup. People sign up. It works on your machine. The Reality: Supabase Auth uses its default SMTP for outbound. Default SMTP has terrible deliverability. Half your auth emails go to spam, the other half land in promotions tab. The Trap: Users sign up, never verify, never come back. Your ""1000 signups"" is actually 400 verified users and you have no idea because you arent tracking deliverability. The Fix: Configure custom SMTP with proper SPF / DKIM / DMARC records before launch. In Supabase: Auth → SMTP Settings → use Resend or Postmark with verified domain. Set up DMARC at p=quarantine minimum. Test with mail-tester.com before going live. Some of my clients have started routing auth emails through dreamlit instead which handles deliverability and branding in one step, but custom SMTP works fine too if you just need the basics.

The ""Public RLS"" Catastrophe

The Vibe: Lovable says your tables have RLS enabled. Security Scan is green. The Reality: RLS being ""enabled"" means nothing if your policies are wrong. Lovable's Security Scan checks if RLS exists, not if it's restrictive. Default-generated policies are often true for everything. The Trap: Anyone who finds your supabase URL can read your entire database. Your users data, payment info, everything. Theres a researcher who audited 50 Lovable apps and found 89% of them had this exact issue. The Fix: Open Supabase studio → Authentication → Policies for every table. Each policy should reference auth.uid() matched against an owner column. Run this query to find all your tables with permissive policies: SELECT tablename, policyname, qual FROM pg_policies WHERE schemaname = 'public'; and review every row by hand.

The ""Stripe Webhook Wide Open"" Mistake

The Vibe: Lovable wired up Stripe checkout. Users can pay. Money is moving. The Reality: The webhook endpoint that updates user subscriptions probably isnt verifying the Stripe signature. The agent often skips this step unless explicitly asked. The Trap: Anyone can POST a fake webhook to your endpoint and upgrade themselves to a paid plan for free. Or worse, downgrade everyone elses subscriptions. The Fix: In your edge function or webhook handler, verify the signature using stripe.webhooks.constructEvent(rawBody, signature, webhookSecret). The webhook secret is in your Stripe dashboard under Developers → Webhooks → Signing secret. Never log it. Store it as a Supabase secret, not in your code.

The ""Context Rot Cascade""

The Vibe: Youre 4 months in. The agent has been your pair programmer the whole time. The Reality: After enough back-and-forth, the agent loses track of what your app actually does. It starts ""fixing"" things by breaking working features. The Trap: One day you ask for a small change, the agent rewrites your auth flow, breaks 3 unrelated things, and you spend 2 days debugging. The Fix: Three habits. One, commit to GitHub before every agent run. Two, use Chat Mode to plan before Agent Mode executes (Chat Mode is 1 credit, doesnt write code). Three, when the app gets to about 80 components, start scoping prompts to specific files: ""only modify components/Pricing.tsx, dont touch anything else.""

The ""Free Tier Abuse"" Drain

The Vibe: Your app uses OpenAI / Anthropic / some AI API. Free tier was generous. Costs were predictable. The Reality: You didnt add rate limiting. The agent gave you a frontend ""Generate"" button connected to an edge function that hits OpenAI directly. The Trap: One Twitter mention, one Reddit post, one bot scraping your site, and youll wake up to a $400 OpenAI bill from a few hours of someone hitting your endpoint in a loop. The Fix: Rate limit at the edge function level. Use Upstash Redis or Supabase's built-in rate limiting. Limit free users to 5 requests per minute, paid users to 30. Set a hard daily cap. Set spending limits on your OpenAI account in their dashboard. This isnt optional, this will happen.

The ""Onboarding Drip Doesnt Exist"" Gap

The Vibe: Users sign up. Your job is done. They'll figure it out. The Reality: Activation rate for vibe coded apps without an onboarding email sequence hovers around 12-18%. With even a basic 3-email sequence, that jumps to 35-50%. The Trap: You spent 3 months building. Got 200 signups from a launch post. Two weeks later, only 24 of them ever returned to the app. You assume the product is bad. The product might be fine. The retention loop is missing. The Fix: At minimum: Day 0 welcome email, Day 2 ""have you tried [main feature]"" email, Day 7 ""heres what other users are doing"" email. These can be templated. Tools that handle this from your Supabase database directly without you writing edge functions for each one: dreamlit (connects to your postgres db, you describe workflows in plain english), Loops, or Resend with custom edge functions if you want more control. Pick one. Set it up before launch, not after. The clients i've seen do this before their first user consistently have 3-4x the activation rate of the ones who ""plan to add email later."" Most of these took clients of mine multiple painful weeks to figure out. The fixes themselves are usually a few hours of work. The lesson is: vibe coding solves the building problem. It does not solve the ""running a real product"" problem. Thats still on you. curious which one of these has bit yall the worst. and if theres a 7th i should add to the list.