ScanVibe Team · 7 min read

I Scanned 50 Lovable Apps — Here's What I Found

Tags: lovable, security-report, data


Lovable is one of the most popular AI coding platforms, with thousands of apps shipped every week. But how secure are they?

We decided to find out. We scanned 50 real Lovable apps currently live on the internet using ScanVibe's 8-point security analyzer. The results are... concerning.


Methodology

We collected 50 publicly accessible apps built with Lovable from:

Each app was scanned using ScanVibe's full security suite, which checks: SSL/TLS, security headers, exposed secrets, JavaScript libraries, exposed files, Supabase configuration, Firebase configuration, and authentication endpoints.

We only scanned publicly accessible URLs. No login credentials were used, and no data was modified.


The Results at a Glance

Apps scanned: 50
Average score: 38/100 (Grade D)
Apps with critical issues: 84%
Grade A or B: 6%
Grade D or F: 68%
Most common vulnerability: missing RLS

84% of Lovable apps we scanned have at least one critical security vulnerability.

The 5 Most Common Vulnerabilities

Missing Supabase Row Level Security: 39 out of 50 apps affected (78%)
Missing Security Headers: 37 out of 50 apps affected (74%)
Exposed API Keys in Source Code: 31 out of 50 apps affected (62%)
Outdated JavaScript Libraries: 28 out of 50 apps affected (56%)
Weak Authentication Setup: 22 out of 50 apps affected (44%)

1. Missing Supabase Row Level Security — 78% of apps

This is the single biggest security issue in the Lovable ecosystem. 39 out of 50 apps had at least one Supabase table without RLS enabled.

Without RLS, anyone who knows your Supabase URL and anon key (which is in the client-side code by design) can read, modify, or delete all data in those tables. User data, payment information, private messages — all exposed.

Why it happens: Lovable generates Supabase tables to get your app working quickly. Enabling RLS requires writing PostgreSQL policies, which adds complexity that the AI typically skips.
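As an added example (not code from the ScanVibe post, Lovable or Supabase), here is the audit-then-fix sequence a developer would run in the Supabase SQL editor: first list which public tables still have RLS off, then enable RLS on one of them and add owner-scoped policies. The table `public.messages` and its `user_id` column are assumed for illustration; `auth.uid()` is Supabase's built-in helper that returns the calling user's id from the JWT.

```sql
-- Added example, not from the original post. Assumes a table
-- public.messages with a user_id column holding the row owner's auth id.

-- 1. Audit: list every table in the public schema where RLS is disabled.
--    With the anon key in the client bundle, each of these is readable
--    and writable by anyone until RLS is turned on.
select n.nspname as schema_name, c.relname as table_name
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where c.relkind = 'r'
  and n.nspname = 'public'
  and not c.relrowsecurity;

-- 2. Enable RLS. Once enabled with no policies, the anon and
--    authenticated roles get no rows at all (default deny);
--    service_role still bypasses RLS and must never ship to the client.
alter table public.messages enable row level security;

-- 3. Policies: a signed-in user may only read and change their own rows.
--    USING filters existing rows; WITH CHECK validates new/updated rows.
create policy "messages_select_own" on public.messages
  for select to authenticated
  using (auth.uid() = user_id);

create policy "messages_insert_own" on public.messages
  for insert to authenticated
  with check (auth.uid() = user_id);

create policy "messages_update_own" on public.messages
  for update to authenticated
  using (auth.uid() = user_id)
  with check (auth.uid() = user_id);

create policy "messages_delete_own" on public.messages
  for delete to authenticated
  using (auth.uid() = user_id);

-- 4. Apply RLS to the table owner as well, so a connection running as
--    the owner role cannot silently bypass the policies above.
alter table public.messages force row level security;

-- 5. Verify: the table should now report RLS on and four policies.
select relrowsecurity, relforcerowsecurity
from pg_class where oid = 'public.messages'::regclass;
select policyname, cmd from pg_policies
where schemaname = 'public' and tablename = 'messages';
```

Re-running the audit query in step 1 should no longer list the table; any table still listed needs the same treatment before the app goes live.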

2. Missing Security Headers — 74% of apps

37 apps were missing critical security headers like Content-Security-Policy, X-Frame-Options, and Strict-Transport-Security.

Without these headers, apps are vulnerable to cross-site scripting (XSS), clickjacking, and man-in-the-middle attacks.

Why it happens: Lovable deploys to Vercel or similar platforms that don't add security headers by default. The AI doesn't generate header configurations because they aren't needed for the app to "work."

3. Exposed API Keys in Source Code — 62% of apps

31 apps had at least one API key visible in the client-side JavaScript bundle. While Supabase anon keys are designed to be public (when RLS is enabled), we also found:

OpenAI API keys exposed: 5
Stripe secret keys exposed: 3
Other service keys exposed: 10

These keys can be extracted in seconds using browser DevTools.

4. Outdated JavaScript Libraries — 56% of apps

28 apps used JavaScript packages with known security vulnerabilities (CVEs). The most common:

5. Weak Authentication Setup — 44% of apps

22 apps with authentication had issues:


Score Distribution

Here's how the 50 apps scored on our A-F scale:

Grade A: 1 (2%)
Grade B: 2 (4%)
Grade C: 13 (26%)
Grade D: 20 (40%)
Grade F: 14 (28%)

The median score is 41/100 — a low D grade. Only 3 apps scored B or above.

The 3 Apps That Got It Right

Three apps stood out with good security practices. What did they have in common?

All 3 secure apps shared these traits:
1. RLS enabled on all Supabase tables with proper policies
2. Security headers configured in their deployment
3. No exposed secret keys in client-side code
4. Rate limiting on authentication endpoints
5. Developers had manually reviewed the AI-generated code

The takeaway: vibe-coded apps can be secure, but it requires intentional security work after generation.


What This Means for Lovable Users

If you've built an app with Lovable, chances are it has security issues. Here's what to do:

Immediate Actions (5 minutes)

  1. Scan your app with ScanVibe — it's free and takes 30 seconds
  2. Check your security grade and review the findings
  3. If you see "Missing RLS" — this is your #1 priority

Priority Fixes (30 minutes)

  1. Enable RLS on all Supabase tables — go to your Supabase dashboard, navigate to each table, and enable RLS
  2. Add security headers — create a vercel.json with security headers (see our fix instructions)
  3. Move secret keys to environment variables — never put secret keys in client-side code

Ongoing Protection

  1. Set up weekly security scans
  2. Re-scan after every major update
  3. Review AI-generated code for security patterns before deploying

A Note to the Lovable Team

We want to be clear: Lovable is an incredible product. It's democratizing software development and enabling people to build apps that were previously impossible without a development team.

But with great power comes great responsibility. We'd love to see:

We're reaching out to Lovable's team to discuss how we can help their users build more secure apps.


Scan Your Lovable App Now

Don't be one of the 84%. Scan your app for free with ScanVibe and find out your security grade in 30 seconds.

Your AI built it. We check if it's safe.


Methodology note: This study was conducted in March 2026. All apps were publicly accessible at the time of scanning. We did not attempt to exploit any vulnerability. Apps were selected based on public availability, not to target specific developers. Individual scan results were not published to protect app owners.
