<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Romain Durieux</title>
    <description>The latest articles on DEV Community by Romain Durieux (@romain_durieux_f617a147f5).</description>
    <link>https://dev.to/romain_durieux_f617a147f5</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F4019360%2Fffd378f4-9503-41d5-9ccb-550786ec0200.png</url>
      <title>DEV Community: Romain Durieux</title>
      <link>https://dev.to/romain_durieux_f617a147f5</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/romain_durieux_f617a147f5"/>
    <language>en</language>
    <item>
      <title>I scanned 15 public Lovable apps. 40% load their database in the browser.</title>
      <dc:creator>Romain Durieux</dc:creator>
      <pubDate>Sun, 12 Jul 2026 18:24:01 +0000</pubDate>
      <link>https://dev.to/romain_durieux_f617a147f5/i-scanned-15-public-lovable-apps-40-load-their-database-in-the-browser-3c2p</link>
      <guid>https://dev.to/romain_durieux_f617a147f5/i-scanned-15-public-lovable-apps-40-load-their-database-in-the-browser-3c2p</guid>
      <description>&lt;p&gt;No hacking — a passive scan only looks at what your browser already downloads when it opens a page. Here's what I found:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;6 of 15 load their Supabase database directly client-side. The public API key sits in the page source. That's fine if Row-Level Security is configured right — but it's one wrong setting away from "anyone can read the whole table."&lt;/li&gt;
&lt;li&gt;14 of 15 ship no Content-Security-Policy — a simple, high-value hardening against script injection, almost always missing.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Is this theoretical? No. Two apps I audited with the owner's permission:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;A social app: the profiles table — user names, cities, and a password hash — readable by a logged-out stranger. Closed in an afternoon.&lt;/li&gt;
&lt;li&gt;A paid learning app: 155 paid study sheets and 4,872 answers were readable by anyone, with no account and no subscription — its entire paid catalogue, a single API call away. The paywall lived only in the front-end; the database served everything to everyone.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Loading Supabase in the browser isn't the mistake. Not enforcing access in the database (RLS) is. And the tools you build with won't tell you — they'll happily ship it.&lt;/p&gt;

&lt;p&gt;If you built something on Lovable / Bolt / Replit with real users (or paying ones), it's worth 60 seconds to check what a stranger can already see. I made a free tool that runs the surface check (passive, no signup): sealdy.dev&lt;/p&gt;

&lt;p&gt;Happy to answer questions on how RLS leaks happen and how to lock them down.&lt;/p&gt;

</description>
      <category>cybersecurity</category>
      <category>database</category>
      <category>security</category>
      <category>webdev</category>
    </item>
  </channel>
</rss>
