DEV Community

Romain Durieux
Romain Durieux

Posted on

I scanned 15 public Lovable apps. 40% load their database in the browser.

No hacking — a passive scan only looks at what your browser already downloads when it opens a page. Here's what I found:

  • 6 of 15 load their Supabase database directly client-side. The public API key sits in the page source. That's fine if Row-Level Security is configured right — but it's one wrong setting away from "anyone can read the whole table."
  • 14 of 15 ship no Content-Security-Policy — a simple, high-value hardening against script injection, almost always missing.

Is this theoretical? No. Two apps I audited with the owner's permission:

  1. A social app: the profiles table — user names, cities, and a password hash — readable by a logged-out stranger. Closed in an afternoon.
  2. A paid learning app: 155 paid study sheets and 4,872 answers were readable by anyone, with no account and no subscription — its entire paid catalogue, a single API call away. The paywall lived only in the front-end; the database served everything to everyone.

Loading Supabase in the browser isn't the mistake. Not enforcing access in the database (RLS) is. And the tools you build with won't tell you — they'll happily ship it.

If you built something on Lovable / Bolt / Replit with real users (or paying ones), it's worth 60 seconds to check what a stranger can already see. I made a free tool that runs the surface check (passive, no signup): sealdy.dev

Happy to answer questions on how RLS leaks happen and how to lock them down.

Top comments (0)