Get your Lovable app reviewed before Supabase, RLS or secrets become a risk
Lovable builds your app in hours, and it works. Whether it is also production ready is decided at Supabase, RLS and secrets. Veriploy reviews exactly those points as a Lovable security audit, ranks what is genuinely critical, and then keeps repo, CVEs and infrastructure under ongoing technical oversight.
- Snapshot from 249 €
- Supabase, RLS and secrets in focus
- Repo + CVE + infrastructure
- German point of contact
Technical point of contact
Timo Wevelsiep
Software engineer, cloud architect, founder & managing director
I review code, security and infrastructure and surface what is technically risky before launch, customer use or due diligence.
For questions like:
- Is this release ready for production?
- Which CVEs are really critical?
- Will the architecture carry the next users?
Lovable apps work fast, but production has its own rules
Lovable gets you to an app that runs in a demo in record time. That same speed skips decisions that only become a problem in front of real users. These are the gaps we see most often in Lovable apps:
- Login exists, but access to the data itself is not protected
- Supabase RLS disabled or set with overly permissive policies
- Keys in the frontend bundle that every visitor can read
- Server-side validation missing, the client is treated as trusted
- Edge Functions without auth checks or input validation
- Deployment without security headers, CORS rules and rate limits
- No monitoring, no logging and no backup plan
- Dependencies with known CVEs that nobody updates anymore
Supabase and RLS: login is not access protection
Lovable wires Supabase in as the backend, and login works straight away. That does not mean the data is protected. Authentication only answers who someone is. Authorisation answers what that person may see and change. In Supabase, that second layer lives in the Row Level Security policies, and during fast building they often go unset or incomplete.
If RLS is disabled, a logged-in user can query more through the openly reachable API than the interface shows. The table then returns rows that actually belong to other tenants. Policies that are enabled but too broad are a risk too: a rule that only checks whether someone is logged in does not separate one tenant from another.
We check whether RLS is enabled on all relevant tables, whether the per-user or per-tenant policies actually isolate, and whether any tables are accidentally reachable in the open. We rank every finding by severity so you can see what is genuinely production critical.
Secret handling: anon key, service_role key and third-party keys
Supabase has two keys with very different reach. The anon key belongs in the frontend on purpose and is only safe in combination with active RLS policies. The service_role key bypasses RLS entirely and must never reach the client. That exact mix-up happens during fast building, and then a key with full access sits in the bundle that every visitor can open.
On top of that come third-party keys: OpenAI keys for AI features, Stripe secrets for payments, tokens for email or storage. If these end up in the client or in the repository, someone can read them and use them on your bill. With payment and AI APIs that quickly turns into direct financial damage.
We look for keys in the frontend bundle, in the Git history and in the configuration, check whether the service_role key stays safely server-side, and show which calls should run through an Edge Function instead of directly from the browser.
Edge Functions and server-side validation
As soon as a Lovable app does more than display data, Supabase Edge Functions come into play: for payments, AI calls or actions that must not happen in the browser. But an Edge Function only protects you if it checks for itself who is calling and with what data. Otherwise it just moves the problem from the client to the server.
Typically the function does not re-check the caller's identity, passes input straight to the database or a third party without validation, or assumes only its own interface calls it. Anyone who knows the endpoint can call it directly, though. Server-side validation means the function distrusts every input, no matter where the call comes from.
We look at whether Edge Functions check auth correctly, validate input and use the service_role key only where needed, and whether critical actions are really decided server-side instead of in the browser.
Deployment: headers, CORS, rate limits, monitoring and backups
A working app is not yet an operable app. What sits between deploy and real operation is often missing entirely in Lovable projects. We review that operations layer with:
- Security headers such as Content-Security-Policy and HSTS set
- CORS rules kept tight instead of opened to all origins
- Rate limits on login, API and Edge Function endpoints
- Monitoring and logging so errors and attacks become visible
- Backups of the Supabase database with a tested recovery path
- Separation of environments so test and live data do not mix
What Lovable scans do and where Veriploy adds value
Lovable ships its own security checks, and those are a good start. A scanner finds plenty of findings: it flags a missing policy, an exposed key or an outdated dependency. What a scanner does not do is rank them, the way a manual Lovable code review does. It does not tell you which finding genuinely endangers you in front of real users and which one can wait.
That is exactly where Veriploy comes in. We take the findings, rank them by production criticality and translate them into a clear order: what must be fixed now, what matters before the next release and what stays uncritical. This human prioritisation does not replace the Lovable scan, it makes it usable.
And because Lovable apps change with every prompt, it does not stop at a one-off look. You get the app reviewed once (Snapshot or Baseline) and then keep repo, CVEs and infrastructure under ongoing technical oversight with Watch, Guard or Launch. That keeps the risk dashboard current instead of going stale with the next feature.
What a finding looks like
Supabase RLS for the invoices table is incomplete, users could see other tenants' invoices. Recommendation: enforce a policy per user_id.
Lovable scan or ongoing oversight by Veriploy?
| Lovable scan | Veriploy ongoing | |
|---|---|---|
| Result | List of findings with no order | Findings ranked by production criticality |
| RLS and secrets | Detected automatically where patterns match | Reviewed manually for real tenant isolation |
| CVEs and dependencies | State on the scan run | Ongoing monitoring with heads-ups |
| Infrastructure and operations | Only partly in view | Headers, CORS, rate limits, backups reviewed too |
| Before a release | Another scan needed | Human judgement included in the plan |
Frequently asked questions
Is this a penetration test?
No. Veriploy is an ongoing technical review of repo, security, CVEs and infrastructure, not a classic pentest. As a Lovable security audit we look especially at Supabase, RLS and secrets. A pentest can complement it when you want to simulate targeted attacks.
Do you also do the fixes?
Not within the plan. We review, prioritise and explain what needs to be done, for example how an RLS policy should look or how a key ends up safely server-side. Implementation runs separately through Wevelsiep Advisory or WZ-IT, or your own team. That keeps the review independent from the implementation.
Do you need repo access?
Yes, read-only by default. Read access to the repository and a look at the Supabase configuration are enough for the review. We do not need write access, because we do not commit the fixes ourselves.
Does this replace the Lovable security scan?
No, it complements it. The Lovable scan finds findings, which is a good start. Veriploy ranks which of them are production critical in front of real users and then keeps repo, CVEs and infrastructure under ongoing oversight. Scanner and human prioritisation work together.
What does it cost?
The entry point is fixed: Snapshot 249 € and Baseline 490 € as one-off reviews. Ongoing oversight starts at 299 € per month (Watch), then Guard at 749 € and Launch at 1.490 € per month. All prices are net plus VAT, plans cancellable monthly.
- Get your AI app reviewed, with ongoing technical oversight instead of a one-off gut check
- Get your Bolt app reviewed before architecture and auth become a problem
- Get your Supabase RLS reviewed before user data leaks through the wrong policies
- Vibe coding security audit, plus ongoing control as the code keeps growing
Get your Lovable app reviewed and keep it monitored afterwards.
Start with Snapshot or Baseline, then ongoing oversight in the plan that fits.