Security · 2h ago
40% of Lovable apps expose database in browser
A passive scan of 15 public Lovable-built apps found 6 load their Supabase database client-side with public API keys, risking data exposure if Row-Level Security is misconfigured. Two audited apps leaked user data and paid content: one exposed password hashes, another gave away its entire paid catalogue without authentication. The author created a free tool, sealdy.dev, to help developers check for such leaks.
Meridian48 take
The findings underscore a common pitfall in low-code platforms: convenience can mask critical security gaps, and developers must verify backend access controls rather than trusting the tool.
Read the full reporting
I scanned 15 public Lovable apps. 40% load their database in the browser. →
DEV Community
lovablesupabase