Lovable app security review

Security review for apps built with Lovable.

Lovable produces a working full-stack app fast, usually on Supabase. The security model lags behind the features. This review focuses on where Lovable apps fail: Supabase Row Level Security, client-side keys, route protection, and edge functions.

What security issues are common in Lovable apps?

Supabase Row Level Security is the top risk

Lovable apps run on Supabase, and the most common critical finding is RLS that is disabled or too permissive. When RLS is missing, the public anon key lets anyone read and write every table, so customer data is effectively open.

The client key is fine only when RLS is right

Lovable ships the Supabase anon key in the browser, which is by design. It is safe only if Row Level Security is enabled and scoped to the authenticated user on every table. The public key plus missing RLS is the failure pattern.
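A concrete way to test the "public key plus missing RLS" pattern on your own project is to ask PostgREST, with nothing but the anon key, whether each table hands back rows. The block below is an added example, not Lovable's or Supabase's code: it takes an injectable fetch so it runs offline against a constructed fake, and it returns the owner-scoped policy migration the review would hand back for an exposed table. The project URL, anon key, table names and the `user_id` owner column are all assumptions.

```typescript
// Added example (not Lovable's or Supabase's own code): a self-audit that asks,
// for each table in your own project, whether the public anon key can read it
// with no user session. A table that answers with rows has RLS off or a policy
// that is too permissive. The /rest/v1/<table> path and the apikey /
// Authorization headers are the Supabase PostgREST conventions; fetch is
// injectable so the check can run offline against a fake.

type FetchLike = (
  url: string,
  init: { headers: Record<string, string> },
) => Promise<{ status: number; json: () => Promise<unknown> }>;

interface ExposureFinding {
  table: string;
  exposed: boolean;
  detail: string;
}

async function auditAnonExposure(
  projectUrl: string,
  anonKey: string,
  tables: string[],
  fetchImpl: FetchLike,
): Promise<ExposureFinding[]> {
  const findings: ExposureFinding[] = [];
  for (const table of tables) {
    const base = projectUrl.replace(/\/$/, "");
    const url = `${base}/rest/v1/${encodeURIComponent(table)}?select=*&limit=1`;
    const res = await fetchImpl(url, {
      headers: { apikey: anonKey, Authorization: `Bearer ${anonKey}` },
    });
    if (res.status !== 200) {
      findings.push({ table, exposed: false, detail: `HTTP ${res.status} without a session` });
      continue;
    }
    const body = await res.json();
    const rows = Array.isArray(body) ? body.length : 0;
    // RLS enabled with no policy for anon yields 200 and an empty array, not an
    // error, so an empty result is not proof of exposure (nor of safety: the
    // table could simply be empty).
    findings.push(
      rows > 0
        ? { table, exposed: true, detail: "anon key returned rows with no user session" }
        : { table, exposed: false, detail: "200 but no rows: RLS with no anon policy, or an empty table" },
    );
  }
  return findings;
}

// Remediation for an exposed table: enable RLS and scope every operation to the
// row owner via auth.uid(). The owner column name is an assumption.
function ownerScopedRlsSql(table: string, ownerColumn = "user_id"): string {
  const t = `public.${table}`;
  const owns = `auth.uid() = ${ownerColumn}`;
  return [
    `alter table ${t} enable row level security;`,
    `create policy "${table}_owner_select" on ${t} for select using (${owns});`,
    `create policy "${table}_owner_insert" on ${t} for insert with check (${owns});`,
    `create policy "${table}_owner_update" on ${t} for update using (${owns}) with check (${owns});`,
    `create policy "${table}_owner_delete" on ${t} for delete using (${owns});`,
  ].join("\n");
}

// Constructed fake PostgREST: "orders" has no RLS and leaks a row, "profiles"
// has RLS with no anon policy, "secrets" rejects the request outright.
const fakeSupabaseFetch: FetchLike = async (url) => {
  if (url.includes("/rest/v1/orders")) {
    return { status: 200, json: async () => [{ id: 1, customer_email: "a@example.com" }] };
  }
  if (url.includes("/rest/v1/profiles")) {
    return { status: 200, json: async () => [] };
  }
  return { status: 401, json: async () => ({ message: "permission denied" }) };
};

// Placeholder project URL and anon key; replace with your own project's values.
async function runAudit(): Promise<ExposureFinding[]> {
  return auditAnonExposure(
    "https://example-project.supabase.co",
    "ANON_KEY_PLACEHOLDER",
    ["orders", "profiles", "secrets"],
    fakeSupabaseFetch,
  );
}
```

Run it with the real `fetch` and your own project URL and anon key to reproduce the check; a table reported as exposed is the one to fix first, and the generated policy set is the minimum shape of "scoped to the authenticated user on every table".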

Routes and edge functions need server-side checks

Hiding an admin route in the UI is not protection. Confirm routes check the session server-side and that Supabase edge functions validate the user instead of trusting a client-provided user or org ID.
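The edge-function check in practice: the acting user must come from the verified access token, never from a `user_id` or `org_id` in the request body. The block below is an added example, not Lovable's or Supabase's code. It assumes the project's access tokens are HS256 JWTs signed with the project JWT secret (the legacy Supabase default), and that the handler receives a plain object with lowercase headers and a parsed JSON body rather than a Deno `Request`; the secret and the token-minting helper exist only to build test fixtures.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Added example, not code from Lovable or Supabase. Shows the pattern the review
// looks for in an edge function: identity is derived from the verified token,
// and any user_id supplied by the client is ignored.
// Assumptions: HS256 JWTs signed with the project JWT secret; a plain request
// object instead of a Deno Request.

interface IncomingRequest {
  headers: Record<string, string>;
  body: Record<string, unknown>;
}

interface Claims {
  sub: string;
  exp: number;
  role?: string;
}

const b64url = (buf: Buffer): string => buf.toString("base64url");

function decodeSegment(seg: string): Record<string, unknown> | null {
  try {
    return JSON.parse(Buffer.from(seg, "base64url").toString("utf8"));
  } catch {
    return null;
  }
}

// Verify an HS256 JWT and return its claims, or null if anything is off.
// The signature is checked before the header is even read, so the token
// cannot choose its own algorithm.
function verifyHs256Jwt(token: string, secret: string, now = Math.floor(Date.now() / 1000)): Claims | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const [h, p, s] = parts;
  const expected = createHmac("sha256", secret).update(`${h}.${p}`).digest();
  const given = Buffer.from(s, "base64url");
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  const header = decodeSegment(h);
  const claims = decodeSegment(p);
  if (!header || !claims || header.alg !== "HS256") return null;
  const { sub, exp, role } = claims;
  if (typeof sub !== "string" || typeof exp !== "number" || exp <= now) return null;
  return { sub, exp, role: typeof role === "string" ? role : undefined };
}

// Before: trusts whatever user_id the client sends, so any caller can act as any user.
function handleInsecure(req: IncomingRequest): { status: number; actingAs?: string } {
  const userId = req.body.user_id;
  if (typeof userId !== "string") return { status: 400 };
  return { status: 200, actingAs: userId };
}

// After: the acting user is the verified token subject; body.user_id is never read.
function handleSecure(
  req: IncomingRequest,
  jwtSecret: string,
  now?: number,
): { status: number; actingAs?: string } {
  const auth = req.headers["authorization"] ?? "";
  if (!auth.startsWith("Bearer ")) return { status: 401 };
  const claims = verifyHs256Jwt(auth.slice("Bearer ".length), jwtSecret, now);
  if (!claims) return { status: 401 };
  // The anon key is itself a validly signed JWT with role "anon"; only a
  // signed-in session carries role "authenticated".
  if (claims.role !== "authenticated") return { status: 401 };
  return { status: 200, actingAs: claims.sub };
}

// Constructed fixtures: a throwaway secret and a helper that mints tokens with it.
const DEMO_SECRET = "demo-jwt-secret-not-a-real-project-value";

function mintToken(claims: Claims, secret: string): string {
  const h = b64url(Buffer.from(JSON.stringify({ alg: "HS256", typ: "JWT" })));
  const p = b64url(Buffer.from(JSON.stringify(claims)));
  const s = b64url(createHmac("sha256", secret).update(`${h}.${p}`).digest());
  return `${h}.${p}.${s}`;
}
```

In a real Deno edge function the same effect comes from passing the caller's `Authorization` header into a Supabase client and reading the user from `auth.getUser()`; what matters for the review is that the user or org identifier used for authorization is the one the token proves, not the one the body claims.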

What the review checks in a Lovable app

The review asks the same readiness questions as for any AI-built app, tuned for the Lovable and Supabase stack.

For the deepest single failure mode, see the focused Supabase RLS review for AI apps.
