Supabase RLS review

Supabase Row Level Security is where AI apps leak data.

Most AI-built apps that use Supabase get the features right and the data rules wrong. Because the anon key is public, a single table without Row Level Security exposes your whole database. This is the most common critical finding we see.

Why is RLS the most common failure in AI-built apps?

The anon key is public by design

Supabase ships the anon key to the browser on purpose. Security does not come from hiding the key; it comes from Row Level Security policies on the database. AI tools often skip or loosen those policies, so the public key effectively grants full access to the data.

Missing RLS means open data

A table with RLS disabled, or a policy that returns all rows, lets anyone with the anon key read and write every record. Customer emails, internal tasks, and other tenants' data become available to anyone who opens the network tab.

Working queries hide the problem

The app demos perfectly because the queries run. The failure is invisible until someone changes a user ID in a request, which is why missing RLS survives until a real review or a real breach.

How to verify Supabase RLS

Check each item against the live database, not just the migration files.
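As an added example (not from the original page), the checks below run directly against the live database in the SQL editor or psql: the first two list tables and policies that the anon key can reach, and the rest show a permissive policy next to a corrected one. The table public.tasks and its user_id column are assumptions for illustration.

```sql
-- 1. Tables in the exposed schema with RLS disabled.
--    Every row returned here is fully readable and writable with the anon key.
SELECT n.nspname AS schema_name, c.relname AS table_name
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE c.relkind = 'r'
  AND n.nspname = 'public'
  AND NOT c.relrowsecurity;

-- 2. Policies that match every row. A USING or WITH CHECK clause of
--    "true" is equivalent to RLS being off for that command.
SELECT schemaname, tablename, policyname, cmd, roles, qual, with_check
FROM pg_policies
WHERE schemaname = 'public'
  AND (qual = 'true' OR with_check = 'true');

-- Weak shape (what the checks above flag): RLS is technically enabled,
-- but the policy lets any role, including anon, see and change all rows.
-- ALTER TABLE public.tasks ENABLE ROW LEVEL SECURITY;
-- CREATE POLICY tasks_all ON public.tasks FOR ALL USING (true);

-- Corrected shape for the hypothetical public.tasks table:
-- only signed-in users, and each one only for rows they own.
ALTER TABLE public.tasks ENABLE ROW LEVEL SECURITY;

CREATE POLICY tasks_select_own ON public.tasks
  FOR SELECT TO authenticated
  USING ((SELECT auth.uid()) = user_id);

CREATE POLICY tasks_insert_own ON public.tasks
  FOR INSERT TO authenticated
  WITH CHECK ((SELECT auth.uid()) = user_id);

CREATE POLICY tasks_update_own ON public.tasks
  FOR UPDATE TO authenticated
  USING ((SELECT auth.uid()) = user_id)
  WITH CHECK ((SELECT auth.uid()) = user_id);

CREATE POLICY tasks_delete_own ON public.tasks
  FOR DELETE TO authenticated
  USING ((SELECT auth.uid()) = user_id);
```

Because no policy is granted to the anon role, an unauthenticated request with the public key returns zero rows, which is the behaviour to confirm by re-running the two checks and then querying the table as anon.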

RLS is one finding inside a full review. See the broader AI-built app security checklist for the rest.
