Scanned my Lovable app for security issues - here's what I found
Been building with Lovable for a while and got paranoid about security before onboarding paying users.
Ran my app through a security scanner and found:
- Supabase anon key visible in page source
- Missing security headers (X-Frame-Options, CSP)
- CORS set to wildcard (*)
- Admin routes publicly accessible
None of these were obvious from inside Lovable. The app worked perfectly; it just had holes. Fixed all of them using Claude Code prompts. Took about 20 minutes total.
Has anyone else audited their Lovable app before launch? What did you find?
u/Direct_Classic2484 — 10 days ago
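An added example, not code from the post or from Lovable or Supabase: a small dependency-free Node script that checks your own deployment's responses for three of the four findings listed above (missing CSP and frameability, wildcard CORS, an admin route served without authentication), using constructed sample header sets; `https://app.example` and `/admin` are placeholders. The anon-key item has no header check: Supabase's anon key is designed to be shipped to the browser, and what protects the data behind it is row-level security on every table it can reach, so that is what to verify for that finding.

```javascript
// Added example, not code from the post or from Lovable/Supabase.
// Dependency-free checks for three of the findings in the post, written to be
// run against your OWN deployment before launch. Sample inputs are constructed;
// "https://app.example" and "/admin" are placeholders.

// Lower-case header names so lookups work regardless of how they were captured.
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = String(value);
  }
  return out;
}

// Audit one response's headers. Returns a list of { id, severity, message };
// an empty list means none of the header findings apply.
function auditHeaders(rawHeaders) {
  const h = normalizeHeaders(rawHeaders);
  const findings = [];
  const csp = h['content-security-policy'] || '';

  if (!csp) {
    findings.push({
      id: 'missing-csp', severity: 'medium',
      message: "No Content-Security-Policy; start from default-src 'self' and tighten.",
    });
  }

  // Framing is blocked by either X-Frame-Options or CSP frame-ancestors;
  // with neither present any site can frame the app (clickjacking).
  if (!h['x-frame-options'] && !/frame-ancestors/i.test(csp)) {
    findings.push({
      id: 'clickjacking', severity: 'medium',
      message: "Neither X-Frame-Options nor CSP frame-ancestors set; add frame-ancestors 'none' (or DENY).",
    });
  }

  if (h['access-control-allow-origin'] === '*') {
    findings.push({
      id: 'cors-wildcard', severity: 'medium',
      message: 'Access-Control-Allow-Origin: *; restrict to your own origin(s) unless the endpoint is intentionally public.',
    });
  }
  return findings;
}

// An unauthenticated request to an admin route should be refused (401/403)
// or redirected to a login page (3xx with Location), never served (2xx).
function auditAdminRoute(path, status, location) {
  if (status === 401 || status === 403) return { path, ok: true };
  if (status >= 300 && status < 400 && location) {
    return { path, ok: true, note: 'redirected to ' + location };
  }
  return {
    path, ok: false, id: 'admin-route-public', severity: 'high',
    message: `${path} returned ${status} without authentication`,
  };
}

// Live check against your own deployment (Node 18+ ships a global fetch).
async function auditUrl(baseUrl, adminPaths = ['/admin']) {
  const home = await fetch(baseUrl, { redirect: 'manual' });
  const headers = auditHeaders(Object.fromEntries(home.headers.entries()));
  const admin = [];
  for (const p of adminPaths) {
    const res = await fetch(new URL(p, baseUrl), { redirect: 'manual' });
    admin.push(auditAdminRoute(p, res.status, res.headers.get('location')));
  }
  return { headers, admin };
}

// Constructed samples: roughly what the post's "before" and a hardened "after" look like.
const WEAK_HEADERS = {
  'Content-Type': 'text/html; charset=utf-8',
  'Access-Control-Allow-Origin': '*',
};
const HARDENED_HEADERS = {
  'Content-Type': 'text/html; charset=utf-8',
  'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'",
  'X-Frame-Options': 'DENY',
  'Access-Control-Allow-Origin': 'https://app.example', // placeholder origin
};

if (typeof require !== 'undefined' && require.main === module) {
  const target = process.argv[2];
  if (target) {
    auditUrl(target).then((r) => console.log(JSON.stringify(r, null, 2)));
  } else {
    console.log('weak:', auditHeaders(WEAK_HEADERS));
    console.log('hardened:', auditHeaders(HARDENED_HEADERS));
  }
}
```

Run it as `node audit.js https://your-deployment` to fetch live headers, or with no argument to see the constructed weak and hardened sets. One caveat for Lovable-style single-page apps: the static host returns 200 with `index.html` for every path, so `auditAdminRoute()` will flag `/admin` even when the admin page itself is harmless; in that case the enforcement to verify is on the API the admin page calls (row-level security and edge-function auth), not on the page route.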