« All posts

I Scanned 15 Public Lovable Apps

A scan of 15 Lovable apps reveals security risks, including public database access and lack of Content-Security-Policy.

I conducted a passive scan of 15 applications to see what data is loaded by the browser. Six of these apps load their Supabase database client-side, which can lead to significant security risks if not configured properly. Additionally, 14 out of 15 apps lack a Content-Security-Policy, a crucial defense against script injection. One app exposed user data publicly, while another made its entire paid content accessible without a subscription.