Lovable Security Guide

Complete security checklist for every Lovable.dev project.

The Problem

Lovable.dev generates Supabase-powered apps with polished UIs, but often without Row Level Security (RLS) policies on the tables it creates. Your Supabase project URL and anon key are necessarily shipped in the frontend bundle, so anyone who pulls them out of the page source can call the auto-generated REST API directly, bypassing your UI. On a table without RLS that anon key can read, insert, update and delete every row.

Security Checklist

1. Enable RLS on every table

-- ENABLE turns RLS on for every role except the table owner and roles with
-- BYPASSRLS (the service_role key still sees everything).
-- FORCE applies RLS to the table owner as well, so a connection made as the
-- owner cannot silently bypass it.
ALTER TABLE public.your_table ENABLE ROW LEVEL SECURITY;
ALTER TABLE public.your_table FORCE ROW LEVEL SECURITY;

2. Add restrictive policies

Once RLS is enabled the table is default-deny: a role sees and changes nothing until a policy grants it. Write one policy per operation and scope each to the row owner. A SELECT-only policy like the one below leaves INSERT, UPDATE and DELETE blocked, which is the right starting point; add WITH CHECK policies for writes only where the app needs them.

CREATE POLICY "Users can only read own data"
  ON public.your_table FOR SELECT
  -- auth.uid() is NULL for anonymous callers, so no row matches for the anon key
  USING (auth.uid() = user_id);

3. Check auth configuration

  • Disable enable_signup if your app is invite-only; otherwise anyone can register and become an authenticated user that your policies trust
  • Never enable autoconfirm in production: it skips email verification, so a user can register with an address they do not control
  • Set the Site URL and an explicit allow-list of redirect URLs in the Supabase dashboard; auth only redirects (carrying the session tokens) to URLs on that list, which stops a crafted link from sending a user's tokens to an attacker's site

4. Secure storage buckets

  • Create buckets private by default; a public bucket serves any object to anyone who guesses or leaks its path
  • Add RLS policies to storage.objects, exactly as for your tables; objects in a private bucket are reachable only through a policy that matches the caller
  • Serve files through short-lived signed URLs rather than handing out object paths directly
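The four steps above, carried through for one table and one bucket. This is an added example written for this guide, not SQL generated by Lovable or shipped by Supabase. It assumes a table public.notes owned by user_id, a private bucket named user-files, and the convention that each object is stored under a path whose first folder is the owner's user id; all three are illustrative choices. It runs as-is in the Supabase SQL editor or as a migration, and ends with a check that flags any remaining table in public that is not protected.

```sql
-- Added example: full RLS setup for one user-owned table plus a private bucket.
-- Assumed names: public.notes, bucket 'user-files', object paths '<user_id>/<file>'.

create table if not exists public.notes (
  id         bigint generated always as identity primary key,
  user_id    uuid not null default auth.uid() references auth.users (id) on delete cascade,
  body       text not null,
  created_at timestamptz not null default now()
);

-- 1. Turn RLS on. FORCE also applies it to the table owner.
alter table public.notes enable row level security;
alter table public.notes force row level security;

-- 2. Default-deny means nothing is visible until a policy grants it.
--    Every policy is scoped TO authenticated, so the anon role never matches.
--    (select auth.uid()) is evaluated once per query instead of once per row.
create policy "notes: owner can read"
  on public.notes for select
  to authenticated
  using ((select auth.uid()) = user_id);

create policy "notes: owner can insert"
  on public.notes for insert
  to authenticated
  with check ((select auth.uid()) = user_id);   -- cannot insert rows for someone else

create policy "notes: owner can update"
  on public.notes for update
  to authenticated
  using ((select auth.uid()) = user_id)
  with check ((select auth.uid()) = user_id);   -- cannot reassign a row to another user

create policy "notes: owner can delete"
  on public.notes for delete
  to authenticated
  using ((select auth.uid()) = user_id);

-- 4. Private bucket. Policies on storage.objects gate reads and writes by the
--    first path segment, which must equal the caller's user id.
insert into storage.buckets (id, name, public)
values ('user-files', 'user-files', false)
on conflict (id) do nothing;

create policy "user-files: owner can read"
  on storage.objects for select
  to authenticated
  using (bucket_id = 'user-files'
         and (storage.foldername(name))[1] = (select auth.uid())::text);

create policy "user-files: owner can upload"
  on storage.objects for insert
  to authenticated
  with check (bucket_id = 'user-files'
              and (storage.foldername(name))[1] = (select auth.uid())::text);

create policy "user-files: owner can delete"
  on storage.objects for delete
  to authenticated
  using (bucket_id = 'user-files'
         and (storage.foldername(name))[1] = (select auth.uid())::text);

-- Check: any table in public without RLS, or with RLS enabled but not forced,
-- is a finding. An empty result means step 1 is complete for the schema.
select c.relname,
       c.relrowsecurity   as rls_enabled,
       c.relforcerowsecurity as rls_forced
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where n.nspname = 'public'
  and c.relkind = 'r'
  and (not c.relrowsecurity or not c.relforcerowsecurity);
```

Reads from the frontend then go through the anon key with the user's session JWT attached; the USING clauses decide row by row, and the WITH CHECK clauses stop a user from writing a row, or moving an object, into someone else's space. Files are fetched with signed URLs created against the user-files bucket, so no object path is ever public.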

5. Scan with Aphido

The fastest way to find all these issues is to scan your app with Aphido. It takes 60 seconds and checks everything on this list automatically.