complyeah
Security scan · Lovable

Free security check for apps built with Lovable

Lovable makes it fast to ship a React + Supabase app - and just as fast to expose the wrong key or skip a guardrail. Run a free external check to catch the mistakes that are visible from the internet.

Free, no card. You verify you own the domain before anything runs.

Common Lovable security pitfalls we check

Supabase keys in the browser

The anon key is meant to be public, but the service_role key is not - and it's easy to paste the wrong one into client code. Our scan flags a service-role-shaped secret shipped to the front end.

Row Level Security left off

Without RLS, the public anon key can often read or write your whole database. We can't see your policies, but we do check for the exposed keys that make a missing policy dangerous.

Third-party API keys in the bundle

Stripe, OpenAI, and other secret keys hardcoded into the client are readable by anyone who opens dev tools.

Missing HTTPS hardening

No HSTS or clickjacking protection on your deployed domain.

The free scan covers the externally-visible issues above (exposed secrets, TLS, security headers, email-DNS). When a customer asks for SOC 2, the same account upgrades to the full $50 external pentest with an auditor-ready report.