free · read-only · built for Lovable apps

Your Lovable app is probably leaking data right now.

Lovable ships a Supabase backend with every app. If Row Level Security isn't on, your tables are readable by anyone with the URL — no login required. Scan yours free.

https://

read-only · we fetch only what your visitors' browsers already download

What breaks on Lovable apps

Lovable is the fastest way to ship a real app — and the fastest way to ship an open database. Here's what breaks most, and exactly how we check for it.

Open Supabase tables (no RLS)

Lovable wires Supabase in for you, but Row Level Security is off until you turn it on. Without it, your profiles, orders, and messages tables are readable by anyone who opens your app and reads the anon key — which is public by design. This is the single most common Lovable leak.

The anon key isn't the problem — the open table is

People panic about the Supabase anon key sitting in the bundle. It's supposed to be there. The real hole is a table with no policy behind it. We tell the two apart, so you fix the thing that actually matters instead of chasing a false alarm.

A new prompt can re-open a closed hole

You enable RLS, then ask Lovable for a new feature and it adds a table without a policy. That's why a one-time scan is a snapshot — continuous monitoring catches the regression the next day.