For detailed instructions about securing your applications built with Lovable, check our extensive guide on preparing your app for publishing and avoiding common issues.
API keys
Lovable writes frontend code, which means it runs in the browser. Therefore, no sensitive data of any kind should be stored in code. Instead, Lovable provides a secure secret storage functionality.
Automatic API key detection
To connect to third-party services, API keys or tokens are often needed. Whenever you paste an API key into the chat, Lovable will automatically detect it and warn you not to hardcode sensitive credentials directly into your frontend code. Instead of pasting API keys, describe what you’re trying to accomplish and Lovable will guide you through the secure implementation:
- Store your API key securely in Secrets storage.
- Create an Edge Function to make the API call server-side.
- Call that Edge Function from your frontend code.
RLS (Row Level Security)
RLS policies determine who can access what data in your database. We recommend you carefully review them before publishing your project, and keep revisiting and updating them as you develop the project.
Security scanning
Before publishing, Lovable displays security warnings from its advanced AI-powered security scanner and will ask you to confirm that you want to publish if there are any serious issues. We highly recommend you resolve all serious issues before publishing your projects, to keep your app’s data safe. Make sure to revisit the security review and perform a new round of it every time you change your app significantly.
Seeing no warnings or errors from the security scanner does not guarantee that there are no security issues in your app. We recommend you perform a thorough review of your app’s security using available tools before publishing, or hire a professional security consultant to audit the app if it deals with sensitive private data, provides critical functions, or a potential data breach could lead to serious consequences for real people.
Security View
The Security View displays findings from various sources: the database security advisor, in-depth AI review of your database schema and RLS (Row Level Security) policies, as well as an AI-powered security review of your code. This comprehensive approach ensures broader coverage of potential security issues. Findings are categorized by severity level:
- Error: Critical security issues that should be addressed immediately. These include the “try to fix” option, though fixes are not guaranteed to resolve all cases.
- Warning: Important security concerns that should be reviewed and likely addressed.
- Info: General security recommendations and best practices for your consideration.

On-demand security review
You can request a security review at any time by asking Lovable to “review my app’s security” or a similarly worded request. Lovable will:
- Analyze your entire codebase for security vulnerabilities.
- Check for common issues like XSS prevention, input sanitization, and authentication flaws.
- Review your RLS policies and database security.
- Provide a detailed report with specific recommendations.
Remember: Even with no warnings from the scanner, it’s always a good idea to periodically request an on-demand security review for production applications.