How to test a Lovable app before your users do
Lovable builds a React front end on Supabase in minutes. That speed is the point — and it's also why the parts that keep users' data safe are the parts most likely to be missing. Here's the Lovable-specific check to run before you ship.
What Lovable actually gives you
A typical Lovable project is a client-side React app (built with Vite) talking directly to a Supabase project for auth, database, and storage. There's usually no server of your own in between — the browser holds a Supabase client and queries the database over the network. That architecture is clean and fast to build, but it moves the whole burden of "who's allowed to do what" onto Row Level Security (RLS) policies in the database. Get those wrong and every visitor can read every row.
So testing a Lovable app is less about your React components and more about the boundary between the browser and Supabase. These eight checks target exactly that.
The Lovable pre-launch checklist
1. Confirm Row Level Security is on for every table
Open your Supabase dashboard → Table Editor. Every table that holds user data must show RLS enabled, with a policy that scopes rows to auth.uid(). A table with RLS off, or a policy of USING (true), is world-readable. This is the single most common — and most serious — hole in a Lovable app.
2. Try to read another user's data
Sign up two accounts. As account A, create a record and note its ID. Sign in as account B and try to open that record — by pasting the ID into the URL, or by editing the request in dev tools. If B can see A's data, your RLS policies are missing or too broad. (This class of bug is called IDOR, and it's the one that leaks customer data.)
3. Understand your anon key before you panic about it
You'll find your Supabase URL and anon key sitting in the browser bundle. That's expected — the anon key is a publishable key. It is only dangerous when RLS is off. Do not spend time trying to hide it; spend that time on checks 1 and 2. What must never appear in the browser is the service_role key — search your bundle for service_role and, if it's there, rotate it immediately and move it server-side.
4. Make a stranger sign up
Open the app in a private window and register like a first-time user. Does the confirmation email arrive? Does the verify link work? Try an address with a + alias (you+test@gmail.com) — Supabase handles these fine, but custom validation Lovable wrote for you sometimes rejects them, quietly turning away real signups.
5. Feed every form hostile input
Paste a 2,000-character string, emoji, an apostrophe, and <img src=x onerror=alert(1)> into each field. Parameterized Supabase queries make SQL injection unlikely, but React will happily render unescaped HTML if your code uses dangerouslySetInnerHTML anywhere — that last payload should appear as literal text, never as an alert box.
6. Check the flows Lovable didn't wire up
Follow every button to its end: "Upgrade," "Save," "Delete." Lovable is good at generating screens and less reliable at connecting them, so a button that looks done can lead nowhere. Walk your checkout and account flows all the way through.
7. Use it on a phone
Shrink the window to 375px or open it on your phone. Lovable's default layouts are usually responsive, but custom components and modals often aren't — check nothing overflows and the keyboard doesn't cover the field you're typing in.
8. Can a user delete their account?
Sign up, then try to delete everything. GDPR's Right to Erasure requires it, and Supabase makes it easy to forget: deleting the auth.users row doesn't automatically delete the rows that user created in your other tables. Confirm a delete actually removes the data. (See our GDPR checklist.)
If you do only one thing: open your Supabase dashboard and confirm RLS is on, with a per-user policy, for every table. That one check closes the hole that leaks data.
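The Postgres SQL behind checks 1, 2 and 8, as an added example that is not from the article or from Lovable's generated code; it assumes a hypothetical public.notes table whose user_id column holds the owner. The two audit queries list tables with RLS off and policies that pass unconditionally, and the rest shows the world-readable policy beside the per-user ones, with the foreign key that makes an auth.users delete cascade.

```sql
-- Check 1: public tables that still have RLS switched off
select n.nspname as schema_name, c.relname as table_name
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where n.nspname = 'public'
  and c.relkind = 'r'
  and not c.relrowsecurity;

-- Checks 1 and 2: policies that grant access unconditionally
select tablename, policyname, cmd, qual, with_check
from pg_policies
where schemaname = 'public'
  and (qual = 'true' or with_check = 'true');

-- Hypothetical table; user_id is the owner column the policies key on.
-- "on delete cascade" is what makes check 8 pass: removing the auth.users
-- row also removes that user's notes instead of orphaning them.
create table public.notes (
  id      uuid primary key default gen_random_uuid(),
  user_id uuid not null references auth.users (id) on delete cascade,
  body    text not null
);

alter table public.notes enable row level security;

-- Weak: anyone holding the anon key reads every row (what check 2 catches).
-- create policy "notes_read_all" on public.notes
--   for select using (true);

-- Corrected: a signed-in user reads, writes and deletes only their own rows.
create policy "notes_select_own" on public.notes
  for select to authenticated
  using (auth.uid() = user_id);

create policy "notes_insert_own" on public.notes
  for insert to authenticated
  with check (auth.uid() = user_id);

create policy "notes_update_own" on public.notes
  for update to authenticated
  using (auth.uid() = user_id)
  with check (auth.uid() = user_id);

create policy "notes_delete_own" on public.notes
  for delete to authenticated
  using (auth.uid() = user_id);
```

Run the two audit queries in the Supabase SQL editor: any row they return is a table or policy to fix before you ship.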
The fast way: let something break it for you
Running all eight by hand every time you ship gets skipped in a busy week. Blinkof.ai does it for you: it signs up, probes for cross-tenant data leaks, reads your bundle for exposed keys, tries hostile input, walks your flows, and even attempts to delete its own account — then hands you a report where every finding comes with a paste-ready fix prompt written for Lovable's Supabase-and-React stack, not generic advice for some other framework.
It's this checklist, run in under a minute, by something that doesn't get bored or skip the RLS check.
See it on your Lovable app
Paste your URL and Blinkof.ai runs the whole check in under a minute — free.
Run a free blink test →