SShortSingh.
Back to feed

Audit Finds 40% of Public Lovable Apps Expose Databases Due to Missing Security Rules

0
·1 views

A passive browser-based scan of 15 publicly deployed Lovable apps found that 6 of them load their Supabase database directly on the client side, exposing API keys in page source code. While this setup is not inherently unsafe, it becomes a serious vulnerability when Row-Level Security (RLS) is not properly configured. In two apps audited with owner permission, sensitive data — including user password hashes and an entire paid course catalogue of over 5,000 items — was freely accessible to unauthenticated users. Additionally, 14 of the 15 apps shipped with no Content-Security-Policy header, leaving them open to script injection attacks. The findings highlight a broader risk for apps built on no-code platforms like Lovable, Bolt, and Replit, where database access controls may be overlooked during development.

Read the full story at DEV Community

This is an AI-generated summary. ShortSingh links to the original source for the complete article.

Discussion (0)

Log in to join the discussion and vote.

Log in

Related stories

0
ProgrammingDEV Community ·

Dev Builds Three.js 3D Product Configurator for WooCommerce, Shares Key Lessons

A developer built Noorifa, a WooCommerce plugin that replaces static product photos with an interactive Three.js 3D viewer, allowing customers to rotate models, zoom, and switch colors synced to store variations. The project revealed that 3D rendering was only 20% of the work, with the remaining 80% involving unexpected technical challenges. One key issue was that a single overhead light left downward-facing surfaces completely dark, which was fixed by adopting a multi-light studio setup including a dedicated under-light. Unbounded zoom controls were also a problem, solved by scaling the zoom range dynamically against each model's bounding box radius rather than using fixed values. The developer also publicly corrected a prior claim about WordPress.org prohibiting WebAssembly binaries, noting no such explicit rule exists.

0
ProgrammingDEV Community ·

Developer Builds Tool That Turns GitHub Commit History Into a Narrative Card

A developer has launched Commit Chronicles, a web tool that analyzes a public GitHub repository's commit history and generates a shareable story card. The system uses Snowflake to fetch commit data and apply six SQL-based storyline detectors to identify which narrative pattern exists in the repository, without any AI involvement at that stage. A single Cortex AI call then narrates the detected story thread using 20 to 140 commit lines, while Cloud Run renders the output as a 1200×630 PNG suitable for README embeds. The tool enforces strict rules to prevent the AI from inventing facts, ensuring every timestamp, commit count, and quoted message on the card is drawn directly from real repository data. Repositories with insufficient history receive a plain grey card, and the AI is never invoked for them.

0
ProgrammingDEV Community ·

How Platform Teams Can Multiply Value Instead of Adding Bureaucracy

A software engineer with experience on multiple platform teams outlines what separates effective platform teams from ineffective ones. The core principle is that a platform team should act as a force multiplier, meaning any work it produces should benefit all teams it supports rather than serving only a subset. Reducing cognitive load for development teams is highlighted as a primary responsibility, allowing those teams to focus on business requirements instead of infrastructure concerns. The author emphasizes the importance of community building, encouraging platform teams to collaborate with innovators and early adopters rather than gatekeeping solutions. New platform teams are also cautioned to respect existing workflows, as disrupting processes that already work can create friction and resistance across the organization.

0
ProgrammingDEV Community ·

Claude Code Uses 4.7x More Tokens Than OpenCode Before You Type a Word

A benchmark by Systima found that Claude Code sends approximately 33,000 tokens of system prompts, tool schemas, and scaffolding per session before any user input, compared to roughly 7,000 tokens for OpenCode under identical test conditions. The study used a logging proxy to capture exact API request payloads, with both tools pointed at the same model and run in clean, empty environments. Claude Code also re-wrote up to 54 times more prompt-cache tokens per session than OpenCode, and since cache writes are billed at a premium, costs can climb significantly. However, the benchmark noted one advantage for Claude Code: on multi-step tasks, it batches tool calls into fewer requests, which can result in a lower total token count compared to OpenCode's turn-by-turn approach. The researchers emphasize that session structure — not just baseline overhead — ultimately determines which tool costs more in real-world use.

Audit Finds 40% of Public Lovable Apps Expose Databases Due to Missing Security Rules · ShortSingh