
I Scanned Random Lovable Projects for Security Flaws. Here's What I Found.
I picked random public repos from Lovable's GitHub organization and ran them through a security scanner. The first result stopped me cold.

The Scan

Project: A salon booking app built with Lovable. TypeScript, React, Firebase. Standard vibe-coded stack.

Score: 28/100. Grade F.

In 50 files, the scanner found:

- .env file committed to the repo. Database passwords, API keys, everything. Sitting in plain text in the git history. Even if you delete it now, it's in every previous commit.
- Firebase API key hardcoded in a public JavaScript file. public/firebase-messaging-sw.js had the key right there. Anyone who opens DevTools can copy it.
- No .gitignore for secrets. The project never told git to ignore .env files. Every deploy pushed secrets to GitHub.
- Firebase config exposed client-side without server validation. The app trusts whatever the client sends. No server-side check.

Why This Matters

This isn't a bad developer. This is what Lovable outputs by default when you prompt "build me a salon boo
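The findings listed above are mechanical enough to script. What follows is an added example, not the scanner the article used and not code from the scanned project: a small Python pass over an in-memory snapshot of a repository (the paths and values are constructed for this example) that flags a dotenv file not excluded by .gitignore, plaintext secrets inside it, a missing .gitignore rule, and a Google-style API key in files served to browsers, then cross-references the two so a value that appears in both .env and public/ is reported as the same leak. The key format (an "AIza" prefix followed by 35 URL-safe characters) and the simplified .gitignore matching are assumptions of the example.

```python
import re
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Dict, List

# Assumption: Google/Firebase web API keys are "AIza" plus 35 URL-safe characters.
API_KEY_RE = re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b")
# Variable names that usually hold something worth protecting.
SECRET_NAME_RE = re.compile(r"(PASSWORD|SECRET|TOKEN|API_KEY|PRIVATE)", re.IGNORECASE)

# Constructed sample snapshot (path -> contents); not the article's project.
SAMPLE_REPO: Dict[str, str] = {
    ".env": "DATABASE_PASSWORD=hunter2\n"
            "FIREBASE_API_KEY=AIzaSyA1234567890abcdefghijklmnopqrstuv\n",
    ".gitignore": "node_modules/\ndist/\n",
    "public/firebase-messaging-sw.js":
        "firebase.initializeApp({ apiKey: 'AIzaSyA1234567890abcdefghijklmnopqrstuv' });\n",
    "src/App.tsx": "export default function App() { return null; }\n",
}

# The same snapshot after .env is ignored and the key is no longer hardcoded.
FIXED_REPO: Dict[str, str] = dict(SAMPLE_REPO)
FIXED_REPO[".gitignore"] = "node_modules/\ndist/\n.env*\n"
FIXED_REPO["public/firebase-messaging-sw.js"] = "// config fetched at runtime, not hardcoded\n"


@dataclass(frozen=True)
class Finding:
    rule: str
    path: str
    detail: str


def gitignore_covers(path: str, gitignore_text: str) -> bool:
    """Simplified .gitignore check: bare names, globs and 'dir/' prefixes only.
    Negation ('!') and anchored patterns are deliberately not handled."""
    name = path.rsplit("/", 1)[-1]
    for raw in gitignore_text.splitlines():
        pat = raw.strip()
        if not pat or pat.startswith("#") or pat.startswith("!"):
            continue
        if pat.endswith("/"):
            if ("/" + pat) in ("/" + path):
                return True
        elif fnmatch(name, pat) or fnmatch(path, pat):
            return True
    return False


def scan_repo(files: Dict[str, str]) -> List[Finding]:
    """Run the checks over a {path: contents} snapshot of a repository's tree."""
    findings: List[Finding] = []
    gitignore = files.get(".gitignore", "")
    env_values: Dict[str, str] = {}  # secret value -> variable name, for cross-referencing

    for path in sorted(files):
        name = path.rsplit("/", 1)[-1]
        if not (name == ".env" or name.startswith(".env.")):
            continue
        if gitignore_covers(path, gitignore):
            continue  # present on disk but git will not pick it up
        # .gitignore only stops new files: anything already committed stays in
        # history until the tree is cleaned and history rewritten.
        findings.append(Finding("env-file-tracked", path,
                                "dotenv file is not ignored, so it gets committed"))
        for line in files[path].splitlines():
            if "=" not in line or line.lstrip().startswith("#"):
                continue
            key, _, value = line.partition("=")
            key, value = key.strip(), value.strip().strip("'\"")
            if value and SECRET_NAME_RE.search(key):
                env_values[value] = key
                findings.append(Finding("secret-in-tracked-env", path,
                                        f"{key} has a plaintext value"))

    if not gitignore_covers(".env", gitignore):
        findings.append(Finding("gitignore-missing-env", ".gitignore",
                                ".gitignore does not exclude .env files"))

    for path in sorted(files):
        if not (path.startswith("public/") or path.endswith((".js", ".jsx", ".ts", ".tsx"))):
            continue
        for match in API_KEY_RE.finditer(files[path]):
            key = match.group(0)
            where = "served to browsers" if path.startswith("public/") else "bundled for the client"
            findings.append(Finding("client-side-api-key", path, f"{key[:8]}... is {where}"))
            if key in env_values:
                findings.append(Finding("env-secret-reused-client-side", path,
                                        f"same value as {env_values[key]} in .env"))
    return findings


if __name__ == "__main__":
    for f in scan_repo(SAMPLE_REPO):
        print(f"[{f.rule}] {f.path}: {f.detail}")
```

A tree-level scan like this only sees the current commit, which is exactly the caveat the article raises: the fixed snapshot above produces no findings, but the values from the earlier commit are still in history (a pass such as `git log --all -p -- .env` finds them) and should be treated as burned and rotated.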



