Step-by-Step Guide
7 steps

How to Deploy Lovable Apps Securely

Before deploying your Lovable app to production, you need a security checklist. This guide covers every pre-launch security task: RLS verification, secret management, security headers, and post-deployment scanning.

Find security issues automatically before attackers do.

Follow These Steps

1

Verify RLS is enabled on all Supabase tables

Run a query to confirm every table has Row Level Security enabled.

Code Example
SELECT tablename, rowsecurity FROM pg_tables WHERE schemaname = 'public' AND rowsecurity = false;

This query should return zero rows. Any table listed needs RLS enabled immediately. Two things the query does not tell you: a table with RLS enabled but no policies denies every request made with the anon or authenticated key (only service_role bypasses RLS), so the app breaks rather than leaks, which is the safe failure; and views are not tables. A view runs with its owner's privileges by default and therefore bypasses RLS on the tables beneath it unless it was created with security_invoker = true, so check pg_views for anything reachable through the API as well.

2

Review all RLS policies

A table with RLS enabled but a permissive policy of USING (true) for the public role is effectively unprotected. For each policy, check roles (prefer authenticated over public), qual (the USING expression that filters rows for SELECT, UPDATE and DELETE) and with_check (the expression that gates INSERT and UPDATE); anything that is literally true grants every row to everyone in that role. Permissive policies are ORed together, so one broad policy overrides any narrower ones on the same table. A table that does not appear in this output at all has RLS on with no policies, which denies all access through the API.

Code Example
SELECT schemaname, tablename, policyname, permissive, roles, cmd, qual, with_check
FROM pg_policies
WHERE schemaname = 'public'
ORDER BY tablename, cmd;

3

Confirm no secret keys are in frontend code

Search the built output for literal key material. Lovable apps are Vite SPAs, so the bundle is in dist/; the other directories cover Next.js and CRA-style builds. Anything matched here is shipped to every visitor.

Code Example
# Check the built output (Vite writes to dist/; .next/, build/ and out/ cover other toolchains)
# -I skips binary files; the Stripe live-key prefix is sk_live, sk-live is kept in case it was typed that way
grep -rnIE "sk-proj|sk_live|sk-live|service_role|SERVICE_ROLE" .next/ dist/ build/ out/ 2>/dev/null

The grep only finds literal strings. Supabase keys are JWTs whose role claim is base64url-encoded in the payload, so a service_role key does not contain the text "service_role" in the bundle; decode any token starting with eyJ that you find in dist/ and confirm its role is anon.

4

Configure security headers on your hosting platform

Add headers that stop MIME-type sniffing (X-Content-Type-Options), block framing by other sites (X-Frame-Options), force HTTPS on repeat visits (Strict-Transport-Security) and limit what the Referer header leaks (Referrer-Policy). None of these stops cross-site scripting itself; the header that does, Content-Security-Policy, has to be tuned to your app (at minimum connect-src must allow your Supabase project URL), so add it once you have tested it against the deployed SPA. Keep the preload directive only if you intend to submit the domain to the HSTS preload list, since it is effectively irreversible. The example below is for Vercel; Netlify reads the same headers from a _headers file or netlify.toml. These apply only to the frontend origin, so the Supabase project is unaffected.

Code Example
// vercel.json (if deploying to Vercel)
{
  "headers": [{
    "source": "/(.*)",
    "headers": [
      { "key": "X-Content-Type-Options", "value": "nosniff" },
      { "key": "X-Frame-Options", "value": "DENY" },
      { "key": "Strict-Transport-Security", "value": "max-age=63072000; includeSubDomains; preload" },
      { "key": "Referrer-Policy", "value": "strict-origin-when-cross-origin" }
    ]
  }]
}
5

Enable Supabase email verification

In the Supabase dashboard, under Authentication, enable "Confirm email" for the Email provider so a new account cannot sign in until its address has been verified. This stops accounts being registered with addresses the user does not control; it does not by itself stop automated signups, so also review the auth rate limits and the bot protection (CAPTCHA) settings in the same section.

6

Set up error monitoring

Add error tracking so you learn about production failures before users report them.

Code Example
// Using Sentry (example). Lovable apps are Vite + React SPAs, so this uses the
// React SDK and Vite's import.meta.env rather than Next.js process.env names.
import * as Sentry from '@sentry/react'

Sentry.init({
  // The DSN only lets clients submit events; it is not a secret, but keep it in
  // a VITE_-prefixed variable so each environment gets its own at build time.
  dsn: import.meta.env.VITE_SENTRY_DSN,
  // Sample 10% of transactions to keep performance data volume down.
  tracesSampleRate: 0.1,
  environment: import.meta.env.MODE
})

Error reports can carry request data and user identifiers. Leave sendDefaultPii off (the default) and inspect the first captured events before launch to confirm nothing sensitive is being sent.

7

Run a pre-launch security scan

Scan your staging deployment with VAS before making it public.

Fix all critical and high severity findings before launch. Medium findings can be addressed after launch, but record each with an owner and a date so they are not forgotten.

What You'll Achieve

Your Lovable app is deployed with RLS enforced, secrets secured, security headers configured, email verification enabled, and error monitoring active. A security scan has verified the deployment is production-ready.

Common Mistakes to Avoid

Mistake

Deploying without checking RLS status

Fix

Run the RLS audit query before every deployment. New tables from recent changes may not have RLS enabled.

Mistake

Using the Supabase service_role key in production frontend

Fix

The frontend must only ship the anon key, which is public by design and is safe only because RLS constrains what it can do. Any operation that needs service_role belongs in a Supabase Edge Function, where the key is read from the function's environment (SUPABASE_SERVICE_ROLE_KEY is injected automatically) and never reaches the browser.

Frequently Asked Questions

What should I check before every Lovable deployment?

Verify RLS is enabled on all tables, no secret keys are in frontend code, security headers are configured, and email verification is enabled. Run a VAS scan on staging before promoting to production.

Can I deploy Lovable apps to any hosting platform?

Lovable apps are typically React SPAs that can deploy to Vercel, Netlify, or any static hosting. The Supabase backend is separate and does not need to be re-deployed with the frontend.

Ready to Secure Your App?

VAS automatically scans your deployed app for the security issues covered in this guide. Get actionable results in minutes.
