Security Issues

Lovable generates React components that frequently use dangerouslySetInnerHTML for rich text without sanitization. How to detect the pattern, install DOMPurify, and swap to react-markdown.

The Supabase anon key is public by design; the service_role key is not. How service_role ends up in Lovable frontends, plus OpenAI/Stripe key leakage through direct API calls from the browser.

The exact vulnerability that exposed 170+ Lovable apps: Supabase tables without Row Level Security queryable via the public anon key. Detection via anon-key probe, enablement via ALTER TABLE.

Lovable-generated auth flows check the logged-in state in React components but leave Supabase API endpoints unprotected. Attackers skip the UI and hit the API directly — here is how to close it.

Bolt.new generates React quickly but skips output sanitization for user-generated content. Common injection surfaces in Bolt output and per-component fixes using DOMPurify or react-markdown.

Bolt.new frequently places API keys directly in generated files. How to find them (sk-, AKIA, AIzaSy patterns in JS bundles), rotate immediately, and migrate to server-side routes.

Bolt's AI creates Supabase tables for the schema to work but rarely writes RLS policies. Detection SQL (pg_tables rowsecurity), enablement with ownership-check policies scoped to auth.uid().

Bolt.new generates professional-looking auth UIs that enforce access only at the render layer. The backend routes remain open. How to detect and fix the frontend-only auth pattern.

Windsurf Cascade generates rich text rendering and URL parameter handling without sanitization. Specific Cascade output patterns to audit plus per-vulnerability remediation code.

Cascade generates code that often calls third-party APIs directly from the browser with embedded keys. Enable Zero Data Retention, scan bundles for sk-/AIza patterns, and migrate to server routes.

Windsurf-generated apps rarely include security headers in the initial scaffolding. How to add CSP, HSTS, and X-Frame-Options to Windsurf-built apps depending on the host (Vercel, Netlify, Railway).

Windsurf's Cascade generates polished role-based UI rendering that is bypassable by calling backend APIs directly. How to audit Cascade-generated auth and force authorization server-side.

Replit-generated apps often render user input with template strings and innerHTML, bypassing framework auto-escaping. How to audit generated code for XSS patterns and apply layered fixes.

Public repls with .env files or hardcoded keys are indexable by automated scanners. Use Replit Secrets, make the repl private, rotate leaked keys, and purge from git/shell history.

Replit's reverse proxy may strip or not add security headers. Configure them in your server framework (Express helmet, Flask-Talisman, etc.) and verify they reach the client via curl.

Replit apps often use session storage patterns that break under the platform's shared execution model. Common gaps: session fixation, predictable session IDs, and insecure cookie flags.

Firestore ships with test-mode rules (30-day world read/write). Thousands of Firebase apps ship to production with test-mode rules intact. Emulator testing and ownership-check rule templates.

Firebase client config (apiKey, projectId) is public by design — Security Rules enforce access. Admin SDK credentials must never reach the browser. How to tell them apart and contain leaks.

Firebase auth breaks when server code trusts unverified client tokens, Security Rules skip auth.uid checks, or custom claims fall out of sync. Per-layer hardening with Admin SDK verifyIdToken.

Firebase Hosting serves static+JS apps that often fetch Firestore docs and render them without sanitization. How stored XSS flows from unsanitized document writes through to victim browsers.

Supabase's #1 misconfiguration. Why it is dangerous (anon key public by design), how to detect (pg_tables check + anon-key API probe), and policy templates for common access patterns.

The service_role key bypasses all RLS. If it ever touches a client bundle, rotate it immediately — RLS alone cannot protect you. How to audit every place the service_role might leak.

Supabase Auth handles authentication robustly but developers conflate it with authorization. Being logged in does not mean a user should access everything — where the gap lives and how to close it.

v0-generated components sometimes render props or API data through dangerouslySetInnerHTML or javascript: URLs. How to audit generated components pre-deploy and enforce sanitization.

v0 generates client-side React components that often fetch directly with embedded keys. Rotate immediately, create Next.js Route Handlers for external API calls, and scope env vars properly.

v0-generated apps deploy without security headers by default. Configure headers in next.config.js headers() function or vercel.json — per-header recommendations for v0 + Vercel stacks.

NEXT_PUBLIC_ env vars are inlined into the frontend bundle — one typo exposes a secret. Preview deployments may carry production env vars. How to audit and scope correctly.

Vercel adds some security headers by default (HSTS) but misses others (CSP, X-Frame-Options). Configure in vercel.json headers array or Next.js headers() function with nonce-based CSP patterns.

Next.js API routes and Vercel functions commonly set wildcard CORS to silence dev errors. The wildcard persists to production. How to allowlist origins correctly for credentialed requests.

netlify.toml is committed to git — any secret there is public. How to scan build logs for leaks, migrate secrets to Netlify UI environment variables, and scope Functions env correctly.

Netlify does not add security headers automatically. How to configure CSP, HSTS, X-Frame-Options via _headers file with per-directory overrides, plus nonce-based CSP for modern frameworks.

Netlify Functions and _headers config frequently use Access-Control-Allow-Origin: * to resolve dev errors — which allows any site to call your API. Per-origin allowlist patterns with credentials.

Cursor's auto-completion may suggest dangerouslySetInnerHTML, raw innerHTML assignments, and unescaped template strings. How to audit Cursor-generated files and wire up a pre-commit XSS scan.

Cursor workflows encourage pasting API keys for quick testing — and those keys often get committed to git and bundled into production. Bundle-scan audit steps and rotation-order guidance.

Railway's shared variable groups can leak keys across services, and deploy logs retain env snapshots. Audit every service, restructure variable groups, and rotate anything that crossed boundaries.

Railway handles TLS but leaves security headers to the application. Configure headers in your framework (Express helmet, Next.js config, etc.) — Railway does not inject them at the edge.