I Built an App with AI — Now What?
You had an idea. You opened Lovable (or Bolt, or Cursor, or Replit). You described what you wanted. And it built it.
It works. People are using it. Maybe you're even charging for it.
But in the back of your mind, there's a question you've been avoiding: is this thing actually secure?
This guide is for you. No jargon. No scare tactics. Just the stuff you actually need to do, in order of priority.
First: Don't Panic
Your app is probably not "catastrophically insecure." AI code generators have gotten much better at the basics. Most apps built with modern tools have:
- HTTPS enabled by default
- Basic authentication flows
- Reasonable frontend frameworks
The issues tend to be in the gaps — things the AI didn't think about because you didn't ask.
The 5-Minute Security Triage
Before you do anything else, check these three things. They take 5 minutes total.
1. Are There API Keys in Your Frontend Code?
Open your browser's DevTools, go to the Sources tab, and search for strings like sk_, key_, secret, password, or your Supabase service_role key.
If you find anything — that's a real problem. Anyone visiting your site can see those keys. But it's fixable:
- Move keys to environment variables on your hosting platform
- Use server-side API routes or Edge Functions for calls that need secrets
- Rotate any keys that were already exposed
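The same search, as an added example (not code from the original guide) that runs over a built bundle so it can be repeated in CI; the sample bundle and every key in it are constructed, and the Stripe/JWT patterns are assumptions about what those keys look like.

```javascript
// Scan a built frontend bundle for the secret-looking strings the guide says
// to search for in DevTools (sk_, key_, secret, password, service_role).
const SECRET_PATTERNS = [
  { name: 'Stripe secret key', re: /\bsk_(live|test)_[A-Za-z0-9]{8,}/g },
  { name: 'key_-prefixed token', re: /\bkey_[A-Za-z0-9_-]{8,}/g },
  // Supabase keys are JWTs; the service_role key carries "role":"service_role"
  // in its payload, so JWTs are decoded below and only that role is flagged.
  { name: 'JWT', re: /\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g },
  { name: 'secret/password literal', re: /\b(secret|password)\s*[:=]\s*['"][^'"]{6,}['"]/gi },
];

// Decode a JWT payload (no signature check needed, we only want the role claim).
function jwtRole(token) {
  try {
    return JSON.parse(Buffer.from(token.split('.')[1], 'base64url').toString('utf8')).role || null;
  } catch {
    return null;
  }
}

// One finding per hit: pattern name, 1-based line, and a redacted preview so
// the report itself does not leak the secret.
function scanBundle(source) {
  const findings = [];
  source.split('\n').forEach((line, i) => {
    for (const { name, re } of SECRET_PATTERNS) {
      for (const m of line.matchAll(re)) {
        let type = name;
        if (name === 'JWT') {
          // The anon key is meant to ship to browsers; service_role is not.
          if (jwtRole(m[0]) !== 'service_role') continue;
          type = 'Supabase service_role key';
        }
        findings.push({ type, line: i + 1, preview: m[0].slice(0, 6) + '...' });
      }
    }
  });
  return findings;
}

// Constructed sample bundle (no real keys): a fake Stripe key, a fake
// service_role JWT, a fake anon JWT that must NOT be flagged, and a password.
const fakeJwt = (role) => ['{"alg":"none"}', `{"role":"${role}"}`, 'sig']
  .map((s) => Buffer.from(s).toString('base64url')).join('.');
const SAMPLE_BUNDLE = [
  'const stripe = Stripe("sk_live_FAKEFAKEFAKE1234");',
  `const admin = createClient(URL, "${fakeJwt('service_role')}");`,
  `const supabase = createClient(URL, "${fakeJwt('anon')}");`,
  'const smtp = { password: "hunter2hunter2" };',
].join('\n');
```

Point scanBundle at the contents of each file under your dist/ or .next/static/ output; any finding means the key is already public and must be rotated, not just removed.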
2. Can Anonymous Users Access Your Database?
If you're using Supabase, check if Row Level Security (RLS) is enabled on your tables. Go to the Supabase Dashboard → Table Editor → Click each table.
If RLS is off, your anon key gives full read (and often write) access to that table. Yes, to anyone. Even without logging in.
Full Supabase security guide →
3. What Happens When You Enter <script>alert('hi')</script> in Your Forms?
Try it. If an alert box pops up, you have a Cross-Site Scripting (XSS) vulnerability. This means attackers can run arbitrary JavaScript in your users' browsers.
Most modern frameworks (React, Vue, Svelte) prevent this by default. But if you're using dangerouslySetInnerHTML, v-html, or {@html} anywhere, you might be vulnerable.
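The difference between those two rendering paths, as an added example (not code from the original guide): the same comment rendered as raw HTML, which is what dangerouslySetInnerHTML, v-html and {@html} do, and escaped, which is what the frameworks do by default. Escaping here covers HTML text content only; attribute and URL contexts need their own encoding.

```javascript
// Characters that can open a tag, close an attribute, or break out of text.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: user input is concatenated straight into markup, so a <script>
// in the comment becomes a real <script> in the page.
function renderCommentUnsafe(comment) {
  return `<li class="comment">${comment}</li>`;
}

// Hardened: the browser now sees the payload as text and displays it literally.
function renderCommentSafe(comment) {
  return `<li class="comment">${escapeHtml(comment)}</li>`;
}

// Crude check for tests: does the output contain an actual <script> tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// The guide's probe string (constructed test input, harmless by itself).
const PROBE = "<script>alert('hi')</script>";
```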
Level 2: The Weekend Fixes
These take a bit longer but are still straightforward:
4. Add Security Headers
Your app is probably missing security headers. Most hosting platforms don't add them by default. You need 6 headers, and they're just a config file.
Copy-paste header configs for Vercel, Netlify & Cloudflare →
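As an added example (not the guide's linked copy-paste configs), here is a next.config.js fragment applying six common security headers, plus a small checker you can run against a deployed site's response headers. The header set and values are assumptions; the CSP in particular must be tuned per app, because Next.js injects inline scripts and needs nonces or a looser script-src.

```javascript
const SECURITY_HEADERS = [
  // Only load resources from this origin and never render inside a frame.
  { key: 'Content-Security-Policy', value: "default-src 'self'; frame-ancestors 'none'" },
  // Browsers remember to use HTTPS for two years, subdomains included
  // (drop includeSubDomains if any subdomain is still plain HTTP).
  { key: 'Strict-Transport-Security', value: 'max-age=63072000; includeSubDomains' },
  // Stop browsers from sniffing a response into a different content type.
  { key: 'X-Content-Type-Options', value: 'nosniff' },
  // Legacy clickjacking defence for browsers without frame-ancestors support.
  { key: 'X-Frame-Options', value: 'DENY' },
  // Send only the origin, not the full URL, as Referer to other sites.
  { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
  // Turn off browser features the app does not use.
  { key: 'Permissions-Policy', value: 'camera=(), microphone=(), geolocation=()' },
];

// What next.config.js exports: apply the headers to every route.
const nextConfig = {
  async headers() {
    return [{ source: '/(.*)', headers: SECURITY_HEADERS }];
  },
};

// Check a live deployment: pass the response headers as a plain object, e.g.
// Object.fromEntries((await fetch(url)).headers), and get back the missing names.
function missingSecurityHeaders(responseHeaders) {
  const present = new Set(Object.keys(responseHeaders).map((k) => k.toLowerCase()));
  return SECURITY_HEADERS.map((h) => h.key).filter((k) => !present.has(k.toLowerCase()));
}

if (typeof module !== 'undefined') module.exports = nextConfig;
```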
5. Set Up Rate Limiting
Without rate limiting, someone can:
- Brute-force your login page
- Spam your forms
- Run up your API costs
If you're using Supabase Auth, it has built-in rate limiting. For your own API endpoints, add middleware. Most frameworks have libraries for this:
- Next.js: next-rate-limit or Vercel's built-in Edge Rate Limiting
- Express: express-rate-limit
- Edge Functions: Use a KV store to track request counts
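What such middleware does, as an added example (not code from the guide, and not the next-rate-limit or express-rate-limit packages it names): a fixed-window limiter with a pluggable counter store, so the same logic runs on one server with a Map or on Edge Functions with a KV store. The IPs and the injectable clock are constructed for testing.

```javascript
class MemoryStore {
  constructor() { this.counts = new Map(); }
  // Bump the counter for `key` in the current window and return the new count.
  // A KV-backed store would implement the same method with INCR + TTL.
  async increment(key, windowMs, now) {
    const entry = this.counts.get(key);
    if (!entry || entry.resetAt <= now) {
      this.counts.set(key, { count: 1, resetAt: now + windowMs });
      return 1;
    }
    entry.count += 1;
    return entry.count;
  }
}

// Express-style middleware: at most `max` requests per `windowMs` per client
// key (client IP by default). Over the limit: 429 with a Retry-After hint.
// `now` is injectable so tests can move the clock without sleeping.
function rateLimit(options = {}) {
  const { windowMs = 60_000, max = 10, store = new MemoryStore(),
          keyFn = (req) => req.ip, now = Date.now } = options;
  return async function limiter(req, res, next) {
    const count = await store.increment(keyFn(req), windowMs, now());
    res.setHeader('X-RateLimit-Limit', String(max));
    res.setHeader('X-RateLimit-Remaining', String(Math.max(0, max - count)));
    if (count > max) {
      res.setHeader('Retry-After', String(Math.ceil(windowMs / 1000)));
      res.statusCode = 429;
      return res.end('Too Many Requests');
    }
    return next();
  };
}

// Drive the middleware with fake req/res objects (constructed, for local
// checks): returns the status code each of `n` requests from one client got.
async function simulate(limiter, n, ip = '203.0.113.7') {
  const statuses = [];
  for (let i = 0; i < n; i++) {
    const res = { statusCode: 200, setHeader() {}, end() {} };
    await limiter({ ip }, res, () => {});
    statuses.push(res.statusCode);
  }
  return statuses;
}
```

Mount it before the login handler (`app.post('/login', rateLimit({ max: 5 }), handler)`); behind a proxy, make sure `req.ip` reflects the real client address or every user shares one counter.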
6. Enable Logging
If something goes wrong, you need to know what happened. At minimum:
- Enable error logging (Sentry, LogRocket, or even Supabase's built-in logs)
- Log authentication events (sign-ups, logins, password resets)
- Track API usage patterns
Level 3: When You Get Your First Paying Customer
Congratulations — someone trusts you with their data. Now you have a responsibility. And probably a deadline, because they might have asked:
7. "Is Your App Secure?"
This question will come. Enterprise customers, partners, and anyone handling sensitive data will ask.
Your options:
- Quick answer: Run a Proveably scan and share the results. If your score is decent, that's often enough for early-stage conversations.
- Better answer: Get a Proveably Security Badge — a public, verifiable proof that your app passes ongoing security scans.
- Enterprise answer: Start working toward SOC 2 or ISO 27001. Proveably can map your existing scan results to compliance frameworks, so you're not starting from zero.
8. Review Your Authentication Flow
AI-generated auth flows often have subtle issues:
- Password reset tokens that don't expire
- Session tokens stored in localStorage (vulnerable to XSS)
- Missing httpOnly flag on cookies
- No multi-factor authentication option
If you're using Supabase Auth or Clerk, most of this is handled for you. If you rolled your own auth... consider switching to a managed provider.
9. Check Your Dependencies
Your app has dozens (maybe hundreds) of npm packages. Some of them have known vulnerabilities.
Run npm audit in your project directory. Fix anything marked "high" or "critical."
What NOT to Worry About (Yet)
You don't need to:
- Hire a security consultant (a scan tool handles 90% of what they'd find)
- Get SOC 2 certified (not until you're targeting enterprise customers)
- Rewrite your app (the issues are almost always config changes, not code changes)
- Learn cryptography (use proven libraries and managed services)
The Easiest Next Step
Stop guessing. Scan your app.
Proveably runs 20+ security tools against your app in 30 seconds. You'll get a score, a list of issues, and AI-generated fix suggestions — written in plain English, with code examples for your specific stack.
Most apps go from "I have no idea" to "I know exactly what to fix" in under a minute.