2 KiB
| tags | |||
|---|---|---|---|
|
Here are some tips that i follow and might help people reading:
- Lockdown your backend (Supabase policies can help):
Most vibe-coded apps using Supabase or Firebase leave their backend wide open. Anyone who knows your endpoint URL can potentially view or modify sensitive data, like user accounts, subscriptions, or even payment info.
What to do: Don’t rely on default settings. Go into your Supabase project, open the Auth Policies, and restrict everything. By default, deny all access, and only allow specific users to access their own data.
Why: Even if your frontend looks secure, if your backend allows anyone to hit the database directly, you’re not just vulnerable, you’re exposed.
Resource: Supabase RLS Docs
- Don’t trust the frontend and always validate requests:
Tools like Lovable or Bolt often generate frontend-heavy apps, where important actions (like account upgrades or profile edits) happen purely in the UI, with little to no checks behind the scenes.
What to do: Always assume that anyone can inspect, modify, and resend requests. Validate every request on the backend: check if the user is logged in, if they have the right role, and if they’re even allowed to touch that data.
Why: Frontend code can be faked, replayed, or manipulated. Without real backend validation, a malicious user can do far more than just "test" your app, they can break it.
-
Never expose your secrets, keep keys truly private (Haven't seen it happening in case of Lovable at least):
Accidently exposing env files is common, keeping a tight file security if you're deploying it on your own server. -
You can ask your favourite AI vibe-coding tools to generate a security audit tasklist based on your project and follow the tasklist and fix all until finished. That should solve most of the issues.