Blog

Security research, case studies, and guides for AI-built apps.

Research · March 2026

We checked 50 Lovable apps' Supabase RLS. 43 were vulnerable.

Most apps had RLS 'enabled' but used USING(true) — which grants full public access. Here's what we found and how to fix it.

Guide · March 2026

Your Supabase RLS says 'enabled'. Here's why it's still open.

USING(true) is the most common RLS policy mistake in vibe-coded apps. We explain the difference between RLS enabled and RLS secured.

Case Study · March 2026

$12,000 in 8 hours: what happens when your OpenAI key leaks

A real case study of an AI key leaked in client-side JavaScript. How much it cost, how fast it was exploited, and how to prevent it.

Analysis · March 2026

The 5 security checks Lovable's built-in scanner doesn't do

Lovable checks headers and basic config. But it can't connect to your Supabase to validate RLS policy logic. Here's what's missing.

Research · March 2026

allow read, write: if true — the Firebase rules epidemic

We analyzed 100 Firebase projects from GitHub. 67% had completely open Firestore rules. Here's the one-line fix.
