Security score
https://demo-app.example
Supabase Row Level Security: Disabled
Anyone can read or modify user data from your database without logging in.
Your tasks and profiles tables responded to an unauthenticated database query. Anyone on the internet who knows your Supabase URL and publishable key — both are visible in your app's JavaScript — can read every row in these tables without logging in. This is the same vulnerability that exposed databases in 170+ Lovable apps in June 2025 (CVE-2025-48757). It affects apps where Supabase Row Level Security (RLS) is disabled or not configured.
Fix prompt
My Supabase database has Row Level Security (RLS) disabled. The data is publicly readable without authentication. I need to:
1. Enable RLS on all tables with user data
2. Create policies restricting access using auth.uid()
3. Verify the fix by testing that unauthenticated queries return 401
Sensitive Endpoint Accessible Without Login
User data can be fetched directly from a public API route.
Your /api/users endpoint returned a JSON array of user records when accessed without any authentication token. Anyone can call this URL directly and receive all user data.
Fix prompt
My /api/users endpoint is publicly accessible without authentication. Please add a server-side auth check using my existing auth system. The endpoint should return HTTP 401 if no valid session is present.
Missing HTTPS Strict Transport Security Header
Browsers are not being told to force secure HTTPS connections.
Your app is not sending an HTTP Strict Transport Security (HSTS) header. This means browsers won't force HTTPS connections, leaving users vulnerable to downgrade attacks on public Wi-Fi.
Fix prompt
My app is missing a Strict-Transport-Security (HSTS) header. Please add HSTS to all responses with max-age=63072000; includeSubDomains; preload. Show me where to add this in my Next.js/Vite configuration.