Pillar / Production Readiness

Why Lovable Apps Fail in Production

The five patterns that show up in every audit, why AI builders ship them by default, and what "production-ready" actually means once your app has real users.

The thesis. Lovable, Bolt, V0, and other AI app builders are excellent for prototyping. The apps they ship look great in demo, work fine for the first user, and feel production-grade. But the same five gaps appear in basically every Lovable-built app I look at: leaked secrets, Supabase RLS off, no rate limits, unsigned Stripe webhooks, and server-side validation missing. The pattern isn't a bug in any individual app. It's a consequence of what AI builders optimize for.

In this article

The pattern: AI builders ship demo-quality code
The five patterns that show up in every audit
What "production-ready" actually means
How to know if your app has any of these issues
The fix path: DIY versus hire it out

The pattern: AI builders ship demo-quality code by default

AI app builders are optimized for one thing above everything else: getting a working prototype in front of the user as fast as possible. That's the moment the user falls in love with the tool and keeps building. It's the moment the tool earns its retention.

The thing is, "works for the first user" and "works in production" are radically different bars. Most production-readiness work is invisible. It's the layer that handles edge cases, abuse, scale, and adversarial users. None of it makes the demo more impressive. All of it is critical the moment real users show up.

AI builders don't write production-readiness code by default because writing it doesn't improve the demo. The prompt the AI receives is something like "build me an app that does X." It is not "build me an app that does X and also enables Row-Level Security on every table, validates inputs server-side, signs and verifies every webhook, and rate-limits every endpoint that costs money." If you don't ask for the production work, you don't get it.

And here is the deeper problem: non-technical founders don't know what to ask for. If you've never run a SaaS at scale, you don't know that webhook signatures exist. You don't know that RLS is off by default. You don't know that the client can't be trusted to validate its own input. So you don't ask, and the AI doesn't volunteer.

The result is a generation of shipped apps that look polished, work for the first user, and break the moment they meet the real world.

The five patterns that show up in every audit

Across the Lovable, Bolt, and V0 apps I've studied, the same five issues recur. Severity, blast radius, and fixability vary, but the recurrence is constant.

Pattern 01 / Critical

Secrets baked into the JavaScript bundle

AI builders will happily generate code that references API keys directly. When the app builds, those keys end up in the bundle that ships to every visitor. Stripe secret keys, OpenAI keys, Supabase service-role keys: all of them visible to anyone who opens View Source.

The fix is two-step. First, rotate any keys you find leaked. Second, move all secret-using code to the server (Vercel serverless functions, Supabase Edge Functions, or a separate API). Only "publishable" keys (Stripe pk_, Supabase anon) belong in the client.

The check: open your deployed app, View Source, search the bundle for sk_, key_, or your provider's prefix. If anything turns up, you have leaks.

Read the full guide →

Pattern 02 / Critical

Supabase Row-Level Security disabled by default

Lovable connects your app to Supabase using the anon key. The anon key is intentionally public. Supabase's security model assumes you've enabled Row-Level Security on every table and written policies that scope access by user. AI builders don't do this automatically. Every new Postgres table starts with RLS off.

The result: anyone with DevTools can SELECT, INSERT, UPDATE, or DELETE on any table in your public schema. The most expensive failure mode in my audits, because it doesn't break visibly. Your app works fine. You don't notice anything wrong until someone scrapes your users table or pollutes your data.

Read the full guide →

Pattern 03 / High

No rate limiting on AI endpoints

Most AI-built apps have at least one feature that calls an LLM (chat, generate, summarize, draft). The endpoints powering those features rarely have any rate limiting. There's no throttle by IP. There's no per-user cap. There's no abuse detection.

One bored user with a loop script can burn through your entire OpenAI or Anthropic budget overnight. Stories of $1,000-$5,000 surprise bills from a single abusive user are common in the indie founder community. The financial damage is usually irreversible by the time you notice.

The fix: put a rate limiter in front of every endpoint that costs money to call. Upstash Ratelimit + Vercel is the standard serverless-friendly stack. Per-IP, per-authenticated-user, and global cost cap are layered together for real protection.

Read the full guide →

Pattern 04 / Critical

Stripe webhooks not signature-verified

If your app processes payments, Stripe sends events to your webhook endpoint when a payment succeeds, a subscription renews, a refund issues. Your handler is supposed to verify that each event really came from Stripe by checking a signature header against your webhook signing secret. AI-generated handlers usually skip this entirely.

Without verification, anyone who finds your webhook URL can POST a fake "payment.succeeded" event and trigger your fulfillment logic for free. If you grant subscription access or unlock paid features in your webhook handler, an attacker gets those things for $0.

Read the full guide →

Pattern 05 / High

Server-side input validation missing

AI builders will generate forms with client-side validation: required attributes, regex patterns, error messages on blur. That's UX, not security. The server-side handler that receives the form data typically trusts whatever JSON arrives.

A curl request that bypasses the form sends whatever the attacker wants. If the server doesn't independently validate types, lengths, ranges, and shapes, you get garbage in your database, injection vectors, or business logic exploits.

The fix: every endpoint that writes to your database needs server-side validation. Zod, Yup, or hand-rolled validators all work. The discipline is that the server treats the client as untrusted, always.

What "production-ready" actually means

The word "production" gets used loosely. When AI builders say an app is "production-ready," what they often mean is "the happy path works and the styling is polished." That's a much lower bar than what production engineers mean.

For production engineers, "production-ready" is a checklist:

The app handles adversarial users, not just well-meaning ones
Failure modes are explicitly considered and either prevented or gracefully handled
Secrets and access control are explicitly designed, not implicit
Cost-sensitive operations are throttled and metered
Data integrity is enforced server-side, not client-side
The system survives a 10x or 100x traffic spike without falling over
Observability exists so problems can be diagnosed quickly

An AI-built app that ships with the five patterns above doesn't meet any of those criteria. It works for the first user. It might work for the first ten. It will break the moment any of the following happens: a bored teenager finds your endpoint, a scraper notices your data is unprotected, a competitor probes your security, or a real wave of users tests your validation.

How to know if your app has any of these issues

Five quick checks. Each takes under five minutes. If you only have time for one, do the RLS check, because that's the most expensive failure mode.

Secrets check. Open your deployed app, right-click, View Page Source. Search the bundle for sk_, key_, or your provider's prefix. Anything found = leak.
RLS check. Open Supabase Dashboard, look at the RLS column on every table in public. Any "Disabled" tables = vulnerable.
Rate limit check. Find your most expensive AI endpoint. Hit it 100 times from a script. If it didn't reject any of them, no rate limit exists.
Webhook check. Search your webhook handler code for constructEvent. If it's missing, signatures aren't verified.
Validation check. Find any endpoint that writes to your database. curl a payload that fails the form's client-side rules. If the server accepts it, validation is client-only.

If you find any of these, the rest of this site has the fixes.

Deep-dive guides on the worst offenders

Supabase Row-Level Security for Lovable Apps

Complete walkthrough of why Lovable apps ship with RLS off, how to verify in 60 seconds, and how to write policies that actually work. SQL examples included.

Stripe Webhook Security for Lovable Apps

How to verify webhook signatures with constructEvent(), why AI builders skip it, and how to test that your handler rejects unsigned requests. Code examples for Vercel/Node.

Rate Limiting for Lovable Apps

How to stop a surprise $5,000 OpenAI bill from one user with a loop script. Layered rate limiting (per-IP, per-user, global cost cap) using Upstash + Vercel. Code examples included.

Secrets Management for Lovable Apps

How AI builders leak API keys into the JavaScript bundle, the 60-second View Source check, and how to migrate every secret-using call site to a server-side function. Covers Stripe, OpenAI, Anthropic, and Supabase key types.

The Lovable Production Checklist

The full 14-item checklist Rivetz uses for every audit. Each item has severity, how to check, and how to fix. Free, no email gate.

The fix path: DIY versus hire it out

If you have engineering experience, every pattern above is fixable in a weekend. The patterns are well-documented, the fixes are well-established, and the tools (Supabase, Stripe, your serverless platform) all have solid SDKs and documentation.

If you don't have engineering experience, the situation is harder. Reading through Postgres RLS syntax, understanding how Stripe's webhook signature is computed, or wiring up server-side validation requires technical context you may not have time to build. The cost of doing it wrong is also high: a half-implemented RLS policy can break your app, and a half-implemented rate limiter is worse than no rate limiter if it gives users a false sense of safety.

The two reasonable paths:

DIY with a checklist. Work through the production checklist item by item. Each one has the actual fix. Budget a full weekend, more if your app is complex. Test thoroughly before considering anything done.
Hire it out. A fixed-price audit and cleanup runs a few thousand dollars. Less than the cost of a single bad week of OpenAI overage from a missing rate limit, and orders of magnitude less than the cost of a data leak or a public security incident.

Whichever path you take, the worst option is the third one: ignore the issues and hope no one finds them. The Lovable apps that have already shipped with these defaults aren't sitting in a vacuum. Bots, scrapers, and curious users find apps faster than founders realize. The clock starts the moment your app is publicly reachable.

Want this done for you?

Rivetz audits and hardens Lovable, Bolt, and V0-built apps for production. The audit ($1,000, 3 business days) finds every issue and delivers a written report plus a recorded Loom walkthrough. The cleanup ($3,500, 14 business days) implements every CRITICAL and HIGH severity fix.

100% async. No calls. No scope creep. Fixed price.

See offers See full checklist