Skip to main content
Back to Blog
Tutorial4 min read

How to Deploy a Lovable App to Production (Without Getting Hacked)

Lovable gets you to a working prototype fast, but deploying to real users requires security hardening, environment setup, and proper configuration. Here's the full checklist.

Share:

You've built your app with Lovable. It works in the preview. You're ready to share it with the world. But before you point a custom domain at it and start driving traffic, there are critical steps between "it runs" and "it's production-ready."

This guide covers everything you need to check, fix, and configure before deploying a Lovable app to real users.

1. Lock down Supabase Row Level Security

This is the single most important step. Lovable uses Supabase for its backend, and by default, RLS is often disabled or misconfigured on generated tables.

Without proper RLS policies, any authenticated user can read, update, or delete any row in your database — not just their own data. This isn't theoretical. It's the most common security mistake we find in Lovable apps.

What to check:

  • Go to your Supabase dashboard, open each table, and verify RLS is enabled
  • Ensure every table has policies that restrict access based on auth.uid()
  • Test by logging in as one user and attempting to access another user's data

Example policy for a projects table:

CREATE POLICY "Users can only see their own projects"
ON projects FOR SELECT
USING (auth.uid() = user_id);

Apply similar policies for INSERT, UPDATE, and DELETE operations.

2. Move secrets server-side

Check your Lovable-generated code for any API keys or secrets in client-side files. The Supabase anon key is fine in the browser — it's designed to be public. But any other keys (payment processors, email services, third-party APIs) must be server-side only.

Red flags to search for:

  • API keys in files under src/ that aren't SUPABASE_URL or SUPABASE_ANON_KEY
  • Hardcoded tokens or secrets in component files
  • Environment variables prefixed with VITE_ that contain sensitive values

3. Add input validation

Lovable generates forms that look great but often skip server-side validation. Client-side validation is for user experience. Server-side validation is for security.

For every form in your app:

  • Validate all fields on the server before writing to the database
  • Set maximum lengths to prevent abuse
  • Sanitise text inputs to prevent XSS
  • Validate URLs, emails, and other structured data with proper schemas

4. Handle authentication edge cases

Lovable's generated auth flows handle the happy path — sign up, log in, log out. But production auth needs to handle:

  • Expired sessions — What happens when a user's token expires mid-session?
  • Concurrent sessions — Can a user be logged in on multiple devices?
  • Password reset flow — Is it actually wired up and working?
  • OAuth callbacks — If you're using social login, are the redirect URLs configured for your production domain?

5. Set up error monitoring

If your app breaks in production and you don't have monitoring, you'll find out from an angry user instead of a dashboard.

Set up error tracking (Sentry is the standard choice) so you get alerted the moment something fails. This takes 15 minutes and saves hours of debugging. For a full breakdown of what causes production crashes, read why AI-generated apps keep crashing.

6. Configure your custom domain

When you connect a custom domain:

  • Ensure HTTPS is enforced (no HTTP access)
  • Update your Supabase auth settings with the new domain
  • Update any OAuth redirect URLs
  • Update your sitemap and canonical URLs

7. Add analytics

You need to know what users actually do in your app. Install analytics before launch so you have data from day one. At minimum, track:

  • Page views and user flows
  • Sign-up conversion rate
  • Key feature usage
  • Error rates

8. Test on real devices

Open your app on an actual phone. Not just browser dev tools — a real phone screen. Test every flow: sign up, core features, settings, log out. Mobile users are less forgiving of broken layouts and tiny tap targets.

The deployment checklist

Before going live, verify:

  • [ ] RLS enabled and tested on every Supabase table
  • [ ] No secrets in client-side code
  • [ ] Server-side validation on all form inputs
  • [ ] Auth edge cases handled (expired sessions, password reset)
  • [ ] Error monitoring installed and alerting
  • [ ] Custom domain with HTTPS enforced
  • [ ] Analytics tracking installed
  • [ ] Tested on real mobile devices
  • [ ] Rate limiting on public API endpoints
  • [ ] Backup strategy for your database

Need help?

If this checklist feels overwhelming, that's normal. Most Lovable apps need 1-2 weeks of focused hardening before they're genuinely production-ready.

Request a free auditwe specialise in Lovable apps and will send you a prioritised list of what needs fixing before launch.

Get articles like this in your inbox

Practical tips on shipping vibe-coded apps. No spam.

Keep reading

5 min readHow to Deploy a v0 App to Production (From UI Components to Full Product)5 min readHow to Deploy a Replit App to Production (And Whether to Stay on Replit)

Want to know where your app stands?

Get a free 5-point security snapshot from our dev team — no strings attached.

Get Free Audit →Book a Call