How long did this audit take?

The full audit was delivered within 3 business days. The most critical security fixes took the founder just hours to implement.

What was the most critical finding?

Missing row-level security on Supabase tables. Any authenticated user could read or modify other users' data by changing the ID in API requests.

What tools was the app built with?

The app was built with Lovable using React and Supabase. It included AI integrations and a multi-step onboarding flow.

Case Study: SaaS App Audit

What we were looking at

A SaaS platform connecting users with opportunities using AI matching

The founder built this app using Lovable to move fast. The core flow: users create a profile, upload documents, and the app uses AI to match them with relevant opportunities. It connects to several outside services for data, AI matching, and email.

On the surface, the app worked. Users could sign up, upload documents, search for opportunities, and track their activity. The question was whether it was safe to put real users on it.

Not everything was broken

The audit found real strengths alongside the problems

User data was locked down

Data protection rules were in place on every database table. Users could only see their own data. This was set up correctly from the start.

Login checks on most features

Most of the app’s behind-the-scenes features properly checked that users were logged in. The pattern was there, just not applied everywhere.

Usage limits already built

The tools to prevent abuse were already in the app. They just weren’t connected to the features that needed them most.

Good error handling

When outside services failed or were overloaded, the app handled it gracefully instead of crashing. The defensive patterns were solid.

Key Takeaway

The foundation was good. The gaps were in consistency.

The security patterns already existed in some places. The roadmap focused on applying them everywhere. Targeted fixes, not a rebuild.

What would have caused real damage

4 findings that needed to be fixed before any public access

CriticalAnyone can use the search feature without being logged in

The search feature calls paid outside services every time someone uses it, but it doesn’t check whether the person is logged in first. Anyone who figures out the right URL can use it directly. A single script could run up the bill in under an hour.

// supabase/functions/[redacted]/index.ts// No JWT verification
Request → parse JSON → call third-party API
// No rate limiting, no usage caps, no auth check

Suggested Approach

Add a login check (the pattern already exists elsewhere in the app), add limits on how often each user can search, and set a daily cap.

CriticalAnyone can read other users’ personal information

The AI matching feature trusts whoever calls it to say which user they are. It then uses a special admin-level connection to read that user’s personal data. Anyone can read anyone else’s personal information just by guessing their user ID.

// supabase/functions/[redacted]/index.tsconst { userId } = await req.json() // trusts the caller
const client = createClient(url, SERVICE_ROLE_KEY) // bypasses RLS
// Anyone can read any user's skills, job title, location

The audit also found: private keys accidentally saved in the project files and no restrictions on which websites can talk to the app. Both critical, both fixable in under 2 hours combined.

Where it breaks under load

Cost exposure was the biggest risk

The Core Problem

Features that call paid services with no login check and no usage limits.

The audit estimated costs from 10 users to 1,000+ and found that without login checks and usage limits, a single script could drain the budget in under an hour. The report included exact cost projections and which features were responsible.

Beyond security

The audit covered UX, accessibility, performance, code quality, and test coverage

CriticalNo safety net. The entire test setup was a single placeholder that didn’t check anything.

HighThe app wasn’t usable with screen readers or keyboard navigation. Users with disabilities couldn’t use it.

MediumStill showing the AI tool’s default metadata in page titles, descriptions, and share links.

Low“Apply” button didn’t actually submit anything. Users could believe they’d applied when they hadn’t.

Plus 18 more findings across performance, code quality, architecture, and scalability. Each with severity, evidence, and a suggested approach with effort estimate.

Production readiness roadmap

26 findings, organized into 4 phases by priority

Phase 1

Before any public access

2-3 days

Close all critical security issues. Login checks, usage limits, website restrictions, and input safety.

Phase 2

First sprint post-launch

3-5 days

Speed, accessibility, and code quality fixes. Make the app faster and easier to use for everyone.

Phase 3

First month

5-8 days

Add a safety net for future changes, speed up loading, and clean up unused pieces.

Phase 4

Ongoing

Continuous

Keep an eye on things, make the app fully accessible, add thorough testing, review outside services.

The Bottom Line

Phase 1 takes 2-3 days and closes all critical vulnerabilities.

The audit turned 26 unknown unknowns into a prioritized, actionable roadmap. Every finding includes severity, code evidence, a suggested approach, and an effort estimate.

What we were looking at

A SaaS platform connecting users with opportunities using AI matching

On the surface, the app worked. Users could sign up, upload documents, search for opportunities, and track their activity. The question was whether it was safe to put real users on it.

Not everything was broken

The audit found real strengths alongside the problems

User data was locked down

Data protection rules were in place on every database table. Users could only see their own data. This was set up correctly from the start.

Login checks on most features

Most of the app’s behind-the-scenes features properly checked that users were logged in. The pattern was there, just not applied everywhere.

Usage limits already built

The tools to prevent abuse were already in the app. They just weren’t connected to the features that needed them most.

Good error handling

When outside services failed or were overloaded, the app handled it gracefully instead of crashing. The defensive patterns were solid.

Key Takeaway

The foundation was good. The gaps were in consistency.

The security patterns already existed in some places. The roadmap focused on applying them everywhere. Targeted fixes, not a rebuild.

What would have caused real damage

4 findings that needed to be fixed before any public access

CriticalAnyone can use the search feature without being logged in

// supabase/functions/[redacted]/index.ts// No JWT verification
Request → parse JSON → call third-party API
// No rate limiting, no usage caps, no auth check

Suggested Approach

Add a login check (the pattern already exists elsewhere in the app), add limits on how often each user can search, and set a daily cap.

CriticalAnyone can read other users’ personal information

The audit also found: private keys accidentally saved in the project files and no restrictions on which websites can talk to the app. Both critical, both fixable in under 2 hours combined.

Where it breaks under load

Cost exposure was the biggest risk

The Core Problem

Features that call paid services with no login check and no usage limits.

Beyond security

The audit covered UX, accessibility, performance, code quality, and test coverage

CriticalNo safety net. The entire test setup was a single placeholder that didn’t check anything.

HighThe app wasn’t usable with screen readers or keyboard navigation. Users with disabilities couldn’t use it.

MediumStill showing the AI tool’s default metadata in page titles, descriptions, and share links.

Low“Apply” button didn’t actually submit anything. Users could believe they’d applied when they hadn’t.

Plus 18 more findings across performance, code quality, architecture, and scalability. Each with severity, evidence, and a suggested approach with effort estimate.

Production readiness roadmap

26 findings, organized into 4 phases by priority

Phase 1

Before any public access

2-3 days

Close all critical security issues. Login checks, usage limits, website restrictions, and input safety.

Phase 2

First sprint post-launch

3-5 days

Speed, accessibility, and code quality fixes. Make the app faster and easier to use for everyone.

Phase 3

First month

5-8 days

Add a safety net for future changes, speed up loading, and clean up unused pieces.

Phase 4

Ongoing

Continuous

Keep an eye on things, make the app fully accessible, add thorough testing, review outside services.

The Bottom Line

Phase 1 takes 2-3 days and closes all critical vulnerabilities.

The audit turned 26 unknown unknowns into a prioritized, actionable roadmap. Every finding includes severity, code evidence, a suggested approach, and an effort estimate.

A Lovable-built app. 26 findings. No safety net. A clear path to launch.

What we were looking at

Not everything was broken

User data was locked down

Login checks on most features

Usage limits already built

Good error handling

What would have caused real damage

Where it breaks under load

Beyond security

Production readiness roadmap

Let’s figure out what you need.

Your app might have the same gaps.

A Lovable-built app. 26 findings. No safety net. A clear path to launch.

What we were looking at

Not everything was broken

User data was locked down

Login checks on most features

Usage limits already built

Good error handling

What would have caused real damage

Where it breaks under load

Beyond security

Production readiness roadmap

Let’s figure out what you need.

Your app might have the same gaps.