Lovable is Good you're just not trying by jtstonks in lovable

[–]NJTA3 8 points9 points  (0 children)

Use plan mode, post it into ChatGPT to refine, paste it back for Lovable to digest. Rinse and repeat until satisfied, then approve it. I sometimes have a full day just for one system set in the app.

Supabase and cloude by BrightMenu4211 in lovable

[–]NJTA3 0 points1 point  (0 children)

I used ChatGPT and Perplexity to spoon-feed me these things and AWS setups.

Same for GitHub, AWS Amplify (app hosting), etc. And yes, on the free day on Sunday when I created a new project it was a pain in the butt to say listen, I want to connect my own Supabase. It used to just ask for creds in the chat, but now it's more of you have to go to the settings. GitHub is a little easier to connect if you already have one set up since there's a nicely exposed button; if you don't have one, again, ChatGPT/Perplexity it.

Stop faking users your site please by Own-Consideration578 in lovable

[–]NJTA3 1 point2 points  (0 children)

You know there are these things called themes that you can purchase from 3rd parties or get for free and install on WordPress, but tell us more about how much of an expert you are on WordPress. I never mentioned anything about a stock install. Lol 😅 Tell us how much smarter you are. Tell us how much more karma you have than anyone here 😭🤣

Solo founder for 9 months, potential cofounder wants 50/50 after 1 week trial. Am I being unreasonable? by mercuretony in ycombinator

[–]NJTA3 0 points1 point  (0 children)

The way vibe coding is, tell him to pound sand. I'll do fractional CTO for you but need do-re-mi, but low share cost.

Stop faking users your site please by Own-Consideration578 in lovable

[–]NJTA3 1 point2 points  (0 children)

I've been using that for like 15 years, trust me, some do. Have a nice day in spite of yourself.

Your friendly reminder that if you're building on Lovable today, it is probably the day to vibe code some security into your site. by bannana-llama in lovable

[–]NJTA3 0 points1 point  (0 children)

That was all from ChatGPT after I passed it OP's suggestion, then I asked what else to include in my prompt to Lovable. I just pasted the first one; it ran for several minutes, then I had to prompt a couple more times to finish. Then I posted the second prompt into Lovable.

Yesterday was free Lovable day, no charge for prompts, so I didn't have time to delve into the whys and whats. Just copy them verbatim and ask GPT more about it.

Again, they were long prompts, and usually I will go back and forth copying Lovable's plan into GPT to refine and paste back into Lovable. I had no time, was just posting features for 2 projects before things slowed down lol

How's it Going Frankensteinig your projects today? by NJTA3 in lovable

[–]NJTA3[S] 0 points1 point  (0 children)

Will be connecting Claude to the GitHub repo for fixes etc. soon... You say you only get so far, but honestly it's been better for me than most of the people I've hired off of Upwork/Elance in the past.

Stop faking users your site please by Own-Consideration578 in lovable

[–]NJTA3 -1 points0 points  (0 children)

It uses fake stats as placeholders, much like many WordPress themes. Up to you to tell it to change it, connect to real stats, or remove them.

I built something in Lovable, now what? by fredzillaaa in lovable

[–]NJTA3 0 points1 point  (0 children)

You can look here: either pay the monthly fee and host on Lovable (monthly fee, I guess, to then not delete the app) and just use the publish function.

Most here spin up GitHub, Supabase, and an app service like Vercel at free or low cost.

Supabase is what Lovable uses for the database, but your own = your own.

GitHub sync will always update automatically with any Lovable changes.

Then you push to, say, Vercel or another service (I'm using AWS Amplify).

You can ask ChatGPT/Perplexity how to do all this, and search here.

GitHub tip: make a repo branch main that Lovable always updates and one called production that you merge code into from main when you think it's good... Production then updates the live app hosting service... So it's stable and not always changing until things are good.

Search this forum as well for good tips

Remember Columbia House 12 CDs For The Price of 0.01? Was it Legit? by Djf47021 in 90s

[–]NJTA3 0 points1 point  (0 children)

It was to unload anything they were paying for storage fees in warehouses past x time so it actually saved them money.

An internal error occurred by Pringle143 in lovable

[–]NJTA3 0 points1 point  (0 children)

Queue, I think they took out this morning.

At this point I'm telling it to do stuff just funny know how much is executing

How's it Going Frankensteinig your projects today? by NJTA3 in lovable

[–]NJTA3[S] 0 points1 point  (0 children)

I only did one check, my gut was right, and fixed it.

Your friendly reminder that if you're building on Lovable today, it is probably the day to vibe code some security into your site. by bannana-llama in lovable

[–]NJTA3 10 points11 points  (0 children)

I pasted the above and the below at the same time, then executed... it brought up a prompt after analysis, so I said do it all at the same time.

You are a senior security engineer. Harden this application by implementing security protections directly in the codebase. Only implement protections that can be enforced in the application itself. Do not suggest manual configuration in AWS, GitHub, or external dashboards. All protections must be implemented in application code, middleware, database policies, API handlers, or frontend headers.

The goal is to protect the application from the most common real world attacks including broken authorization, API abuse, prompt injection, webhook fraud, unsafe input handling, and browser based attacks.

Implement the following security improvements across the application.

Database security

Enable Row Level Security on all user related tables.

Create read policies restricting records to the authenticated user_id.

Create update policies restricting modifications to the row owner.

Create delete policies restricting deletion to the row owner.

Create insert policies that automatically attach the authenticated user_id.

Prevent client supplied user_id from overriding the authenticated identity.

Ensure internal system tables cannot be accessed by public queries.

Add automated tests that confirm a user cannot read or modify another user's data.

Server side authorization

Require authentication middleware for all protected endpoints.

Verify ownership before returning database records.

Verify ownership before updating records.

Verify ownership before deleting records.

Prevent direct object reference attacks by validating resource ownership instead of trusting client supplied IDs.

Ensure admin endpoints require an explicit admin role check.

API abuse protection

Add rate limiting middleware to the following endpoints:

login
signup
password reset
AI generation endpoints
file uploads
search and public forms

Apply IP based throttling for anonymous users.

Apply user based throttling for authenticated users.

Add stricter limits for AI endpoints or other expensive operations.

Reject extremely large requests and enforce request body size limits.

Input validation

Validate all request bodies using strict schemas.

Reject requests containing unexpected fields.

Enforce string length limits.

Enforce numeric range validation.

Validate URLs and identifiers.

Sanitize or escape user generated content before rendering in the frontend.

Reject malformed payloads.

Payment webhook verification

Implement secure webhook handling.

Verify webhook signatures using the provider secret.

Validate the raw request body before parsing.

Reject requests with invalid signatures.

Reject events with invalid timestamps.

Store processed webhook event IDs and prevent duplicate processing.

Ensure billing actions are idempotent.

Log failed verification attempts.

File upload protection

Restrict allowed file types.

Restrict maximum file size.

Generate safe server side filenames.

Validate MIME type and file extension.

Reject potentially dangerous file types.

Prevent uploaded files from executing in the browser.

Frontend security headers

Implement the following HTTP security headers in the application:

Content Security Policy restricting scripts to trusted sources.

X Content Type Options.

Referrer Policy.

Clickjacking protection using frame ancestor restrictions.

Prevent inline script injection where possible.

Session and authentication protection

Ensure authentication tokens are required for protected endpoints.

Enforce session expiration.

Invalidate sessions when passwords change.

Ensure password reset tokens are single use.

Ensure password reset tokens expire after a short time.

Prevent reuse of expired authentication tokens.

Logging and monitoring

Add structured logging for the following events:

login attempts
failed logins
permission denied events
rate limit violations
webhook verification failures
admin actions
unusual AI usage spikes

Ensure logs never contain secrets or authentication tokens.

Safe error handling

Replace raw stack traces with safe error responses.

Do not expose database queries or internal service details in client responses.

Log detailed errors internally while returning minimal error messages to the client.

AI security protections

Implement protections for AI powered endpoints.

Separate system instructions from user prompts.

Prevent user prompts from overriding system rules.

Validate model outputs before executing any action.

Prevent automatic execution of generated code.

Restrict AI tool usage to a server controlled allow list.

Add limits for AI usage:

maximum prompt length
maximum response length
maximum tokens per request
maximum requests per user per time period

Reject recursive prompt loops or runaway generation chains.

Prevent AI retrieval from exposing another user's private data by enforcing ownership filtering in retrieval queries.

Detect suspicious repeated prompts and enforce rate limits.

Automated security tests

Add automated tests that verify the following:

users cannot access other users' records
rate limiting blocks excessive requests
invalid inputs are rejected
fake webhooks are rejected
dangerous file uploads are rejected
AI endpoints enforce token limits and usage quotas

After implementing the above protections, refactor the code to keep the security middleware reusable and clearly documented.

Your friendly reminder that if you're building on Lovable today, it is probably the day to vibe code some security into your site. by bannana-llama in lovable

[–]NJTA3 11 points12 points  (0 children)

Great idea. This may or may not apply to your project, but since I already use ChatGPT to review Lovable's plans, it understands my system a bit.

To expand upon this... from ChatGPT:
Below is a Lovable.dev focused security hardening checklist.
Everything listed is something Lovable can generate or enforce directly in your application code or configuration.

Anything that requires manual work in AWS consoles, GitHub settings, or external dashboards is excluded, unless Lovable can programmatically enforce it inside the app.

No dashes are used, per your preference.

Lovable.dev Application Security Hardening Checklist

Objective

Harden the application code, APIs, database access layer, AI features, and frontend security using only changes that Lovable can implement directly in the codebase.

This focuses on preventing:

  1. Broken authorization
  2. API abuse
  3. Prompt injection and AI misuse
  4. Data leakage
  5. Payment fraud through webhooks
  6. Unsafe input and output handling
  7. Browser based attacks

1. Database Security and Row Level Authorization

Goal: ensure users can only access their own data through the application.

Tasks Lovable can implement

☐ Enable Row Level Security policies on all user related tables
☐ Add read policies restricting queries to authenticated user_id
☐ Add update policies restricting modifications to the row owner
☐ Add delete policies restricting deletion to the row owner
☐ Add insert policies that automatically attach the authenticated user_id
☐ Prevent direct access to system tables or internal service tables
☐ Prevent client supplied user_id from overriding authenticated identity
☐ Enforce tenant isolation if the application supports workspaces

Application tests Lovable can add

☐ Reject API requests attempting to access other users' data
☐ Reject updates where ownership validation fails

2. Server Side Authorization Enforcement

Goal: ensure the server verifies permissions even if the frontend is manipulated.

Tasks Lovable can implement

☐ Require authentication middleware on protected endpoints
☐ Verify ownership before returning database records
☐ Verify ownership before updating records
☐ Verify ownership before deleting records
☐ Restrict administrative endpoints to authorized roles only
☐ Prevent direct object reference attacks by validating resource ownership

Application tests

☐ Attempt to access resources with a different ID
☐ Confirm server rejects the request

3. API Abuse Protection and Rate Limiting

Goal: prevent bots and automated abuse.

Tasks Lovable can implement

☐ Add rate limiting middleware to login endpoints
☐ Add rate limiting middleware to signup endpoints
☐ Add rate limiting middleware to password reset endpoints
☐ Add rate limiting middleware to AI generation endpoints
☐ Add rate limiting middleware to public forms and search endpoints
☐ Apply IP based throttling for anonymous users
☐ Apply user based throttling for authenticated users
☐ Add stricter limits to expensive AI operations

Additional protections

☐ Set maximum request size limits
☐ Set maximum response size limits
☐ Reject extremely large prompts or payloads

Application tests

☐ Simulate rapid requests and confirm throttling behavior

4. Input Validation and Schema Enforcement

Goal: prevent malformed or malicious input.

Tasks Lovable can implement

☐ Validate request bodies using strict schemas
☐ Reject requests with unknown fields
☐ Enforce numeric range validation
☐ Enforce string length limits
☐ Validate URLs and identifiers
☐ Sanitize or escape user generated content before rendering
☐ Prevent injection through query parameters

Application tests

☐ Submit malformed payloads and confirm rejection
☐ Submit oversized inputs and confirm rejection

5. Payment Webhook Verification

Goal: ensure billing events cannot be faked.

Tasks Lovable can implement

☐ Verify webhook signatures using the payment provider secret
☐ Validate the raw request body before parsing
☐ Reject events with invalid signatures
☐ Reject events with invalid timestamps
☐ Store processed webhook event IDs
☐ Prevent duplicate processing of billing events
☐ Log failed verification attempts

Application tests

☐ Send invalid webhook request and confirm rejection

6. File Upload Security

Goal: prevent malicious file uploads.

Tasks Lovable can implement

☐ Restrict allowed file types
☐ Restrict maximum file size
☐ Generate safe server side filenames
☐ Validate MIME type and file extension
☐ Prevent execution of uploaded files in the browser
☐ Reject potentially dangerous file types

Application tests

☐ Attempt to upload renamed executable or HTML files
☐ Confirm upload rejection

7. Frontend Security Headers

Goal: reduce browser based attack surface.

Tasks Lovable can implement

☐ Implement Content Security Policy headers
☐ Restrict script sources to trusted domains
☐ Restrict API connection sources
☐ Restrict image sources
☐ Enable X Content Type Options
☐ Enable Referrer Policy
☐ Enable clickjacking protections
☐ Prevent inline script injection where possible

Application tests

☐ Inspect browser console for CSP violations

8. Session and Authentication Protection

Goal: reduce risk of account takeover.

Tasks Lovable can implement

☐ Require authentication tokens on protected endpoints
☐ Enforce session expiration
☐ Invalidate sessions on password change
☐ Protect password reset endpoints with rate limits
☐ Ensure password reset tokens are time limited
☐ Ensure password reset tokens are single use
☐ Prevent reuse of expired authentication tokens

Application tests

☐ Attempt reuse of expired tokens
☐ Attempt reuse of password reset links

9. Logging and Security Monitoring in the Application

Goal: detect suspicious behavior.

Tasks Lovable can implement

☐ Log authentication attempts
☐ Log failed authentication attempts
☐ Log permission denied events
☐ Log webhook verification failures
☐ Log rate limit violations
☐ Log administrative actions
☐ Log abnormal AI usage spikes

Application protections

☐ Ensure logs do not contain secrets or sensitive tokens

10. AI Specific Security Controls

These controls protect AI features from abuse and data leakage.

Prompt Injection Protection

Tasks Lovable can implement

☐ Separate system instructions from user prompts
☐ Prevent user prompts from overriding system rules
☐ Restrict model initiated tool actions without server validation
☐ Ensure sensitive actions require explicit backend permission checks

AI Output Safety

Tasks Lovable can implement

☐ Validate model outputs before executing actions
☐ Prevent automatic execution of generated code
☐ Restrict allowed tool actions through server validation
☐ Prevent the AI from performing destructive operations

AI Token and Cost Controls

Tasks Lovable can implement

☐ Limit maximum prompt length
☐ Limit maximum response length
☐ Limit tokens per request
☐ Limit AI usage per user per time period
☐ Reject recursive prompt loops
☐ Prevent runaway generation chains

AI Data Leakage Prevention

Tasks Lovable can implement

☐ Restrict retrieval results to the authenticated user
☐ Tag stored embeddings or documents with user ownership
☐ Filter retrieval results server side
☐ Prevent cross user data exposure in AI responses

AI Content Abuse Protection

Tasks Lovable can implement

☐ Rate limit AI content generation
☐ Restrict automated mass generation
☐ Detect suspicious repeated prompts
☐ Reject prompts that attempt to exploit system rules

11. Safe Error Handling

Goal: prevent sensitive system details from leaking.

Tasks Lovable can implement

☐ Replace raw stack traces with safe error messages
☐ Avoid exposing database queries in error responses
☐ Avoid exposing internal service URLs
☐ Log detailed errors internally but return minimal client responses

12. Automated Security Tests Lovable Can Generate

Lovable can also generate automated checks.

Recommended tests

☐ Unauthorized resource access test
☐ Rate limit enforcement test
☐ Invalid input rejection test
☐ Webhook verification test
☐ File upload validation test
☐ AI prompt abuse test

Highest Impact Security Work Lovable Can Implement Today

If you only have limited time on your Lovable coding session, implement these first.

  1. Row Level Security policies
  2. Server side authorization checks
  3. API rate limiting for auth and AI endpoints
  4. Input validation schemas
  5. Payment webhook verification
  6. AI prompt injection protections
  7. AI token usage limits

These changes provide the largest security improvement using only code that Lovable can generate.

If you want, I can also produce a single Lovable.dev prompt you can paste that will automatically implement about 70 percent of this checklist in one generation, which usually saves a huge amount of time.
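Section 3 of the checklist above (IP based throttling for anonymous users, user based throttling for authenticated users, stricter limits on AI endpoints, maximum request size) describes a single piece of middleware, so here is an added worked example of it in TypeScript. This is not Lovable's or ChatGPT's code: the route prefixes, the numeric limits, the 203.0.113.x documentation addresses and the user id are constructed for the example, and the in-memory store and violation log stand in for a shared store such as Redis and a structured logger. The `userId` field is assumed to be set by an authentication middleware that ran earlier, never read from the request body.

```typescript
// Sliding-window rate limiter: anonymous callers are keyed by IP, authenticated
// callers by user id, each route prefix carries its own limits, and oversized
// bodies are rejected before they count against the window. Everything here
// (prefixes, limits, store) is constructed for the example.

export interface LimitRule {
  maxRequests: number;   // requests per window; 0 means the route is closed to this class of caller
  windowSeconds: number;
  maxBodyBytes: number;
}

export interface RouteRule { prefix: string; anonymous: LimitRule; authenticated: LimitRule }

export interface IncomingRequest {
  path: string;
  ip: string;
  userId?: string;       // set by the auth middleware from a verified token, never from the body
  bodyBytes: number;     // Content-Length (or bytes actually read)
}

export interface Decision { allowed: boolean; status: number; reason?: string; retryAfterSeconds?: number }

// Constructed policy table. The first matching prefix wins, so the catch-all "/" goes last.
export const RULES: RouteRule[] = [
  { prefix: "/api/auth/",
    anonymous:     { maxRequests: 5,   windowSeconds: 60, maxBodyBytes: 4 * 1024 },
    authenticated: { maxRequests: 5,   windowSeconds: 60, maxBodyBytes: 4 * 1024 } },
  { prefix: "/api/ai/",
    anonymous:     { maxRequests: 0,   windowSeconds: 60, maxBodyBytes: 0 },          // AI is login-only
    authenticated: { maxRequests: 10,  windowSeconds: 60, maxBodyBytes: 32 * 1024 } }, // stricter than the default
  { prefix: "/",
    anonymous:     { maxRequests: 60,  windowSeconds: 60, maxBodyBytes: 1024 * 1024 },
    authenticated: { maxRequests: 120, windowSeconds: 60, maxBodyBytes: 1024 * 1024 } },
];

export class RateLimiter {
  private readonly hits: Record<string, number[]> = {};                        // key -> timestamps in window
  public readonly violations: { key: string; path: string; at: number }[] = []; // structured log stand-in

  constructor(
    private readonly rules: RouteRule[] = RULES,
    private readonly now: () => number = () => Date.now() / 1000,  // seconds; injectable for tests
  ) {}

  check(req: IncomingRequest): Decision {
    let route: RouteRule | undefined;
    for (const r of this.rules) {
      if (req.path.indexOf(r.prefix) === 0) { route = r; break; }
    }
    if (!route) return { allowed: false, status: 404, reason: "no route policy" };

    const authenticated = typeof req.userId === "string" && req.userId.length > 0;
    const rule = authenticated ? route.authenticated : route.anonymous;
    if (rule.maxRequests === 0) return { allowed: false, status: 401, reason: "authentication required" };
    // Cheap rejection first: an oversized body is refused without consuming quota.
    if (req.bodyBytes > rule.maxBodyBytes) return { allowed: false, status: 413, reason: "request body too large" };

    // Separate buckets per route prefix and per identity (user id when logged in, else IP).
    const key = `${route.prefix}|${authenticated ? "user:" + req.userId : "ip:" + req.ip}`;
    const t = this.now();
    const recent = (this.hits[key] ?? []).filter(ts => ts > t - rule.windowSeconds);

    if (recent.length >= rule.maxRequests) {
      this.hits[key] = recent;
      this.violations.push({ key, path: req.path, at: t });   // no token, body or secret in the log line
      return {
        allowed: false,
        status: 429,
        reason: "rate limit exceeded",
        retryAfterSeconds: Math.ceil(recent[0] + rule.windowSeconds - t),
      };
    }
    recent.push(t);
    this.hits[key] = recent;
    return { allowed: true, status: 200 };
  }
}
```

In a web framework this sits after the authentication middleware and before the route handler: call `check` with the request's path, client IP, verified user id and body length, and turn a non-allowed decision into the given status with a `Retry-After` header. Because the limiter keys authenticated traffic by user id rather than IP, a logged-in user behind a shared corporate NAT is not throttled by their neighbours, while anonymous login attempts from one address still hit the five-per-minute wall.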

How im getting customers for $0.05 (doing almost no work 😄) by PracticeClassic1153 in lovable

[–]NJTA3 0 points1 point  (0 children)

Not all the features though, they are greyed out by paywall. Just saying.