Security Audit
Catch RLS leaks before launch
AI coding tools love to ship apps with disabled Row Level Security, hardcoded API keys in JS bundles and missing security headers. Pantra scans for the exact patterns that have caused every public Lovable and Cursor data leak so far — and tells you how to fix them in your stack.
The vibe-coded data leak epidemic
In 2024–2025 dozens of Lovable, Bolt and Cursor apps were found leaking entire user tables through the public Supabase REST endpoint — because the app was built with AI assistance, the developer never thought to enable Row Level Security. Others shipped their SUPABASE_SERVICE_ROLE_KEY bundled into the frontend JS. This is not a theoretical risk. It is the single most common way an AI-built app goes public and gets dumped on a Telegram channel within 48 hours.
Every check Pantra runs
| Check | Severity | What we check | Why it matters |
|---|---|---|---|
| Supabase RLS probe | Critical | Detects the Supabase anon key, enumerates tables via REST, and checks whether unauthenticated SELECT succeeds | If RLS is off, anyone can read every row in your database. |
| Service-role key exposure | Critical | Regex scan of the JS bundle for SUPABASE_SERVICE_ROLE_KEY and other admin-level tokens | A leaked service role key bypasses RLS entirely — full database access. |
| Stripe / OpenAI / Anthropic keys in client | Critical | Pattern-based detection of sk_live_, sk-proj-, sk-ant- in the JS bundle | Anyone viewing source can drain your OpenAI credits or issue Stripe charges. |
| Content-Security-Policy header | High | Checks for a CSP header and flags unsafe-inline/unsafe-eval directives | The single strongest defense against XSS and supply-chain attacks. |
| Strict-Transport-Security (HSTS) | High | Presence of HSTS header with reasonable max-age | Prevents protocol-downgrade attacks on login pages. |
| X-Frame-Options / frame-ancestors | High | Prevents the page from being framed by malicious sites (clickjacking) | Without this, an attacker can frame your app and hijack clicks. |
| HTTPS enforcement | High | HTTP requests redirect to HTTPS; certificate is valid; no mixed content | Any HTTP leg is a session-hijack vector on public Wi-Fi. |
| X-Content-Type-Options: nosniff | Medium | Prevents browser MIME-sniffing | Blocks a class of attacks where uploaded files are interpreted as JS. |
| Referrer-Policy header | Medium | Set to at least strict-origin-when-cross-origin | Prevents leaking internal URLs to third parties via the Referer. |
| Permissions-Policy header | Medium | Restricts access to sensitive browser APIs (camera, geolocation, microphone) | Limits the blast radius if a third-party script is compromised. |
| Public-facing Supabase REST exposure | Medium | Checks that the Supabase project URL is not leaked in client-side XHR patterns if it was not intended to be public | Some apps try to keep their Supabase URL private via proxies; we flag accidental leaks. |
| Server banner disclosure | Low | Server and x-powered-by headers do not leak specific versions | Version-specific banners help attackers pick CVEs targeted at you. |
| Dependency CVE summary | Info | Public bundle analyzed for known-vulnerable library versions (opt-in heuristic) | Old React, Axios, Lodash versions have public CVEs still exploited in the wild. |
How the security scan works
1. External probe only — never authenticated
Pantra only accesses what an attacker on the public internet can access. We never ask for credentials, never log into your account, never hit authenticated routes. Everything we find is something a malicious actor would also find in 90 seconds.
2. JS bundle fetch and parse
We pull every script tag, fetch the bundle, and run regex patterns tuned to the anon-key, service-role-key and common LLM/payment API key shapes. Minified code is deobfuscated enough to catch concatenated keys.
3. Supabase REST probe (read-only)
If we find a Supabase project, we issue an unauthenticated GET against /rest/v1/ with the anon key. If tables respond with rows — RLS is off. We never write or modify data.
4. Header evaluation
HEAD and GET responses are analyzed against OWASP Secure Headers Project baselines. Missing or weak headers get severity-ranked findings.
5. Stack-aware fix-prompt
Fixes differ by stack. Enabling RLS in Lovable means a SQL migration in the Supabase editor; in Next.js it means a middleware + server-component pattern. The prompt reflects that.
Sample fix-prompt for a Supabase + Lovable app
Fix these critical security issues in my Lovable app right now:
1. ENABLE ROW LEVEL SECURITY on every public-facing Supabase table.
In the Supabase SQL editor, run for each table:
alter table public.{table} enable row level security;
Then add policies:
create policy "owner can read" on public.{table}
for select using (auth.uid() = user_id);
create policy "owner can write" on public.{table}
for insert with check (auth.uid() = user_id);
2. REMOVE the SERVICE_ROLE key from the frontend.
- Delete any import.meta.env.VITE_SUPABASE_SERVICE_ROLE_KEY usage.
- Move admin operations into an Edge Function that reads the key from
the Supabase project secrets.
3. REMOVE any sk_live_ / sk-proj- / sk-ant- keys from client code.
Those keys belong server-side only. Proxy the call through an Edge
Function or a Next.js API route.
4. ADD security headers via a Supabase Edge Function or your host config:
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
5. FORCE HTTPS by enabling the "Always use HTTPS" toggle in your hosting
provider (Vercel, Netlify, Cloudflare Pages all expose this).Stacks we auto-detect for fix-prompts
Pantra vs. manual pen-test vs. free scanners
Free scanners like securityheaders.com check headers — nothing else. Manual pen-tests cost €3k–€15k. Pantra closes the 80/20 gap: catches the issues that have actually leaked apps in the wild.
| Aspect | Manual | Other tools | Pantra |
|---|---|---|---|
| RLS detection | Requires database expert | Not checked | Probe-based, every scan |
| Exposed API key detection | Code review | Basic pattern match | Stripe / OpenAI / Anthropic / Supabase patterns |
| Header audit | Manual curl | Yes | Yes, with remediation prompt |
| Stack-specific remediation | Depends on consultant | No | Lovable / Cursor / Bolt / v0 / Next.js |
| Price | €3k–€15k per audit | Free (but shallow) | From $19/month, daily auto |
Works great with
Which plan includes this
Included on every plan. RLS probes and key-exposure scans are always enabled.
Common questions
Does Pantra access my database directly?add
No. We only probe publicly accessible endpoints with the anon key that is already shipped to every visitor. Read-only. Exactly what an attacker would do.
What if my anon key has RLS correctly configured — will you flag a false positive?add
No. If RLS is on and policies block anonymous reads, the probe returns an empty array or a permission-denied error. That is a pass. Green check, no finding.
Is Pantra a replacement for a real security audit?add
No. Pantra catches the 15-20 issues that cause 90% of vibe-coded leaks. It does not replace a SOC 2 audit, a professional pen-test, or a cryptographic review for a financial product.
Can I exclude the Supabase RLS probe?add
Yes, via an Agency-plan setting. Most users keep it on — the probe is non-destructive and matches what any attacker would do on day one.
What if I use Firebase or Neon instead of Supabase?add
We still scan headers, HTTPS and leaked API keys. RLS probes are currently Supabase-only; Firebase Firestore rule probes are on the roadmap.
Do you store my scan results?add
Yes, inside your account, so the dashboard can show trends. You can delete all history at any time. Public scans (no account) are retained for 30 days then purged.
Will a fix-prompt break my app?add
Enabling RLS WILL break queries that rely on unauthenticated reads. That is the point. The fix-prompt tells the AI to add proper policies so the app keeps working for logged-in users.
How often should I scan for security?add
Daily. AI tools regenerate code on every change; a safe app at lunchtime can leak by evening because a feature added a new table without RLS. That is why every Pantra plan runs a full scan every 24 hours.
Can I share the results with my CTO or client?add
Yes. Every scan has a public shareable URL on pantra.io/scan/[domain]. Pro and Agency let you remove the Pantra badge from those pages.
What about OWASP Top 10?add
Pantra covers the OWASP issues that manifest as misconfigurations visible from the outside — broken access control (RLS), cryptographic failures (HTTP leg), security misconfiguration (headers), vulnerable components (dependency banners). Issues that require authenticated access, like SSRF or business-logic flaws, need a traditional pen-test.