Security·Lovable
SecurityLovable

Move API keys off the client bundleLovable

Keys in the JavaScript bundle are public. Attackers scan GitHub and deployed bundles for them 24/7. One exposed Stripe secret or OpenAI key can drain your account in hours.

rocket_launch

Fixing this in Lovable

AI full-stack app builder (React + Vite + Supabase)

Lovable runs React on Vite. `VITE_` prefixed vars leak to the client. Put secrets WITHOUT `VITE_` prefix in Lovable → Secrets, then call from a server route.

Lovable gotchas:

  • !Anything with `VITE_*` is client-visible by design — never put a service-role key there.

Using a different tool? Pick your stack:

LovableCursorBoltv0ReplitWindsurfClaude CodeBase44

The prompt for Lovable

Copy and paste this into your Lovable chat exactly as-is.

Fix my Lovable app — please make these exact changes in the Lovable editor:

CRITICAL: Move exposed API keys server-side immediately

1. I have accidentally exposed API keys in my frontend code. This is a critical security issue.
2. Move ALL API keys (OpenAI, Stripe, Anthropic, Supabase Service Role, AWS, SendGrid, etc.) to Supabase Edge Functions.
3. Create a Supabase Edge Function that makes the API call server-side and return only the result to the frontend.
4. Only the Supabase Anon Key should remain in the frontend code — everything else must be in Edge Function secrets.
5. After moving the keys, go to each provider dashboard and rotate/regenerate all leaked keys immediately — assume they are compromised.
6. Add /.env, /.env.local, and /.env.production to your .gitignore if not already there.

Why this matters

Every AI coding tool, when asked to integrate Stripe, OpenAI, or Supabase, has at some point written the secret key directly in a React component. The component ships to the browser, the browser downloads the JS bundle, the secret is now public forever — even after you "fix" it, attackers who scraped the bundle still have it.

Automated bots crawl GitHub, npm, Vercel deployments, and Lovable shares looking for exposed keys. The time from "key pushed" to "key abused" is often under 30 seconds. OpenAI has a team that watches for this and rotates keys automatically — but only if their detection catches it before an attacker does.

This is the #1 security finding in our audits of Lovable and Bolt apps. The fix is always the same: move the key to a server environment variable, create a backend endpoint that the client calls, and let the backend use the secret to talk to the real API.

How to use this prompt in Lovable

  1. 1. Open your Lovable project.
  2. 2. Copy the prompt above with the copy button.
  3. 3. Paste into the Lovable chat and send.
  4. 4. Review the diff, accept the changes, redeploy.
  5. 5. Verify the fix using the checklist below.

Common mistakes to avoid

  • error_outlineUsing `NEXT_PUBLIC_STRIPE_SECRET_KEY` — the prefix made it public. Every `NEXT_PUBLIC_*` ships to the browser.
  • error_outlineCalling OpenAI directly from a React component — the key is downloaded with the JS bundle.
  • error_outlineCommitting `.env` to git instead of `.env.local` — `.env` is often tracked by default.
  • error_outlineUsing the Supabase `service_role` key in a client — it bypasses RLS and reads/writes everything.
  • error_outlineShipping a key in an API route but logging `process.env` on error, leaking into logs.

How to verify the fix worked

  • check_circleOpen DevTools → Sources → search for the key value — must return 0 matches.
  • check_circle`curl https://yoursite.com/ | grep "sk_live"` — returns nothing for Stripe secret keys.
  • check_circleRotate the key after exposure — old keys are compromised forever even if "pulled".
  • check_circleSet up GitGuardian or git-secrets on the repo to catch future leaks pre-commit.

Frequently asked questions

What is the difference between anon and service-role Supabase keys?expand_more
The anon key is public by design and relies on Row Level Security for protection. The service role key bypasses RLS entirely — it must NEVER reach the client.
How do I tell if my key leaked?expand_more
Check your provider dashboard for unusual usage, scan the deployed bundle with `curl URL | grep "sk_"`, and search the public GitHub repo if it was pushed there.
Is the GitHub history a problem if I deleted the key?expand_more
Yes — the key is still in git history and rotation is the only real fix. Use `git filter-repo` to purge history, but always rotate first.

Want all 34 prompts tailored to your Lovable site?

Pantra scans your site in 10 seconds, detects the stack, and generates the exact prompts that apply — only the ones you actually need.

Scan my site

Related Lovable prompts

Security

Enable Supabase Row Level Security on every tableLovable

Prompt to enable RLS on every Supabase table and write sane policies — the #1 security fix for Lovable, Cursor, Bolt, v0, Replit, Windsurf, Claude Code, Base44 apps.

Security

Add security headers (CSP, HSTS, X-Frame, etc.)Lovable

Stack-specific prompt to ship Content-Security-Policy, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy in Lovable, Cursor, Bolt, v0, Replit, Windsurf, Claude Code, Base44.

Security

Force HTTPS and enable HSTSLovable

Prompt to redirect all HTTP to HTTPS and enable HSTS — non-negotiable for modern sites. Works in any stack.

Learn more in the Glossaryarrow_forward