HackNope is a security scanning service designed for non-technical founders who build apps with AI coding tools like Cursor, Claude Code, Lovable, and Bolt. We scan your app for vulnerabilities and explain issues in plain English with ready-to-use AI fix prompts.

HackNope is built for indie hackers, solo founders, and non-technical creators who use vibe-coding tools to build production apps. If you've built an app with Lovable, Bolt, Base44, Cursor, or Claude Code and want to make sure it's secure, HackNope is for you.

What does HackNope scan for?

HackNope performs external scans checking security headers, TLS configuration, exposed endpoints, common misconfigurations, and known vulnerabilities. Internal scans (available on Fortress tier) also check authenticated endpoints, GitHub repos, and database configurations.

How much does HackNope cost?

HackNope offers three tiers: Scout (free, 3 scans/month), Guardian ($19/month, 100 scans with weekly monitoring), and Fortress ($49/month + usage, 300 scans with daily monitoring and internal scans).

What are AI fix prompts?

AI fix prompts are ready-to-use instructions that you can copy and paste into your AI coding assistant (like Cursor or Claude Code) to automatically fix security vulnerabilities. No security expertise required.

Is my app data safe with HackNope?

Yes. HackNope only performs external scans on publicly accessible endpoints by default. We never store your source code, and all scan data is encrypted. Internal scans require explicit authorization and are performed in isolated environments.

What is Row Level Security (RLS)?

RLS is a feature that lets you control which rows in a database table each user can see, edit, or delete. Think of it like having a bouncer at every table who checks IDs before letting anyone touch the data.

Is RLS enabled by default in Supabase?

No! RLS is disabled by default on new tables. This means anyone with your Supabase URL can potentially read all data in those tables. You must explicitly enable RLS and create policies.

Will RLS slow down my app?

Properly configured RLS has minimal performance impact. Supabase is optimized for RLS, and policies are evaluated at the database level which is very efficient.

Supabase Row Level Security: The Complete Guide for Lovable Apps

If you're building with Lovable and Supabase, Row Level Security (RLS) is the single most important security feature you need to understand. Get it wrong, and anyone can read your entire database. Get it right, and your users' data is locked down tight.

Why RLS Matters

Critical Risk

Immediate action required

Without RLS, your Supabase database is essentially public. Anyone who knows your project URL (which is in your frontend code) can query any table and read any data.

Here's what a hacker sees when they find an app without RLS:

// This works if RLS is disabled
const { data } = await supabase
  .from('users')
  .select('*')
 
// Returns ALL users, including emails, passwords, everything

Scary, right?

How RLS Works

Think of RLS as a bouncer at every table. Before any read or write happens, the bouncer checks:

Who is asking? (authenticated user, anonymous, or service role)
What are they trying to do? (SELECT, INSERT, UPDATE, DELETE)
Does it match our policy? (the rules you define)

If all checks pass, the operation proceeds. If not, it's blocked.

Step 1: Enable RLS on All Tables

Heads up

Never skip this step! Even if you don't have policies yet, enabling RLS blocks all access until you explicitly allow it. This is the safe default.

Go to your Supabase dashboard, then for each table:

Click on the table name
Go to "Policies" tab
Click "Enable RLS"

Or run this SQL for all your tables:

ALTER TABLE users ENABLE ROW LEVEL SECURITY;
ALTER TABLE posts ENABLE ROW LEVEL SECURITY;
ALTER TABLE comments ENABLE ROW LEVEL SECURITY;
-- Add all your tables here

Step 2: Create Basic Policies

Here are the most common policies you'll need:

Users Can Only See Their Own Data

CREATE POLICY "Users can view own data"
ON users
FOR SELECT
USING (auth.uid() = id);

Users Can Only Edit Their Own Data

CREATE POLICY "Users can update own data"
ON users
FOR UPDATE
USING (auth.uid() = id);

Anyone Can Read Public Content

CREATE POLICY "Public posts are visible to everyone"
ON posts
FOR SELECT
USING (is_public = true);
 
CREATE POLICY "Authors can see their own drafts"
ON posts
FOR SELECT
USING (auth.uid() = author_id);

Step 3: Test Your Policies

Pro tip

Always test RLS policies from the browser, not the Supabase dashboard. The dashboard uses the service role which bypasses RLS.

Create a test page in your app that tries to:

Read data that belongs to another user (should fail)
Update data that belongs to another user (should fail)
Read your own data (should work)
Update your own data (should work)

Common Mistakes

Mistake 1: Forgetting to Enable RLS

New tables have RLS disabled by default. Always enable it immediately after creating a table.

Mistake 2: Using Service Role in Frontend

High Risk

Fix as soon as possible

The service role key bypasses all RLS policies. Never use it in frontend code!

Use the anon key for frontend operations:

// GOOD - uses anon key, respects RLS
const supabase = createClient(url, ANON_KEY)
 
// BAD - bypasses RLS, exposes all data
const supabase = createClient(url, SERVICE_ROLE_KEY)

Mistake 3: Overly Permissive Policies

Don't create a policy that allows everything:

-- DON'T DO THIS!
CREATE POLICY "Allow all"
ON users
FOR ALL
USING (true);

RLS Cheat Sheet

I want to...	Policy Type	USING clause
Let users see their own data	SELECT	`auth.uid() = user_id`
Let users edit their own data	UPDATE	`auth.uid() = user_id`
Let anyone see public content	SELECT	`is_public = true`
Let admins see everything	SELECT	`auth.uid() IN (SELECT id FROM admins)`

Next Steps

Enable RLS on all your tables right now
Create policies for each table
Test from the browser (not the dashboard)
Scan with HackNope to catch any misconfigurations

AI Fix Prompt

Copy to Cursor, Claude Code, or Copilot

Review my Supabase schema and create RLS policies for all tables. Each user should only be able to read and modify their own data. Public content should be readable by everyone. Generate the SQL and explain what each policy does.

Need help? HackNope automatically detects RLS misconfigurations and generates the exact SQL policies you need.

Frequently Asked Questions

Written by

HackNope Team

The HackNope team helps non-technical founders secure their vibe-coded apps.

#supabase#rls#lovable#database#security-basics#postgresql#data-protection

Illustration of a protective security shield guarding a no-code web application - showing how HackNope protects Lovable, Bolt, and Base44 apps from hackers

Guides·4 min read

No-Code Security 101: A Plain English Guide

Everything non-technical founders need to know about securing their Lovable, Bolt, or Base44 app. No jargon, just actionable advice.

Dec 29, 2025

Frequently Asked Questions

HackNope Team

Related Articles

No-Code Security 101: A Plain English Guide