Skip to main content
Stackbastion

The production checklist for Lovable apps: 15 things to fix before real users arrive

7 July 2026· 5 min read · by Stackbastion

You vibe-coded something real with Lovable, Bolt, or Claude Code, and now people are actually using it. That’s a different job than building it. Production doesn’t care how the code was written; it only cares whether the basics hold. This is the same 15-point checklist we run on every free audit, so you can run it yourself first.

We built this list from the same pattern we see over and over in rescue work: a founder ships fast, the app works, and then one small thing (a leaked key, a backup nobody tested, an admin page nobody locked down) turns into the incident that costs a weekend or a customer’s trust. None of these 15 things are exotic. All of them are common, and all of them are fixable in an afternoon if you catch them before someone else does.

Every check below is something you can run against your own app, right now, in a few minutes each. Nothing here needs anyone’s permission but yours.

1. Frontend-bundle secrets

Open your site, view the page source, and list every <script src>. Fetch each one and grep it for key-shaped strings:

curl -s https://your-app.example.com/assets/index.js | grep -Eo "(sk_live_|service_role|SUPABASE_SERVICE|AIza|AKIA)[A-Za-z0-9_-]+"

If anything comes back, a database or payment key is sitting in code anyone can read. Rotate it today.

2. CORS

curl -s -i -H "Origin: https://evil.example" https://your-api.example.com/api/some-endpoint | grep -i "access-control-allow"

If you see Access-Control-Allow-Origin: * alongside Access-Control-Allow-Credentials: true, any website can make authenticated requests to your API on a logged-in user’s behalf.

3. Rate limiting

Send a small burst of requests at your login endpoint (10–15, no more):

for i in $(seq 1 12); do curl -s -o /dev/null -w "%{http_code}\n" -X POST https://your-app.example.com/api/login -d '{}'; done

If all 12 come back normal with no 429 or Retry-After, someone can brute-force logins all day.

4. Debug and stack-trace exposure

Send a deliberately malformed request and read the response body. A stack trace, a file path, or a framework debug page means your errors are handing attackers a map of your backend.

5. Backup existence

This one isn’t a command, it’s a question: does a backup exist, and have you ever actually restored from it? A backup you’ve never restored is a rumor, not a backup. If your platform’s default is a 14-day rolling snapshot you’ve never tested, that’s a warn, not a pass.

6. Authorization and row-level security

Try fetching another user’s record by ID using your app’s own public API key. If it comes back, your database’s row-level security isn’t doing its job, and one user can read another’s data.

7. TLS and HSTS

curl -s -I https://your-app.example.com | grep -i strict-transport-security

No HTTPS at all is a fail. HTTPS with no HSTS header is a warn.

8. Error and PII exposure

Sign up with an email you know is already registered. If the error message echoes that other account’s full email or name back to you, you’re leaking personal data through your own error handling.

9. Dependency CVEs

npm audit --production

Any critical or high-severity finding in a library you actually use in production is a fail.

10. Uptime monitoring

Do you have anything that pages you if the app goes down, or would you hear about it from a user first? No monitoring at all means your users are your monitoring.

11. Admin endpoints

for p in /admin /admin/login /_admin /dashboard/admin; do
  curl -s -o /dev/null -w "%{http_code} $p\n" https://your-app.example.com$p
done

A 200 with real functionality and no login prompt means your admin panel is open to the internet.

12. Client env-var misuse

grep -E "^(VITE_|NEXT_PUBLIC_|REACT_APP_)" .env.example .env 2>/dev/null

Anything with a secret-shaped value behind one of those prefixes is being shipped straight to the browser by design, not by accident, which is worse.

13. Logging and PII retention

Look at a sample of your recent logs. Raw passwords or full payment details, kept forever with no retention policy, is a GDPR problem waiting to surface at the worst time.

14. DNS and mail records

dig TXT yourdomain.com +short | grep spf
dig TXT _dmarc.yourdomain.com +short

No SPF and no DMARC means your domain’s mail can be spoofed, and your password-reset emails might not land at all.

15. Bus factor

If you disappeared for a week, could anyone else deploy a fix, restore a backup, or even get into the servers? “No” is the most common answer we see, and it’s the one check a rescue can’t fix by itself — only an ongoing second person can. Write down, right now, exactly who else has production access and where the credentials live. If the honest answer is “just me, on my laptop,” that’s your real single point of failure, more than any line of code.

Score yourself

Give each check 0 (fail), 1 (warn), or 2 (pass), and add them up out of 30. Below 15 is a real, current risk. 15–23 means the basics mostly hold but real gaps remain. 24 and up is a solid baseline, though check 15 rarely scores a 2 for a solo founder.

Or, we do it for you

If you’d rather have someone else run this list, fix what it finds, and set up backups and monitoring that actually work, get a free 15-point production audit. You get a scored report back in 48 hours, free, yours to keep whatever you decide. If you want it fixed, our rescue services cover exactly these 15 checks at a fixed price.

FAQ

How long does this checklist take to run?

Most of the 15 checks take a few minutes each if you have terminal access to your own app. Checks 5, 10, and 15 are conversations with yourself more than commands.

What if I fail most of these?

That’s normal for an app that grew faster than its ops setup. Fix the frontend-secrets and rate-limiting checks first; they’re both fast and both genuinely dangerous left open.

Is this the same checklist you use for paid audits?

Yes, exactly the same 15 checks, same scoring. The free version is you running it yourself; the paid audit is us running it and writing up the fixes.