← Scan another app
LaunchCheck
Does your app actually work? Check before you show it to the world.
🔴
Not ready to launch — 3 serious issues to fix first
Scanned demo-app.lovable.app · Jul 6, 2026, 04:19 PM
🔴 2 critical🟠 1 high🟡 2 medium⚪ 2 low

Fix before you launch

🔴 Critical Security

Anyone on the internet can read your users' personal data

One or more of your database tables can be read by anyone — no login needed — and they contain personal information (emails, phone numbers, or payment details). Someone can copy your entire user list in seconds. In many countries this is also a legal violation (GDPR and similar) that you’re responsible for. Fix this before launch. If any of these tables is also writable, anyone could modify or delete your data too — check your INSERT/UPDATE/DELETE policies as well.

Using only the public anon key, these Supabase tables returned data without any login:
• "profiles" ⚠ personal data — readable without login. Columns: id, email, full_name, phone, created_at
• "orders" ⚠ personal data — readable without login. Columns: id, user_id, amount, stripe_customer_id, address

How we know: we queried this table using only your app’s public key — no login — and it returned real rows.

Paste this into Lovable / Bolt to fix it:
In my Supabase project, enable Row Level Security (RLS) on every table — especially profiles and orders. Add policies so each user can only read their own rows (auth.uid() = user_id), and remove any policy allowing anonymous or public reads of personal data. Then show me how to confirm no table is publicly readable.
🔴 Critical Security

OpenAI API key is exposed in your app’s code

An OpenAI API key is embedded in your app’s frontend code, which anyone can read by opening the browser tools. With this key, a stranger could run up your bill or access your account as you. Secret keys must live only on a server, never in the browser.

1 match(es):
• sk-proj-…redacted…a1B2  (in demo-app.lovable.app/…/index.js)

How we know: we found this key in plain text inside your app’s JavaScript, downloadable by anyone.

Paste this into Lovable / Bolt to fix it:
My deployed app at https://demo-app.lovable.app has an OpenAI API key hard-coded in its frontend JavaScript, where anyone can read it. Please remove this key from all frontend code immediately, rotate/revoke the exposed key, and move the secret to a secure backend or serverless function / environment variable so it never ships to the browser.
🟠 High Works?

Your app throws 3 JavaScript errors in the browser

These errors fire in visitors’ browsers while your app runs. Even if the page looks okay, errors like these often mean buttons, forms, or whole features quietly fail for real users.

3 distinct error(s):
• [uncaught exception] TypeError: Cannot read properties of undefined (reading ‘map’)
• [console.error] Failed to load resource: 500
• [uncaught exception] supabaseClient is not defined
Paste this into Lovable / Bolt to fix it:
My deployed app at https://demo-app.lovable.app is throwing JavaScript errors in the browser console. Here are the errors:
- Cannot read properties of undefined (reading ‘map’)
- Failed to load resource: 500
- supabaseClient is not defined

Please find the root cause of each and fix them so the browser console is clean with no errors on load.
🟡 Medium Ready?

Your live page still shows placeholder text

We found leftover placeholder or demo text on your live page. To a visitor this signals the app is unfinished and breaks trust at the exact moment you’re trying to win them over.

• Lorem ipsum filler text: “…hero subtitle Lorem ipsum dolor sit amet…”
• Unfilled "your app name" placeholder: “…© 2026 Your App Name…”
Paste this into Lovable / Bolt to fix it:
Find and replace all placeholder text on https://demo-app.lovable.app — search for "lorem ipsum", default template copy, and example placeholders — with real, final content.
🟡 Medium Works?

2 images on your app are broken

One or more images fail to load, so visitors see an empty box or a broken-image icon instead of a picture. It’s one of the first things people notice and makes the app look unfinished.

Broken image URL(s):
• demo-app.lovable.app/…/hero.png
• demo-app.lovable.app/…/logo.svg
Paste this into Lovable / Bolt to fix it:
My deployed app at https://demo-app.lovable.app has broken images that don’t load:
- /hero.png
- /logo.svg

Please fix each one — correct the image path/URL, re-upload the missing file, or replace it — so every image displays.
Nice to have / Hardening (2)
⚪ Low Security

Your app is missing 2 standard security headers

These are browser-level safety nets that most professional sites set. Missing them isn’t an emergency and won’t stop your launch, but adding them hardens your app against common attacks and is worth doing.

Missing:
• Content-Security-Policy — limits what code/content the page can load
• X-Frame-Options — stops other sites from embedding yours (clickjacking)
Paste this into Lovable / Bolt to fix it:
My deployed app at https://demo-app.lovable.app is missing these HTTP security headers: Content-Security-Policy, X-Frame-Options. Please configure my hosting/server to send them with sensible default values.
⚪ Low Ready?

No analytics detected — you won’t know if anyone visits

We couldn’t find any website analytics on your app. Without it, once you launch you’ll have no idea how many people come, which pages they use, or where they leave.

No known analytics tool (Google Analytics, Plausible, PostHog, etc.) was detected.
Paste this into Lovable / Bolt to fix it:
My deployed app at https://demo-app.lovable.app has no website analytics. Please add a simple, privacy-friendly analytics tool (for example Plausible) so I can see how many people visit.

What we checked

We ran 13 checks — 6 in good shape, 7 need attention.

Built something with AI too? Scan your app free before you launch → launchcheckapp.com