How to build AI tools securely (you’re probably doing it wrong)
1. Lock down API keys
- Store secrets in Vault (Supabase → Database → Vault) so keys never touch the client.
- For high‑value credentials like OpenAI or Stripe, route calls through a server function; never ship them in JavaScript.
- Rotate keys and keep them out of repos or logs—stick to environment variables backed by encrypted storage.
2. Add your own rate limits
- Supabase Auth throttles login endpoints by default, but Edge Functions & custom APIs aren’t rate‑limited out of the box.
- Drop a Redis‑based limiter in middleware, or prompt Lovable to scaffold limits on every endpoint.
3. Harden against DDoS
- Netlify’s free tier offers only basic protection; large floods still hit your origin and cost money.
- Use hosts with built‑in firewalls like Cloudflare “Under Attack” mode or Vercel Firewall DDoS mitigation.
4. Always enable Row‑Level Security (RLS)
- Supabase tables in the public schema are readable by any valid API key until you flip the RLS switch.
- Turn it on via Lovable’s UI or directly in Supabase Dashboard, then write policies that allow only the rows a user owns.
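The "only the rows a user owns" policy set from this step, written out as an added example rather than anything from the original post or Lovable's scaffolding. It assumes a Supabase Postgres project where `auth.uid()` returns the caller's user id from the JWT; the `notes` table and its columns are illustrative.

```sql
-- Added example: lock a hypothetical public.notes table down so each signed-in
-- user can only read and modify their own rows. Table/column names are assumed.
create table if not exists public.notes (
  id         bigint generated always as identity primary key,
  owner_id   uuid not null default auth.uid() references auth.users (id),
  body       text not null,
  created_at timestamptz not null default now()
);

-- Until this runs, any client holding the project's API key can read every row.
alter table public.notes enable row level security;

-- Make RLS apply even to the table owner, so a misconfigured role cannot bypass it.
alter table public.notes force row level security;

-- Read: only rows whose owner_id matches the caller.
create policy "notes_select_own" on public.notes
  for select to authenticated
  using (owner_id = auth.uid());

-- Insert: the new row must belong to the caller, whatever owner_id the client sends.
create policy "notes_insert_own" on public.notes
  for insert to authenticated
  with check (owner_id = auth.uid());

-- Update: callers may only touch their own rows and may not re-assign ownership.
create policy "notes_update_own" on public.notes
  for update to authenticated
  using (owner_id = auth.uid())
  with check (owner_id = auth.uid());

-- Delete: own rows only.
create policy "notes_delete_own" on public.notes
  for delete to authenticated
  using (owner_id = auth.uid());

-- Self-check with a test user's JWT: a request for someone else's id returns zero
-- rows rather than their note, which is what the DevTools audit in step 5 verifies.
```

Without a policy for a given command, RLS denies it entirely, so the anon role (which these policies do not mention) gets nothing from this table.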
5. Run a quick security audit before shipping
- Open DevTools → Network.
- Hunt for hard‑coded keys or tokens in request headers (a common slip-up).
- Verify responses aren’t over‑fetching (e.g., returning all users).
- Confirm RLS denies unauthorized requests—even if the client tampers with IDs.
6. Bonus: OAuth beats raw API keys for user auth
- OAuth tokens are short‑lived and scoped, reducing blast radius compared with long‑lived keys.
- Keys are still fine for server‑to‑server calls—just keep them server‑side and rotate often.
Key takeaways
- Vault + server functions keep secrets off the frontend.
- Manual rate limits & DDoS firewalls save you from surprise bills.
- RLS is mandatory—tables are public until you say otherwise.
- Audit in DevTools; if you can see a key, so can attackers.
- OAuth for users, keys for servers: that split gives you the best of both worlds.
Ship fast, but ship securely—your future self (and your users) will thank you.
Keep Vibing!