Is v0 safe?
Is a v0-built app safe to ship?
v0 is very good at the frontend; that is what it is built for. The security gap does not live in the component code. It lives in whatever backend you wire that component to, and in how carefully that wiring checks each request before answering it.
What v0 actually does well
- Generates clean, close-to-hand-written React and Next.js components fast.
- Output is genuinely easy to keep editing afterward, not throwaway scaffolding.
- Integrates naturally with a Vercel deploy pipeline.
The gap: what the generated component is calling
Because v0 focuses on the UI layer, the risk shows up one step downstream. A generated component that fetches directly from Supabase carries the same RLS-off risk as any other Supabase-backed app. A component that calls a Next.js API route carries risk if that route never checks the session before running its query, since the route itself is reachable by anyone who sends a request to it directly, not only from the button in your UI.
Check v0 for this yourself right now
About 60 seconds, works whether your backend is Supabase or a custom API route.
1. Open your live app, open devtools, go to the Network tab, and reload the page or trigger the feature you want to check.
2. Find the request that loads the data, and note whether it goes to a supabase.co domain or to your own /api/ route.
3. For Supabase: copy the apikey header and run curl "https://<project>.supabase.co/rest/v1/<table>?select=*&limit=1" -H "apikey: <anon-key>" with no session.
4. For a custom API route: copy the request as curl from devtools, then run it again from a terminal with no cookies or auth header attached, and see if it still returns data.
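What step 4 is probing for, as an added example (not v0's or Vercel's code): a Next.js-style route handler that runs its query for any caller, beside one that resolves the session first and scopes the query to that user. The request is modelled as a plain { headers } object and the session store and table rows are constructed, so it runs under plain Node without Next.js or a database.

```javascript
// Added example, not v0 or Vercel code. The handler signature is simplified:
// request = { headers: { cookie } }, return value = { status, body }.

// Constructed session store: cookie value -> signed-in user.
const SESSIONS = new Map([["sess_4f1c", { userId: "u1" }]]);

// Constructed table: rows belong to different users.
const NOTES = [
  { id: 1, owner: "u1", text: "u1 private note" },
  { id: 2, owner: "u2", text: "u2 private note" },
  { id: 3, owner: "u1", text: "another u1 note" },
];

// Parse a Cookie header into an object; a missing header yields {}.
function parseCookies(header) {
  const out = {};
  for (const part of (header || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx > 0) out[part.slice(0, idx).trim()] = part.slice(idx + 1).trim();
  }
  return out;
}

// The shape described above: the route answers anyone who reaches it,
// because the only "check" was the button in the UI.
function getNotesUnchecked(request) {
  return { status: 200, body: { notes: NOTES } };
}

// Hardened: reject when no valid session is attached, then scope the query
// to the caller so one user cannot read another user's rows.
function getNotesChecked(request) {
  const cookies = parseCookies(request.headers.cookie);
  const session = cookies.session ? SESSIONS.get(cookies.session) : undefined;
  if (!session) {
    return { status: 401, body: { error: "unauthorized" } };
  }
  const notes = NOTES.filter((n) => n.owner === session.userId);
  return { status: 200, body: { notes } };
}

// Mirrors step 4: replay the same request with and without the cookie and
// report the status plus how many rows came back.
function probe(handler, cookie) {
  const headers = cookie ? { cookie } : {};
  const res = handler({ headers });
  const rows = Array.isArray(res.body.notes) ? res.body.notes.length : 0;
  return { status: res.status, rows };
}
```

Running probe(getNotesUnchecked) with no cookie returns every row, which is exactly the result step 4 tells you to look for; the checked handler returns 401 instead.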
Rather not do this by hand? The free Leak Check runs the anon-key probe and a client bundle scan against your live URL and gives you results in under a minute.
Run the free Leak Check →
Where the numbers come from
We scanned 66 live apps built with Lovable, Bolt, Cursor, base44, and Tempo. 41% of the Supabase-backed apps had at least one table anyone could read with the public anon key. The full methodology and findings are in the data report.
Read the data report →