# Lovable vs Bolt.new vs v0 vs Replit Agent: security comparison
src/. v0 generates code you paste into your own repo — security is entirely yours. Replit Agent covers more of the stack (backend + DB + auth + deploy in one flow), so the surface is bigger. Each section below gives the specific failure modes, the fix patterns, and the right tool to reach for.
This isn't a "which is best" post. It's "which security posture each one ships by default, and what you have to do extra to use each one safely." The right pick depends on your project type, your team size, and your tolerance for setup work.
## The matrix
| | Lovable | Bolt.new | v0 by Vercel | Replit Agent |
|---|---|---|---|---|
| Hosting model | Lovable hosts | You deploy (Netlify/Vercel) | You deploy (your repo) | Replit hosts |
| Code visible to user | Yes (editable) | Yes (WebContainer) | Yes (you paste) | Yes (full IDE) |
| RLS by default (Supabase) | Now scaffolded after Mar 2026 | No | No | No |
| Built-in security scan | Yes (since Mar 2026) | No | No | No |
| Secrets handling | Lovable Secrets system | .env in WebContainer | Your hosting provider's env | Replit Secrets system |
| Sourcemap default | On (Vite default) | On (Vite default) | Depends on your setup | Depends on framework |
| Dev mode in prod risk | Medium | High (WebContainer) | Medium (you control) | High (full stack) |
| CI integration path | Webhook → vibecheck | Vercel/Netlify hook → vibecheck | Your CI | Replit Deployments hook |
| Self-host the app | No | Yes (download) | Yes (always) | Custom domain only |
## Lovable
Hosts your app at *.lovable.app. The Lovable IDE generates a React frontend wired to Supabase, deploys it for you, and (since March 2026) runs a built-in security check before letting you publish.
Strengths:
- Lovable's post-March-2026 response was substantive: scaffolded RLS by default, a pre-publish security gate, and in-product warnings about `NEXT_PUBLIC_`-style env var misuse.
- Their Secrets system works correctly when used as documented.
- Custom-domain TLS is automatic.
Weaknesses:
- Their built-in scan only covers Lovable apps and only catches a subset of vibecheck's findings (no AI-stack tokens, no source-map detection, no CT-log subdomain enumeration).
- Backwards compatibility: apps generated before March 2026 don't auto-get the new RLS scaffolding. Pre-March-2026 launches still leak.
- Locked-in hosting. To leave Lovable, you have to migrate.
Audit guide: Lovable security checklist — 8 specific things to verify before your launch tweet.
Best for: non-technical founders, designer-developers, and teams that want fast iteration with a hosted backend. Avoid if you need to run on infrastructure you control.
## Bolt.new (StackBlitz)
Runs your app in a WebContainer in your browser. The editor lets you preview live; the platform deploys to Netlify or Vercel by default. Bolt is the fastest of the four for full-stack scaffolding because the WebContainer runs your dev server, your database migrations, and your auth flow without leaving the browser.
Strengths:
- Fastest iteration loop. You see the live app while you're building it.
- Code is fully owned by you — Bolt doesn't host the deploy. You can fork the project to GitHub at any time.
- Decent stack flexibility (Vite + React + various DB choices).
Weaknesses:
- The file editor frequently inlines secrets in `src/` rather than putting them in `.env`. We see this on roughly half of Bolt-generated apps in the wild.
- Vite's default `build.sourcemap` is off in production, but the WebContainer dev mode often leaks state into the deploy artifact if not explicitly excluded.
- No built-in security scan. No pre-publish gate.
- WebContainer state can include `node_modules`, `.cache`, and sometimes `.env` if not properly `.gitignore`'d for the deploy.
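One way to catch the Bolt failure modes listed above (secrets inlined under `src/`, a Supabase `service_role` key shipped in browser code, a `.gitignore` that forgets `.env` and `.cache`) together with the `NEXT_PUBLIC_` misuse the Lovable section mentions is a small static audit over the project tree. The script below is an added example, not Bolt's, Lovable's or vibecheck's code. It works on an in-memory `{ path: contents }` map with a constructed sample project so it runs offline (read a real tree into the same shape to use it); the secret patterns, the source-directory list and the `.gitignore` matching are deliberately simplified assumptions, and the JWT it decodes is constructed with a dummy signature.

```javascript
// Added example: static audit of a generated project. Not code from Bolt, Lovable or
// vibecheck. Input is a { path: contents } map (assumption: read your tree into one).

const b64url = (s) => Buffer.from(s).toString('base64url');

// Constructed Supabase-style service_role JWT with a dummy signature. Supabase's anon
// key is also a JWT and belongs in the browser; the difference is the "role" claim.
const CONSTRUCTED_SERVICE_ROLE_JWT = [
  b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' })),
  b64url(JSON.stringify({ iss: 'supabase', ref: 'constructed', role: 'service_role', exp: 2000000000 })),
  b64url('not-a-real-signature'),
].join('.');

// Constructed sample project exhibiting each failure mode once.
const SAMPLE_PROJECT = {
  'src/lib/supabase.ts':
    `import { createClient } from '@supabase/supabase-js';\n` +
    `export const supabase = createClient('https://example.supabase.co', '${CONSTRUCTED_SERVICE_ROLE_JWT}');\n`,
  'src/lib/stripe.ts': `export const stripe = new Stripe('sk_live_CONSTRUCTEDEXAMPLE0000000');\n`,
  'app/actions.ts':
    `const secret = process.env.NEXT_PUBLIC_OPENAI_SECRET_KEY;\n` +
    `const anon = process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY; // fine: the anon key is public by design\n`,
  '.gitignore': 'node_modules\ndist\n',
};

const SOURCE_DIR = /^(src|app|pages|components|lib)\//;
const LITERAL_SECRETS = [{ id: 'stripe-live-key', re: /sk_live_[A-Za-z0-9]{16,}/g }];
const JWT = /eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g;
const PUBLIC_ENV = /process\.env\.(NEXT_PUBLIC_[A-Z0-9_]+)/g;
const SECRET_LIKE_NAME = /SECRET|SERVICE_ROLE|PRIVATE|PASSWORD/;
const MUST_IGNORE = ['.env', 'node_modules', '.cache'];

// Decode the JWT payload (no signature check needed: we only want the role claim).
function jwtRole(token) {
  try {
    return JSON.parse(Buffer.from(token.split('.')[1], 'base64url').toString('utf8')).role ?? null;
  } catch {
    return null;
  }
}

function auditProject(files) {
  const findings = [];
  for (const [path, text] of Object.entries(files)) {
    if (!SOURCE_DIR.test(path)) continue;
    for (const { id, re } of LITERAL_SECRETS) {
      for (const m of text.matchAll(re)) findings.push({ path, check: id, detail: m[0].slice(0, 8) + '...' });
    }
    for (const m of text.matchAll(JWT)) {
      if (jwtRole(m[0]) === 'service_role') findings.push({ path, check: 'service-role-key-in-source', detail: 'role=service_role' });
    }
    for (const m of text.matchAll(PUBLIC_ENV)) {
      if (SECRET_LIKE_NAME.test(m[1])) findings.push({ path, check: 'public-env-var-looks-secret', detail: m[1] });
    }
  }
  // Simplified .gitignore check: exact entries only, not full gitignore glob semantics.
  const ignored = (files['.gitignore'] ?? '').split(/\r?\n/).map((l) => l.trim());
  for (const name of MUST_IGNORE) {
    const covered = ignored.some((l) => [name, `${name}/`, `/${name}`, `${name}*`].includes(l));
    if (!covered) findings.push({ path: '.gitignore', check: 'gitignore-missing-entry', detail: name });
  }
  return findings;
}

console.table(auditProject(SAMPLE_PROJECT));
```

The JWT role check is the part worth keeping even if you replace the rest with a real secret scanner: a Supabase anon key and a service_role key look identical to a regex, and only the decoded `role` claim tells you which one the generated client was wired with.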
Audit guide: Bolt.new security checklist — 7 specific failures and how to fix each.
Best for: developers who want full control of the deploy artifact and don't mind a 10-minute audit pass before going public. Avoid if you'd ship without reviewing the source.
## v0 by Vercel
Generates Next.js components for you to paste into your own repo. v0 doesn't host your app; it doesn't even compile it. The output is JSX you copy into your app/ directory. The security model is entirely yours.
Strengths:
- Maximum control. The code is in your repo, under your CI, deployed on your hosting.
- Best output quality for Next.js specifically. The components compile, the styles work, the data flows.
- Easy to integrate vibecheck via CI: your existing `.github/workflows/` picks it up.
Weaknesses:
- You own the security review. v0's defaults frequently include `NEXT_PUBLIC_` on env vars that shouldn't be public, missing auth checks on Server Actions, and hardcoded credentials in JSX defaults.
- The "I just paste it" assumption. Most users don't review the diff before merging. If your team treats v0 output like a senior reviewer's PR, you're fine. If you treat it like a junior intern's PR, you'll catch the issues. If you treat it like a Google search result, you'll ship the bug.
- RSC payload leaks: Server Components serialize data to the browser even if the rendered output omits it. v0 doesn't always know this.
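Two review patterns for the v0 weaknesses above, as an added example that is not v0's or Next.js's own code. The RSC leak works like this: every prop a Server Component hands to a `'use client'` component is serialized into the RSC payload the browser receives, whether or not the client component renders it, so forwarding the whole row you fetched ships the whole row. The block shapes those props through an explicit allowlist and scans anything about to cross the boundary for sensitive key names; the second half wraps a Server Action so it cannot run without a session. `CLIENT_SHAPE`, `getSession` and the sample row are assumptions constructed for the example.

```javascript
// Added example, not v0's or Next.js's own code. (1) shape what a Server Component passes
// to a 'use client' component, because every prop crossing that boundary lands in the RSC
// payload; (2) wrap Server Actions so they cannot execute for an anonymous caller.

// Constructed row, as a Server Component might fetch it from the database.
const SAMPLE_USER_ROW = {
  id: 'u_123',
  displayName: 'Ada',
  avatarUrl: '/avatars/ada.png',
  email: 'ada@example.test',
  passwordHash: '$2b$10$constructed-not-a-real-hash',
  stripeCustomerId: 'cus_constructed',
  sessions: [{ token: 'constructed-session-token' }],
};

// Explicit per-kind allowlist of what the browser may see (assumption: define your own).
const CLIENT_SHAPE = { user: ['id', 'displayName', 'avatarUrl'] };

function toClientProps(kind, record) {
  const allowed = CLIENT_SHAPE[kind];
  if (!allowed) throw new Error(`no client shape defined for "${kind}"`);
  const out = {};
  for (const key of allowed) if (key in record) out[key] = record[key];
  return out;
}

// Review helper: walk a value about to cross the server/client boundary and return the
// paths of any keys whose names suggest they should never reach the browser.
const SENSITIVE_KEY = /password|hash|secret|token|ssn|stripe|apikey|api_key/i;
function findSensitiveKeys(value, path = '') {
  if (value === null || typeof value !== 'object') return [];
  return Object.entries(value).flatMap(([k, v]) => {
    const here = path ? `${path}.${k}` : k;
    const hits = SENSITIVE_KEY.test(k) ? [here] : [];
    return hits.concat(findSensitiveKeys(v, here));
  });
}

// In a Server Component (JSX shown as comments; this file has no React dependency):
//   <ProfileCard user={user} />                         // serializes passwordHash & co.
//   <ProfileCard user={toClientProps('user', user)} />   // ships only the three public fields

// (2) Server Action guard. getSession stands in for your auth library's session lookup
// (assumption); the wrapped action never runs for an anonymous caller.
function withUser(getSession, action) {
  return async (...args) => {
    const session = await getSession();
    if (!session || !session.user) throw new Error('unauthenticated');
    return action(session.user, ...args);
  };
}

// Example action: only the owner may delete their own account.
const deleteAccount = (getSession) =>
  withUser(getSession, async (user, targetId) => {
    if (user.id !== targetId) throw new Error('forbidden');
    return { deleted: targetId };
  });
```

`findSensitiveKeys` is a review aid, not a security boundary: it catches the common names, and the allowlist is what actually keeps fields out of the payload. Run it in a test over the props of each client component v0 generated and you get a list of exactly which fields would have gone to the browser.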
Audit guide: v0 by Vercel security checklist — 6 review patterns to catch what v0 ships you.
Best for: teams with disciplined code-review culture. Skip if your workflow is "paste, ship, debug later."
## Replit Agent
Replit hosts everything. The Agent scaffolds a full-stack app — auth, database, payments, admin dashboard, deployment — in about ten minutes. The IDE, the runtime, and the deploy are all on Replit's infrastructure.
Strengths:
- Broadest scope. The Agent will wire Stripe, Auth0, Supabase, OpenAI, Resend in one prompt.
- The Replit Secrets system is correct when used as documented.
- "Always-On" deployments and built-in databases mean you can ship a real backend without leaving the IDE.
Weaknesses:
- Bigger surface = more places to misconfigure. Six checks are needed instead of three.
- The Agent occasionally generates dev-only auth bypass routes (`/dev/login`, `/test-auth`) that ship to production.
- Replit Secrets stored correctly but referenced wrong: the most common pattern. The Agent generates frontend code that needs a server-side credential, can't access the Secret from the browser, and works around the limitation by inlining a placeholder that ends up being the real key.
- Deploy URL exposes the IDE in some configurations.
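The fix pattern for the dev-only bypass routes above is to make their registration fail closed and to check the route table before deploying. The block below is an added example, not Replit's or the Agent's code: `createApp()` is a constructed stand-in for Express so it runs offline (with Express 4 the same check can walk `app._router.stack`), the route names are the ones the page lists, and the bypass regex is an assumption you would extend for your own app.

```javascript
// Added example, not Replit's or the Agent's code. Fail-closed guard for dev-only routes
// plus a pre-deploy check over the registered route table. createApp() stands in for
// Express (assumption) so the file runs without dependencies.

function createApp() {
  const routes = [];
  return {
    routes,
    get(path, handler) { routes.push({ method: 'GET', path, handler }); },
    post(path, handler) { routes.push({ method: 'POST', path, handler }); },
  };
}

// Paths that look like auth bypasses: the /dev/login and /test-auth the Agent scaffolds,
// plus the usual impersonation helpers. Extend for your own naming.
const DEV_BYPASS = /^\/(dev|test|debug)(\/|-|$)|login-as|impersonate|test-auth/i;

function mountDevRoutes(app, env) {
  // Fail closed: only an explicit 'development' gets the bypasses. An unset NODE_ENV,
  // which a fresh deploy often has, is treated like production.
  if (env !== 'development') return 0;
  app.get('/dev/login', (req, res) => res.json({ user: { id: 'dev', role: 'admin' } }));
  app.get('/test-auth', (req, res) => res.json({ ok: true }));
  return 2;
}

function mountAppRoutes(app) {
  app.get('/api/health', (req, res) => res.json({ ok: true }));
  app.post('/api/login', (req, res) => res.json({ todo: 'real auth lives here' }));
}

// Pre-deploy check: every registered route whose path looks like a bypass.
function findDevBypassRoutes(app) {
  return app.routes.filter((r) => DEV_BYPASS.test(r.path)).map((r) => `${r.method} ${r.path}`);
}

// Belt and braces: refuse to start outside development if a bypass route slipped in
// by any path other than mountDevRoutes (a pasted router, a leftover file).
function assertNoDevBypass(app, env) {
  const leaks = findDevBypassRoutes(app);
  if (env !== 'development' && leaks.length) {
    throw new Error(`dev bypass routes registered in ${env ?? 'unset NODE_ENV'}: ${leaks.join(', ')}`);
  }
  return leaks;
}

function buildApp(env) {
  const app = createApp();
  mountAppRoutes(app);
  mountDevRoutes(app, env);
  assertNoDevBypass(app, env);
  return app;
}
```

The check runs at startup rather than only in CI on purpose: Replit Deployments start the process with whatever `NODE_ENV` the config gives it, and a startup assertion catches the case where the environment variable was never set at all.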
Audit guide: Replit Agent security checklist — 6 checks to run before going public.
Best for: end-to-end prototypes, MVP launches, and projects where you want one-stop hosting. Avoid for compliance-heavy contexts where you need to control the deployment substrate.
## Decision matrix
Pick by the constraint that matters most for your project:
| Your priority | Pick | Audit time |
|---|---|---|
| Fastest from idea to live URL, non-technical | Lovable | 15 min after launch |
| Fastest with full-stack flexibility | Bolt.new | 20 min before launch |
| Maximum control over deploy + your own CI | v0 | 10 min per v0 paste |
| One-stop integrated stack with auth + DB + Stripe | Replit Agent | 30 min before going public |
| Compliance, audit trail, IP-restricted infra | None of these — use a real framework | — |
## One thing all four share
Whichever you pick, run an external scan against the deployed URL before launch. It's the same five seconds regardless of platform. The vibecheck CLI is the same command across all four:
```shell
npx @vibecheck/cli "https://your-deploy-url" --exit-on critical
```
Hook it into the platform's deploy hook (Lovable's pre-publish webhook, Vercel/Netlify build step for Bolt + v0, Replit Deployments hook for Replit). It runs once per deploy, fails the deploy on critical findings, and costs nothing.
Inspect your deploy regardless of platform