HOW TO SECURE CURSOR: 12-STEP HARDENING GUIDE

How to secure Cursor in 12 steps

The work splits into three layers: what Cursor sees (codebase indexing, MCP, extensions), what Cursor’s output ships (review gates, branch protection, CI), and what reaches production (dynamic scan on deploy). Skip any layer and the others can’t compensate.

Layer 1 — Lock down what Cursor sees (5-minute setup)

Step 1. Create a .cursorignore for every repo

Cursor’s codebase indexer ingests every file in the working tree by default — including .env, secrets in config, infrastructure-as-code with embedded credentials, and customer-data fixtures. Without an ignore file, all of this gets sent to the AI model on every completion.

Create .cursorignore at the repo root:

# Secrets
.env
.env.*
*.pem
*.key
*.p12
*.pfx
secrets/
config/credentials.json
config/production.json
config/staging.json

# Infrastructure
terraform.tfvars
*.tfstate
*.tfstate.backup

# Customer data fixtures
fixtures/customers.json
fixtures/users.json
seeds/production.sql

# Build artifacts (also reduces noise)
node_modules/
.next/
dist/
build/

Verify in Cursor: open the file, confirm Cursor shows “Ignored” status.

Step 2. Enable Privacy Mode

Settings → General → Privacy Mode → enabled.

Privacy Mode prevents Cursor from retaining code or training on it. Code still transits to the AI model for completions, but it isn’t stored server-side. For sensitive codebases, this is non-negotiable.

For Business plan: enforce at org level — Admin console → Policies → “Require Privacy Mode” → enable.

Step 3. Audit MCP servers

Open ~/.cursor/mcp.json (macOS/Linux) or %APPDATA%\Cursor\mcp.json (Windows). List of every MCP server enabled. Each runs with full user permissions on your machine.

For each entry: confirm you installed it, confirm you still use it, confirm the source publisher is trusted. Remove anything you can’t account for.

Step 4. Audit installed extensions

Cursor inherits VS Code’s extension model — every extension runs with full IDE trust. Run extension audit:

Cmd/Ctrl+Shift+P → "Extensions: Show Installed Extensions"

Review the list. Remove unused. Prefer verified-publisher extensions for anything that touches your codebase (formatters, linters, AI tools).

Layer 2 — Gate what Cursor’s output ships (workflow controls)

Step 5. Branch protection on main

Cursor’s Composer and Agent modes can land multi-file changes quickly. Without branch protection, those changes can reach main (and CI auto-deploy) without human review.

GitHub: Settings → Branches → main → Require pull request before merging → Require approvals (at least 1, ideally code owners).

GitLab equivalent: Settings → Repository → Push Rules + Protected Branches.

Step 6. Required PR review on AI-generated commits

Configure a PR template that asks contributors to disclose AI-generated portions. Code reviewers focus on those sections especially.

.github/pull_request_template.md:

## AI-Generated Code

- [ ] This PR contains code generated by Cursor / Claude Code / other AI tools
- [ ] AI-generated portions noted in commit messages
- [ ] Security-sensitive sections reviewed (auth, payments, data access)

## Security checklist

- [ ] No new hardcoded secrets
- [ ] Input validation on every new endpoint
- [ ] Authorization (not just authentication) on resource access
- [ ] Error handlers don't expose stack traces

Step 7. CI security gate

Add a security scan to CI that blocks merge on critical findings. Static scan + dynamic scan if your deploy preview supports it.

GitHub Actions example:

- name: Security scan
  run: |
    # Static: secret detection
    npx gitleaks detect --source . --report-format sarif
    # Dependency audit
    npm audit --audit-level=high
    # Custom rules for AI-generation patterns
    npx semgrep --config=auto --error

For dynamic scan against the deployed preview, see Vibe Code Scanner — runs as a CI step against your preview URL.

Step 8. Disable Composer auto-accept

Composer can write multiple files at once. The diff viewer is correct but tedious; teams accept changes without reading every file.

Settings → Composer → require explicit accept per file (verify exact setting name in your version). Slows the workflow; catches the diff that nobody would have read.

Step 9. Run Agent mode in feature branches only

Agent mode runs autonomously and can commit. Configure it to operate only in feature branches, never directly on main. Combined with step 5, Agent commits land in PRs that require review.

Layer 3 — Scan what reaches production

Step 10. Dynamic security scan on every deploy

Static scans catch some patterns; dynamic scans (against the running app) catch the rest — the BOLA / IDOR / RLS / CORS issues that only surface at runtime.

Add a dynamic scan step to your deploy pipeline:

- name: Dynamic security scan
  run: |
    curl -X POST https://app.vibe-eval.com/api/scan \
      -H "Authorization: Bearer ${{ secrets.VIBEEVAL_TOKEN }}" \
      -d '{"url": "${{ env.PREVIEW_URL }}"}' \
      --fail

Block deploy on critical findings. Most teams set “block on Critical, alert on High.”

Step 11. Quarterly .cursorignore review

Codebases grow. New secret-bearing files get added. The .cursorignore you wrote in step 1 needs to grow too.

Quarterly: git ls-files | grep -iE 'secret|credential|key|password|env' to find files you might have missed.

Step 12. Monthly MCP and extension audit

Repeat steps 3 and 4 monthly. New MCP servers get installed during exploration; old extensions accumulate. Audit, prune, lock down.

The 12-step setup as a single command

For a fresh repo, the layer-1 setup is one block of work:

# Create .cursorignore from template
cat > .cursorignore <<'EOF'
.env
.env.*
*.pem
*.key
secrets/
config/credentials.json
terraform.tfvars
*.tfstate
fixtures/customers.json
EOF

# Add PR template
mkdir -p .github
# (copy the template from step 6)

# Enable git hook for secret scanning
npm install --save-dev gitleaks
echo 'npx gitleaks protect --staged' >> .husky/pre-commit

Common mistakes when securing Cursor

Skipping .cursorignore because “I’ll remember not to share secrets” — Cursor’s codebase indexing happens automatically, on every keystroke. Manual remembering doesn’t apply.

Treating Privacy Mode as the only control — Privacy Mode only addresses retention. The model still sees the code; the security of the code Cursor generates is separate.

Trusting the AI to add auth checks because the prompt mentioned auth — AI generates what gets prompted, often missing the secondary check (auth without authorization). Required PR review is the gate.

Believing static scan in CI is enough — Static analysis catches some patterns; dynamic scan against the deployed app catches the rest. Use both.

Configuring policies but not enforcing them — Business plan policies bind only when SSO is required; without enforcement, individual users can opt out.

Related resources

• Is Cursor Safe? — IDE-level audit
• Cursor Security Risks — 12 patterns in Cursor-generated code
• Cursor Enterprise Security — Business plan controls
• Vibe Coding Vulnerabilities — full vulnerability taxonomy
• Vibe Code Scanner — automated dynamic scan
• Token Leak Checker — finds secrets in deployed bundles
• Package Hallucination Scanner — finds AI-invented dependencies
• OWASP Top 10 for AI Code