Cursor Security Checklist

Cursor is the most powerful AI coding environment — it also has the most surface area for security mistakes. Unlike prompt-to-deploy tools, Cursor generates complete codebases, which means more files, more dependencies, and more places for secrets to hide.

Cursor-specific security risks

Cursor apps are typically Next.js or Express full-stack apps. The security risks are more varied than with prompt-to-deploy tools because Cursor writes real code — auth middleware, database queries, payment integrations, third-party API calls.

The most common issues found in Cursor-built apps:

  • Hallucinated npm package names that match real malware (dependency confusion)
  • .env files accidentally committed to git
  • Auth middleware that checks the wrong condition and passes all requests
  • LLM endpoints with no rate limiting (anyone can exhaust your OpenAI credits)
  • SQL queries built with string concatenation (SQL injection)
  • Missing CSRF protection on state-changing API routes

Cursor security checklist

✅ Dependency Safety

  • Run npm audit — fix critical and high vulnerabilities before deploying
  • Check for typosquatted packages: verify every package Cursor added actually exists on npm with the correct author
  • Use npm ls to see the full dependency tree and spot unexpected packages

✅ Secrets Management

  • Run git log --all --full-history -- "*.env" — if your .env was ever committed, rotate everything in it
  • Verify .env is in .gitignore and not tracked
  • Check your deployed JS bundles for sk_live, sk-proj, or any secret that should be server-side only

✅ Authentication Middleware

  • Cursor often generates middleware that looks correct but has a logic bug — test every protected route with curl and no auth header
  • Admin routes (/admin, /api/admin) should return 401/403 with no session, not redirect or return empty data
  • Test IDOR: change a resource ID in the URL — can you access another user's data?

✅ LLM Endpoint Security

  • Add rate limiting to every /api/chat, /api/ai, or /api/generate route
  • Require authentication before allowing LLM calls — unauthenticated access will drain your budget
  • Set maximum token limits per request and per user per day
  • Sanitize user input before including it in system prompts (prompt injection)
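
The first three checks above (authentication, rate limiting, and token caps per request and per user per day) combined into one Express-style middleware, as an added example that is not part of the original page. `createLlmGuard`, `req.user`, the `max_tokens` body field and the limit names are assumptions, and the in-memory `Map` only works for a single process; a serverless or multi-instance deployment needs a shared store.

```javascript
// Added example. createLlmGuard, req.user and the limit names are assumptions.
const DAY_MS = 24 * 60 * 60 * 1000;

function createLlmGuard({ perMinute, maxTokensPerRequest, maxTokensPerDay, now = Date.now }) {
  const usage = new Map(); // userId -> { hits, dayStart, tokensToday } (single process only)

  return function llmGuard(req, res, next) {
    // 1. Fail closed unless earlier auth middleware attached a verified user.
    const userId = req.user && req.user.id;
    if (!userId) return res.status(401).json({ error: "authentication required" });

    // 2. Per-request cap: never pass a client-chosen max_tokens through unchecked.
    const requested = req.body && req.body.max_tokens;
    if (!Number.isInteger(requested) || requested < 1 || requested > maxTokensPerRequest) {
      return res.status(400).json({ error: "max_tokens out of range" });
    }

    const t = now();
    const u = usage.get(userId) || { hits: [], dayStart: t, tokensToday: 0 };
    usage.set(userId, u);

    // 3. Sliding one-minute window of accepted requests.
    u.hits = u.hits.filter((ts) => t - ts < 60000);
    if (u.hits.length >= perMinute) {
      return res.status(429).json({ error: "rate limit exceeded" });
    }

    // 4. Daily budget, charged on the requested ceiling (a conservative reservation).
    if (t - u.dayStart >= DAY_MS) { u.dayStart = t; u.tokensToday = 0; }
    if (u.tokensToday + requested > maxTokensPerDay) {
      return res.status(429).json({ error: "daily token budget exhausted" });
    }

    u.hits.push(t);
    u.tokensToday += requested;
    return next();
  };
}

// Constructed stand-in for an Express req/res pair; returns the HTTP status.
function simulate(guard, { user, body }) {
  let status = 200;
  const res = { status(code) { status = code; return this; }, json() { return this; } };
  guard({ user, body }, res, () => {});
  return status;
}
```

The guard belongs after the session or token check and before the handler that calls the model, so that rejected requests never reach the provider.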

✅ Database Security

  • Use parameterised queries or an ORM — never concatenate user input into SQL
  • Database credentials must be server-side only — check no DATABASE_URL is in client bundles
  • For Supabase: enable RLS on every table; use service role key only in server functions

✅ Security Headers

  • Add headers in next.config.mjs: CSP, HSTS, X-Frame-Options, X-Content-Type-Options
  • Cursor rarely generates these — they must be added manually
  • Check your current headers for free: run the header check
