Platform Guide
Cursor Security Checklist
Cursor is the most powerful AI coding environment — it also has the most surface area for security mistakes. Unlike prompt-to-deploy tools, Cursor generates complete codebases, which means more files, more dependencies, and more places for secrets to hide.
Cursor-specific security risks
Cursor apps are typically Next.js or Express full-stack apps. The security risks are more varied than with prompt-to-deploy tools because Cursor writes real code — auth middleware, database queries, payment integrations, third-party API calls.
The most common issues found in Cursor-built apps:
- Hallucinated npm package names that match real malware (dependency confusion)
- `.env` files accidentally committed to git
- Auth middleware that checks the wrong condition and passes all requests
- LLM endpoints with no rate limiting (anyone can exhaust your OpenAI credits)
- SQL queries built with string concatenation (SQL injection)
- Missing CSRF protection on state-changing API routes
Cursor security checklist
✅ Dependency Safety
- Run `npm audit` — fix critical and high vulnerabilities before deploying
- Check for typosquatted packages: verify every package Cursor added actually exists on npm with the correct author
- Use `npm ls` to see the full dependency tree and spot unexpected packages
✅ Secrets Management
- Run `git log --all --full-history -- "*.env"` — if your `.env` was ever committed, rotate everything in it
- Verify `.env` is in `.gitignore` and not tracked
- Check your deployed JS bundles for `sk_live`, `sk-proj`, or any secret that should be server-side only
✅ Authentication Middleware
- Cursor often generates middleware that looks correct but has a logic bug — test every protected route with curl and no auth header
- Admin routes (`/admin`, `/api/admin`) should return 401/403 with no session, not redirect or return empty data
- Test IDOR: change a resource ID in the URL — can you access another user's data?
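The no-auth-header test from this list, as an added example (not code from the original page or from any Cursor output): an Express-style middleware with a constructed logic bug next to a deny-by-default version, plus a small harness that stands in for curl. `SESSIONS`, `requireAuthBuggy`, `requireAuth`, `requireAdmin` and `probe` are hypothetical names, and the tokens are constructed sample values.

```javascript
// Constructed session store (assumption). A real app would verify a signed
// session cookie or JWT here instead of looking a token up in a Map.
const SESSIONS = new Map([
  ["tok-alice", { id: 1, role: "user" }],
  ["tok-admin", { id: 2, role: "admin" }],
]);

// Extract the bearer token from the Authorization header, or null if absent.
function bearer(req) {
  const m = /^Bearer (.+)$/.exec(req.headers.authorization || "");
  return m ? m[1] : null;
}

// BUGGY: rejects only when a token is present AND unknown, so a request with
// no Authorization header at all falls through to next().
function requireAuthBuggy(req, res, next) {
  const token = bearer(req);
  if (token && !SESSIONS.has(token)) {
    return res.status(401).json({ error: "invalid token" });
  }
  req.user = SESSIONS.get(token);
  next();
}

// FIXED: deny by default. Only a request that resolves to a user continues.
function requireAuth(req, res, next) {
  const user = SESSIONS.get(bearer(req));
  if (!user) return res.status(401).json({ error: "unauthenticated" });
  req.user = user;
  next();
}

// Admin routes: an authenticated non-admin gets 403, not empty data.
function requireAdmin(req, res, next) {
  if (req.user?.role !== "admin") return res.status(403).json({ error: "forbidden" });
  next();
}

// Stand-in for curl: run a middleware chain with the given headers and return
// the status code. 200 means the route handler would have been reached.
function probe(chain, headers = {}) {
  const req = { headers };
  let status = null, i = 0;
  const res = { status(c) { status = c; return this; }, json() { return this; } };
  const next = () => {
    if (status !== null) return;
    if (i < chain.length) chain[i++](req, res, next);
    else status = 200;
  };
  next();
  return status;
}
```

The buggy version passes a test that sends a bad token, which is why it looks correct in review; only the request with no header exposes it.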
✅ LLM Endpoint Security
- Add rate limiting to every `/api/chat`, `/api/ai`, or `/api/generate` route
- Require authentication before allowing LLM calls — unauthenticated access will drain your budget
- Set maximum token limits per request and per user per day
- Sanitize user input before including it in system prompts (prompt injection)
✅ Database Security
- Use parameterised queries or an ORM — never concatenate user input into SQL
- Database credentials must be server-side only — check no `DATABASE_URL` is in client bundles
- For Supabase: enable RLS on every table; use service role key only in server functions
✅ Security Headers
- Add headers in `next.config.mjs`: CSP, HSTS, X-Frame-Options, X-Content-Type-Options
- Cursor rarely generates these — they must be added manually
- Check your current headers for free: run the header check