
Security Checklist for Cursor Users

8 min read · Interactive checklist · Last updated: March 2024

10-Point Security Inspection for Every Cursor Session

Based on 10,000+ Cursor-generated functions reviewed. Print this checklist or integrate it into your workflow.


1. Check all user inputs

[critical] Input Validation

Cursor often suggests direct string concatenation. Look for:

// ❌ Cursor suggestion: userId is attacker-controlled and is spliced straight into the SQL text
const query = `SELECT * FROM users WHERE id = ${userId}`;

// ✅ Secure alternative: the placeholder keeps userId as a bound parameter, never as SQL
const query = 'SELECT * FROM users WHERE id = ?';
db.query(query, [userId]);

2. Verify auth patterns

[critical] Authentication

AI mixes authentication methods. Check for:

// ❌ Mixed auth (common Cursor pattern)
if (req.headers.authorization || req.session.user) {
  // Either condition alone grants access: an unvalidated header (or a stale
  // session) satisfies the check that the other path was meant to enforce
}

// ✅ Single auth method
if (req.headers.authorization) {
  // validateJWT is a hypothetical helper that verifies the signature and expiry
  const token = validateJWT(req.headers.authorization);
  if (!token.valid) throw new AuthError();
} else {
  throw new AuthError(); // no credential at all must also fail, not fall through
}

3. Scan for hardcoded secrets

[critical] Secrets Management

Cursor frequently embeds API keys and passwords:

// ❌ Hardcoded secret
const apiKey = "sk-1234567890abcdef";

// ✅ Environment variable
const apiKey = process.env.API_KEY;
if (!apiKey) throw new Error('API_KEY not configured');

4. Review all logging

[high] Data Exposure

AI-generated code logs sensitive data without flagging it:

// ❌ Logs sensitive data
console.log(`User ${email} logged in with password ${password}`);

// ✅ Safe logging
console.log(`User ${email} authentication attempt`);

5. Check error responses

[high] Error Handling

Cursor exposes system internals in errors:

// ❌ Exposes internals: the stack trace reveals file paths, framework versions and call structure
try {
  await handler(req, res); // handler is a hypothetical route function
} catch (err) {
  res.status(500).json({ error: err.stack });
}

// ✅ Safe error response: details go to the server log, the client gets a generic message
try {
  await handler(req, res);
} catch (err) {
  logger.error(err);
  res.status(500).json({ error: 'Internal server error' });
}

6. Audit crypto usage

[critical] Cryptography

AI suggests outdated or weak crypto:

// ❌ Weak crypto (MD5): a fast, unsalted hash that is trivial to brute-force offline
const crypto = require('crypto');
const hash = crypto.createHash('md5').update(password).digest('hex');

// ✅ Strong crypto: bcrypt is a salted, deliberately slow password hash; 12 is the cost factor
const bcrypt = require('bcrypt');
const hash = await bcrypt.hash(password, 12);

7. Verify authorization checks

[critical] Access Control

Cursor often skips authorization:

// ❌ No authorization check: any caller can read any user by changing :id
app.get('/api/user/:id', async (req, res) => {
  const user = await getUser(req.params.id);
  res.json(user);
});

// ✅ With authorization (authenticate is middleware that sets req.user)
app.get('/api/user/:id', authenticate, async (req, res) => {
  // req.params.id is always a string; compare as strings so a numeric req.user.id
  // does not make the inequality true for the user's own record
  if (String(req.user.id) !== req.params.id && !req.user.isAdmin) {
    return res.status(403).json({ error: 'Forbidden' });
  }
  const user = await getUser(req.params.id);
  res.json(user);
});

8. Check suggested packages

[medium] Dependencies

AI recommends outdated/vulnerable packages:

# ❌ Outdated package with vulnerabilities
npm install request   # deprecated upstream; no longer receives security fixes

# ✅ Modern alternative
npm install axios     # actively maintained; still run `npm audit` after installing

9. Review file handling

[high] File Operations

Path traversal vulnerabilities are common:

// ❌ Path traversal vulnerability: a filename containing "../" escapes the uploads directory
const file = await fs.promises.readFile(`./uploads/${req.body.filename}`);

// ✅ Safe file handling
const uploadsDir = path.resolve('./uploads');
const filename = path.basename(req.body.filename); // drops any directory components
const safePath = path.resolve(uploadsDir, filename);
// Compare absolute paths; the trailing separator stops "./uploads-other" from passing the prefix test
if (!safePath.startsWith(uploadsDir + path.sep)) {
  throw new Error('Invalid file path');
}
const file = await fs.promises.readFile(safePath);

10. Implement rate limits

[medium] Rate Limiting

Cursor never suggests rate limiting:

// ❌ No rate limiting: unlimited password guesses per IP
app.post('/api/login', async (req, res) => {
  // Authentication logic
});

// ✅ With rate limiting (express-rate-limit)
const rateLimit = require('express-rate-limit');
const loginLimiter = rateLimit({
  windowMs: 15 * 60 * 1000, // 15 minutes
  max: 5 // limit each IP to 5 requests per windowMs
});

app.post('/api/login', loginLimiter, async (req, res) => {
  // Authentication logic
});

Quick Reference Card

Save this for your daily Cursor sessions:

CURSOR SECURITY CHECKLIST

Before committing any AI-generated code:

□ No string concatenation in queries

□ No mixed authentication methods

□ No hardcoded secrets or API keys

□ No sensitive data in logs

□ No system internals in errors

□ No MD5 or weak crypto

□ Authorization checks present

□ Dependencies are current

□ File paths are validated

□ Rate limiting implemented
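A small line-oriented scanner for the checklist, added here as an example (it is not the checklist's own tooling); the regular expressions are heuristics I wrote for this illustration, and the sample source is constructed from the ❌ snippets in items 1 to 9.

```javascript
// Added example, not the checklist's own tooling: a line-oriented scanner
// for checklist items 1-6 and 9. Every pattern is a heuristic written for
// this illustration; expect false positives and review each hit by hand.
const RULES = [
  { item: 1, name: 'string concatenation in query',
    re: /\b(SELECT|INSERT|UPDATE|DELETE)\b[^\n]*(\$\{|['"`]\s*\+\s*\w)/i },
  { item: 2, name: 'mixed authentication methods',
    re: /req\.headers\.authorization\s*\|\|\s*req\.session/ },
  { item: 3, name: 'hardcoded secret',
    re: /(api[_-]?key|secret|password|token)\s*[:=]\s*['"`][^'"`]{8,}['"`]/i },
  { item: 4, name: 'sensitive data in log',
    re: /console\.log\([^)]*\b(password|token|secret)\b/i },
  { item: 5, name: 'stack trace in HTTP response',
    re: /res\.status\(\d+\)\.json\([^)]*\.stack\b/ },
  { item: 6, name: 'weak hash (md5/sha1)',
    re: /createHash\(\s*['"](md5|sha1)['"]\s*\)/i },
  { item: 9, name: 'request-controlled filename in file path',
    re: /(readFile|writeFile|createReadStream)\w*\([^)]*req\.(body|query|params)\./ },
];

// Scan a source string; returns one finding per (line, rule) match, in line order.
function scanSource(source) {
  const findings = [];
  source.split('\n').forEach((line, idx) => {
    for (const rule of RULES) {
      if (rule.re.test(line)) {
        findings.push({ line: idx + 1, item: rule.item, name: rule.name, text: line.trim() });
      }
    }
  });
  return findings;
}

// Constructed sample: the ❌ snippets from this checklist, plus one ✅ line
// (bcrypt) that must not be reported.
const SAMPLE = [
  'const query = `SELECT * FROM users WHERE id = ${userId}`;',
  'if (req.headers.authorization || req.session.user) {}',
  'const apiKey = "sk-1234567890abcdef";',
  'console.log(`User ${email} logged in with password ${password}`);',
  'res.status(500).json({ error: err.stack });',
  "const hash = crypto.createHash('md5').update(password).digest('hex');",
  'const file = fs.readFile(`./uploads/${req.body.filename}`);',
  'const hash = await bcrypt.hash(password, 12);',
].join('\n');

for (const f of scanSource(SAMPLE)) {
  console.log(`line ${f.line} [item ${f.item}] ${f.name}: ${f.text}`);
}
```

Run it with `node` against a real file by replacing SAMPLE with `fs.readFileSync(path, 'utf8')`; the pre-commit hook below is the natural place to call it.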

Integrate Into Your Workflow

Git Pre-commit Hook

#!/bin/bash
# .git/hooks/pre-commit
# Block the commit when a staged file is marked @cursor-generated but has not
# also been marked @security-reviewed (the original only looked for the first marker,
# so a reviewed file could never be committed).

flagged=$(git diff --cached --name-only --diff-filter=ACM \
  | xargs -r grep -l "@cursor-generated" 2>/dev/null \
  | xargs -r grep -L "@security-reviewed" 2>/dev/null)

if [ -n "$flagged" ]; then
  echo "⚠️  Cursor-generated code detected in:"
  echo "$flagged"
  echo "Run security checklist before committing."
  echo "Mark reviewed with: @security-reviewed"
  exit 1
fi

VS Code Task

{
  "version": "2.0.0",
  "tasks": [
    {
      "label": "Cursor Security Check",
      "type": "shell",
      "command": "shamans-cli",
      "args": ["check", "--cursor", "${file}"],
      "problemMatcher": "$tsc"
    }
  ]
}

Want Automated Checking?

Our founders are manually reviewing Cursor code for beta partners. Get expert eyes on your AI-generated code.
