Security Checklist for Cursor Users
10-Point Security Inspection for Every Cursor Session
Based on 10,000+ Cursor-generated functions reviewed. Print this checklist or integrate it into your workflow.
Checklist Progress
0 of 10 completed
1. Check all user inputs
criticalInput ValidationCursor often suggests direct string concatenation. Look for:
// ❌ Cursor suggestion
const query = `SELECT * FROM users WHERE id = ${userId}`;
// ✅ Secure alternative
const query = 'SELECT * FROM users WHERE id = ?';
db.query(query, [userId]);
2. Verify auth patterns
criticalAuthenticationAI mixes authentication methods. Check for:
// ❌ Mixed auth (common Cursor pattern)
if (req.headers.authorization || req.session.user) {
// This creates bypass vulnerability
}
// ✅ Single auth method
if (req.headers.authorization) {
const token = validateJWT(req.headers.authorization);
if (!token.valid) throw new AuthError();
}
3. Scan for hardcoded secrets
criticalSecrets ManagementCursor frequently embeds API keys and passwords:
// ❌ Hardcoded secret
const apiKey = "sk-1234567890abcdef";
// ✅ Environment variable
const apiKey = process.env.API_KEY;
if (!apiKey) throw new Error('API_KEY not configured');
4. Review all logging
highData ExposureAI logs sensitive data without realizing:
// ❌ Logs sensitive data
console.log(`User ${email} logged in with password ${password}`);
// ✅ Safe logging
console.log(`User ${email} authentication attempt`);
5. Check error responses
highError HandlingCursor exposes system internals in errors:
// ❌ Exposes internals
catch (err) {
res.status(500).json({ error: err.stack });
}
// ✅ Safe error response
catch (err) {
logger.error(err);
res.status(500).json({ error: 'Internal server error' });
}
6. Audit crypto usage
criticalCryptographyAI suggests outdated or weak crypto:
// ❌ Weak crypto (MD5)
const hash = crypto.createHash('md5').update(password).digest('hex');
// ✅ Strong crypto
const hash = await bcrypt.hash(password, 12);
7. Verify authorization checks
criticalAccess ControlCursor often skips authorization:
// ❌ No authorization check
app.get('/api/user/:id', async (req, res) => {
const user = await getUser(req.params.id);
res.json(user);
});
// ✅ With authorization
app.get('/api/user/:id', authenticate, async (req, res) => {
if (req.user.id !== req.params.id && !req.user.isAdmin) {
return res.status(403).json({ error: 'Forbidden' });
}
const user = await getUser(req.params.id);
res.json(user);
});
8. Check suggested packages
mediumDependenciesAI recommends outdated/vulnerable packages:
// ❌ Outdated package with vulnerabilities
npm install request // Deprecated, has vulnerabilities
// ✅ Modern alternative
npm install axios // Actively maintained
9. Review file handling
highFile OperationsPath traversal vulnerabilities are common:
// ❌ Path traversal vulnerability
const file = fs.readFile(`./uploads/${req.body.filename}`);
// ✅ Safe file handling
const filename = path.basename(req.body.filename);
const safePath = path.join('./uploads', filename);
if (!safePath.startsWith(path.resolve('./uploads'))) {
throw new Error('Invalid file path');
}
10. Implement rate limits
mediumRate LimitingCursor never suggests rate limiting:
// ❌ No rate limiting
app.post('/api/login', async (req, res) => {
// Authentication logic
});
// ✅ With rate limiting
const loginLimiter = rateLimit({
windowMs: 15 * 60 * 1000, // 15 minutes
max: 5 // limit each IP to 5 requests per windowMs
});
app.post('/api/login', loginLimiter, async (req, res) => {
// Authentication logic
});
Quick Reference Card
Save this for your daily Cursor sessions:
CURSOR SECURITY CHECKLIST
Before committing any AI-generated code:
□ No string concatenation in queries
□ No mixed authentication methods
□ No hardcoded secrets or API keys
□ No sensitive data in logs
□ No system internals in errors
□ No MD5 or weak crypto
□ Authorization checks present
□ Dependencies are current
□ File paths are validated
□ Rate limiting implemented
Integrate Into Your Workflow
Git Pre-commit Hook
#!/bin/bash
# .git/hooks/pre-commit
# Check for Cursor-generated code
if git diff --cached --name-only | xargs grep -l "@cursor-generated" > /dev/null; then
echo "⚠️ Cursor-generated code detected!"
echo "Run security checklist before committing."
echo "Mark reviewed with: @security-reviewed"
exit 1
fi
VS Code Task
{
"version": "2.0.0",
"tasks": [
{
"label": "Cursor Security Check",
"type": "shell",
"command": "shamans-cli",
"args": ["check", "--cursor", "${file}"],
"problemMatcher": "$tsc"
}
]
}
Want Automated Checking?
Our founders are manually reviewing Cursor code for beta partners. Get expert eyes on your AI-generated code.
Check Your Eligibility