[{"data":1,"prerenderedAt":358},["ShallowReactive",2],{"blog-blueprints/cursor-prisma-vercel":3},{"id":4,"title":5,"body":6,"category":337,"date":338,"dateModified":339,"description":340,"draft":341,"extension":342,"faq":343,"featured":341,"headerVariant":344,"image":343,"keywords":343,"meta":345,"navigation":346,"ogDescription":347,"ogTitle":343,"path":348,"readTime":349,"schemaOrg":350,"schemaType":351,"seo":352,"sitemap":353,"stem":354,"tags":355,"twitterCard":356,"__hash__":357},"blog/blog/blueprints/cursor-prisma-vercel.md","Cursor + Prisma + Vercel Security Blueprint",{"type":7,"value":8,"toc":321},"minimark",[9,20,24,35,40,50,55,58,114,118,122,125,135,139,145,154,163,179,183,192,201,205,208,217,221,226,229,232,235,238,241,244,247,250,253,271,290,309],[10,11,12],"blueprint-summary",{},[13,14,15,19],"p",{},[16,17,18],"strong",{},"To secure a Cursor + Prisma + Vercel stack,"," you need to: (1) store your DATABASE_URL in Vercel environment variables (never in code), (2) use Prisma's standard query methods which automatically prevent SQL injection, (3) avoid string interpolation in $queryRaw calls or use proper parameterization, (4) implement authorization checks in all API routes since Prisma lacks built-in RLS, and (5) create a .cursorignore file to prevent AI from accessing your .env files. This blueprint covers Prisma's security benefits, raw query dangers, and authorization patterns.",[21,22],"blueprint-meta",{"time":23},"2-3 hours",[25,26,27],"tldr",{},[13,28,29,30,34],{},"Prisma provides type-safe database access and prevents most SQL injection attacks by default. 
Key security tasks: store DATABASE_URL in Vercel environment variables, use Prisma's query methods (not raw SQL when possible), implement authorization checks in your API routes, and be careful with ",[31,32,33],"code",{},"$queryRaw"," which bypasses Prisma's protections.",[36,37,39],"h3",{"id":38},"platform-guides-checklists","Platform Guides & Checklists",[41,42,47],"pre",{"className":43,"code":45,"language":46},[44],"language-text","      Cursor Security Guide\n\n\n\n      Prisma Security Guide\n\n\n\n      Vercel Security Guide\n\n\n\n      Pre-Launch Checklist\n","text",[31,48,45],{"__ignoreMap":49},"",[51,52,54],"h2",{"id":53},"stack-overview","Stack Overview",[13,56,57],{},"Prisma is a type-safe ORM that generates a database client from your schema. This stack is excellent for type safety and developer experience:",[59,60,61,77],"table",{},[62,63,64],"thead",{},[65,66,67,71,74],"tr",{},[68,69,70],"th",{},"Component",[68,72,73],{},"Role",[68,75,76],{},"Security Benefit",[78,79,80,92,103],"tbody",{},[65,81,82,86,89],{},[83,84,85],"td",{},"Cursor",[83,87,88],{},"AI code editor",[83,90,91],{},"Type hints help catch errors",[65,93,94,97,100],{},[83,95,96],{},"Prisma",[83,98,99],{},"Database ORM",[83,101,102],{},"Type-safe queries prevent injection",[65,104,105,108,111],{},[83,106,107],{},"Vercel",[83,109,110],{},"Hosting",[83,112,113],{},"Secure env vars, serverless functions",[51,115,117],{"id":116},"part-1-prisma-security-benefits-prisma","Part 1: Prisma Security Benefits Prisma",[36,119,121],{"id":120},"built-in-sql-injection-protection-prisma","Built-in SQL Injection Protection Prisma",[13,123,124],{},"Prisma's query methods automatically parameterize inputs:",[126,127,129],"code-block",{"label":128},"Safe Prisma query (injection protected)",[41,130,133],{"className":131,"code":132,"language":46},[44],"// This is safe - Prisma parameterizes the input\nconst user = await prisma.user.findUnique({\n  where: { email: userInput }  // Safe even if userInput is 
malicious\n});\n\n// Also safe\nconst posts = await prisma.post.findMany({\n  where: {\n    title: { contains: searchQuery },  // Parameterized\n    authorId: userId  // Parameterized\n  }\n});\n",[31,134,132],{"__ignoreMap":49},[36,136,138],{"id":137},"danger-raw-queries-prisma-cursor","Danger: Raw Queries Prisma Cursor",[13,140,141,142,144],{},"The main injection risk in Prisma is using ",[31,143,33],{}," incorrectly:",[126,146,148],{"label":147},"DANGEROUS: String interpolation in raw query",[41,149,152],{"className":150,"code":151,"language":46},[44],"// NEVER do this - SQL injection vulnerability\nconst users = await prisma.$queryRaw`\n  SELECT * FROM users WHERE name = '${userInput}'\n`;\n\n// This bypasses Prisma's protection!\n",[31,153,151],{"__ignoreMap":49},[126,155,157],{"label":156},"Safe raw query with parameters",[41,158,161],{"className":159,"code":160,"language":46},[44],"// Safe: Use template literal without quotes\nconst users = await prisma.$queryRaw`\n  SELECT * FROM users WHERE name = ${userInput}\n`;\n// Note: Template literal without quotes around ${userInput}\n",[31,162,160],{"__ignoreMap":49},[164,165,166],"warning-box",{},[13,167,168,171,172,174,175,178],{},[16,169,170],{},"AI code risk:"," Cursor might generate raw SQL queries for complex operations. 
Always review any ",[31,173,33],{}," or ",[31,176,177],{},"$executeRaw"," usage for proper parameterization.",[51,180,182],{"id":181},"part-2-database-connection-security-prisma-vercel","Part 2: Database Connection Security Prisma Vercel",[126,184,186],{"label":185},".env (local development only)",[41,187,190],{"className":188,"code":189,"language":46},[44],"# Never commit this file\n# Set only one DATABASE_URL: the direct URL below, or the pooled pair further down\nDATABASE_URL=\"postgresql://user:password@host:5432/database?sslmode=require\"\n\n# For connection pooling with Prisma (recommended for serverless)\n# Keep sslmode=require on both URLs so TLS is still enforced\nDATABASE_URL=\"postgresql://user:password@host:5432/database?pgbouncer=true&sslmode=require\"\nDIRECT_URL=\"postgresql://user:password@host:5432/database?sslmode=require\"\n",[31,191,189],{"__ignoreMap":49},[126,193,195],{"label":194},"prisma/schema.prisma",[41,196,199],{"className":197,"code":198,"language":46},[44],"datasource db {\n  provider  = \"postgresql\"\n  url       = env(\"DATABASE_URL\")\n  directUrl = env(\"DIRECT_URL\")  // For migrations\n}\n",[31,200,198],{"__ignoreMap":49},[51,202,204],{"id":203},"part-3-authorization-patterns-vercel","Part 3: Authorization Patterns Vercel",[13,206,207],{},"Prisma doesn't have built-in row-level security. 
Implement authorization in your application:",[126,209,211],{"label":210},"Authorization check pattern",[41,212,215],{"className":213,"code":214,"language":46},[44],"// lib/auth.ts\nexport async function getAuthorizedPost(postId: string, userId: string) {\n  const post = await prisma.post.findUnique({\n    where: { id: postId }\n  });\n\n  if (!post) {\n    throw new Error('Post not found');\n  }\n\n  if (post.authorId !== userId) {\n    throw new Error('Not authorized');\n  }\n\n  return post;\n}\n\n// In API route\nexport async function PUT(request: Request) {\n  const session = await getSession();\n  if (!session) {\n    return Response.json({ error: 'Unauthorized' }, { status: 401 });\n  }\n\n  const { id, title, content } = await request.json();\n  await getAuthorizedPost(id, session.user.id);\n\n  const updated = await prisma.post.update({\n    where: { id },\n    data: { title, content }\n  });\n\n  return Response.json(updated);\n}\n",[31,216,214],{"__ignoreMap":49},[51,218,220],{"id":219},"security-checklist","Security Checklist",[222,223,225],"h4",{"id":224},"pre-launch-checklist-for-cursor-prisma-vercel","Pre-Launch Checklist for Cursor + Prisma + Vercel",[13,227,228],{},"DATABASE_URL in Vercel env vars (not in code)",[13,230,231],{},".env files in .gitignore",[13,233,234],{},"No string interpolation in $queryRaw",[13,236,237],{},"Authorization checks on all protected routes",[13,239,240],{},"Sensitive fields excluded from responses",[13,242,243],{},"Input validation with Zod or similar",[13,245,246],{},"Connection pooling configured for serverless",[13,248,249],{},"SSL required for database connection",[13,251,252],{},".cursorignore excludes .env files",[254,255,256,260],"stack-comparison",{},[36,257,259],{"id":258},"alternative-stack-configurations","Alternative Stack Configurations",[254,261,262,265],{},[13,263,264],{},"Cursor + Supabase + Vercel\nSwap Prisma for Supabase client with built-in RLS. 
Different ORM approach with PostgreSQL security.",[41,266,269],{"className":267,"code":268,"language":46},[44],"      Cursor + PlanetScale + Vercel\n      Prisma with PlanetScale MySQL. Same ORM security, different database backend.\n\n\n      T3 Stack Security\n      Full T3 stack with Prisma, tRPC, and Next.js. Type-safe end-to-end security.\n",[31,270,268],{"__ignoreMap":49},[272,273,274,284],"faq-section",{},[275,276,278],"faq-item",{"question":277},"Is Prisma safe from SQL injection?",[13,279,280,281,283],{},"Yes, when using Prisma's standard query methods. All inputs are automatically parameterized. The only risk is using ",[31,282,33],{}," with string interpolation, which bypasses Prisma's protections.",[275,285,287],{"question":286},"Do I need connection pooling on Vercel?",[13,288,289],{},"Yes, strongly recommended. Serverless functions can create many database connections. Use Prisma's built-in connection pooling or services like PgBouncer to prevent connection exhaustion.",[291,292,293,299,304],"related-articles",{},[294,295],"related-card",{"description":296,"href":297,"title":298},"PlanetScale configuration","/blog/blueprints/nextjs-prisma-planetscale","Next.js + Prisma + PlanetScale",[294,300],{"description":301,"href":302,"title":303},"Deep dive into Prisma","/blog/guides/prisma","Prisma Security Guide",[294,305],{"description":306,"href":307,"title":308},"Full T3 stack guide","/blog/blueprints/t3-stack","T3 Stack Security",[310,311,314,318],"cta-box",{"href":312,"label":313},"/","Start Free Scan",[51,315,317],{"id":316},"using-prisma-with-cursor","Using Prisma with Cursor?",[13,319,320],{},"Scan your app for security issues in AI-generated 
code.",{"title":49,"searchDepth":322,"depth":322,"links":323},2,[324,326,327,331,332,333,336],{"id":38,"depth":325,"text":39},3,{"id":53,"depth":322,"text":54},{"id":116,"depth":322,"text":117,"children":328},[329,330],{"id":120,"depth":325,"text":121},{"id":137,"depth":325,"text":138},{"id":181,"depth":322,"text":182},{"id":203,"depth":322,"text":204},{"id":219,"depth":322,"text":220,"children":334},[335],{"id":258,"depth":325,"text":259},{"id":316,"depth":322,"text":317},"blueprints","2026-02-02","2026-02-27","Security guide for Cursor + Prisma + Vercel stack. Secure your database connection, configure Prisma safely, protect against injection, and deploy securely.",false,"md",null,"purple",{},true,"Complete security configuration for Prisma apps built with Cursor on Vercel.","/blog/blueprints/cursor-prisma-vercel","10 min read","[object Object]","Article",{"title":5,"description":340},{"loc":348},"blog/blueprints/cursor-prisma-vercel",[],"summary_large_image","uN1Qe-5A5Nmxr0WJcqZt85zXvpimu7rXXebdb3EVrZA",1775843932556]