Cursor Security Checklist: 15-Item Guide Before Deploying

TL;DR

This 15-item checklist covers the most common security issues in Cursor-generated projects. 5 critical items must be fixed before launch, 6 important items within the first week, and 4 recommended items when you can. Print this page to use as a physical checklist during code review.

Quick Checklist (5 Critical Items)

Search for hardcoded API keysLook for sk_, pk_, api_key, secret, token in your code

Verify .env is in .gitignoreCheck before pushing to GitHub

Test protected routes without loginTry accessing /dashboard, /admin directly in incognito

Enable RLS on database tables (if using Supabase)Tables without RLS are publicly accessible

Verify client-safe key prefixesOnly NEXT_PUBLIC_, VITE_, REACT_APP_ vars in frontend

API Keys and Secrets 5

Search for hardcoded API keysSearch your codebase for: sk_, pk_, api_key, apiKey, secret, password, token. How to secure API keys

Verify .env is in .gitignoreCheck that .env, .env.local, and similar files are listed in .gitignore. How to secure .env files

Move secrets to environment variablesAll API keys should be in env vars, not hardcoded in source files. How to configure env variables

Check browser Network tabOpen DevTools, refresh the page, and verify no secrets appear in requests. How to inspect network requests

Verify client-safe key prefixesOnly NEXT_PUBLIC_, VITE_, or REACT_APP_ vars should be used client-side. How to separate client/server keys

Authentication 4

Test protected routesTry accessing /dashboard, /admin, /settings directly without logging in. How to test protected routes

Verify server-side authAuthentication should be checked on the server/database, not just frontend. How to implement server-side auth

Check session handlingSessions should expire and logout should clear all tokens. How to configure sessions

Test password reset flowVerify reset links expire and can only be used once. How to secure password reset

Database Security 3

Enable Row Level Security (if using Supabase)RLS must be enabled on ALL tables, not just some. How to set up Supabase RLS

Test data isolationCan User A access User B's data by changing IDs in requests? How to test data isolation

Review database queriesAll queries should use parameterized statements, not string concatenation. How to prevent SQL injection

Input and Output 3

Test form inputs with special charactersEnter <script>alert('xss')</script> in form fields and check it's escaped. How to prevent XSS

Validate input on the serverNever trust client-side validation alone. Validate on the backend. How to validate on server

Check file uploads (if applicable)Validate file types, limit sizes, and store outside web root. How to secure file uploads

How to Use This Checklist

Go through each item before deploying your Cursor project. If you find an issue, fix it before moving on. Some items may not apply to your specific project (for example, file uploads if you don't have that feature).

For the most thorough security review, combine this checklist with an automated security scan. Automated tools can catch issues that are easy to miss in manual review.

What should I check before deploying a Cursor project?

Before deploying a Cursor project, check for hardcoded API keys, verify .gitignore includes .env files, ensure authentication is implemented on both frontend and backend, test database access controls, validate user inputs, and run an automated security scan.

How do I find exposed API keys in my Cursor project?

Search your codebase for common patterns: sk_, pk_, api_key, apiKey, secret, password, and token. Also check browser DevTools Network tab to see what credentials are being sent with requests. Any key visible in the browser is exposed.

Do I need all items on this checklist?

Most items apply to any web application. Some may not apply to your specific project. For example, if you don't have user authentication, skip the auth section. But if your app handles any user data, all sections are relevant.

TL;DR

Quick Checklist (5 Critical Items)

API Keys and Secrets 5

Authentication 4

Database Security 3

Input and Output 3

How to Use This Checklist

What should I check before deploying a Cursor project?

How do I find exposed API keys in my Cursor project?

Do I need all items on this checklist?

Related Articles

Cursor Security Guide

How to Secure API Keys

Supabase Security Checklist

Automate This Checklist

Cursor Security Checklist: 15-Item Guide Before Deploying