[{"data":1,"prerenderedAt":213},["ShallowReactive",2],{"blog-checklists/cursor-security-checklist":3},{"id":4,"title":5,"body":6,"category":189,"date":190,"dateModified":191,"description":192,"draft":193,"extension":194,"faq":195,"featured":193,"headerVariant":198,"image":199,"keywords":199,"meta":200,"navigation":201,"ogDescription":202,"ogTitle":199,"path":203,"readTime":199,"schemaOrg":204,"schemaType":205,"seo":206,"sitemap":207,"stem":208,"tags":209,"twitterCard":211,"__hash__":212},"blog/blog/checklists/cursor-security-checklist.md","Cursor Security Checklist: 15-Item Guide Before Deploying",{"type":7,"value":8,"toc":183},"minimark",[9,16,19,22,47,68,88,104,119,124,127,130,152,171],[10,11,12],"tldr",{},[13,14,15],"p",{},"This 15-item checklist covers the most common security issues in Cursor-generated projects. 5 critical items must be fixed before launch, 6 important items within the first week, and 4 recommended items when you can. Print this page to use as a physical checklist during code review.",[13,17,18],{},"Cursor is fantastic for cranking out features, but it tends to take shortcuts on security the same way any AI tool does. The code compiles, the app runs, everything looks fine -- until someone pokes at it. Before you push to production, walk through these 15 items.",[20,21],"print-button",{},[23,24,26,31,35,39,43],"checklist-section",{"title":25},"Quick Checklist (5 Critical Items)",[27,28],"checklist-item",{"description":29,"label":30},"Look for sk_, pk_, api_key, secret, token in your code","Search for hardcoded API keys",[27,32],{"description":33,"label":34},"Check before pushing to GitHub","Verify .env is in .gitignore",[27,36],{"description":37,"label":38},"Try accessing /dashboard, /admin directly in incognito","Test protected routes without login",[27,40],{"description":41,"label":42},"Tables without RLS are publicly accessible","Enable RLS on database tables (if using Supabase)",[27,44],{"description":45,"label":46},"Only NEXT_PUBLIC_, VITE_, REACT_APP_ vars in frontend","Verify client-safe key prefixes",[23,48,51,54,57,61,65],{"title":49,"count":50},"API Keys and Secrets","5",[27,52],{"description":53,"label":30},"Search your codebase for: sk_, pk_, api_key, apiKey, secret, password, token. How to secure API keys",[27,55],{"description":56,"label":34},"Check that .env, .env.local, and similar files are listed in .gitignore. How to secure .env files",[27,58],{"description":59,"label":60},"All API keys should be in env vars, not hardcoded in source files. How to configure env variables","Move secrets to environment variables",[27,62],{"description":63,"label":64},"Open DevTools, refresh the page, and verify no secrets appear in requests. How to inspect network requests","Check browser Network tab",[27,66],{"description":67,"label":46},"Only NEXT_PUBLIC_, VITE_, or REACT_APP_ vars should be used client-side. How to separate client/server keys",[23,69,72,76,80,84],{"title":70,"count":71},"Authentication","4",[27,73],{"description":74,"label":75},"Try accessing /dashboard, /admin, /settings directly without logging in. How to test protected routes","Test protected routes",[27,77],{"description":78,"label":79},"Authentication should be checked on the server/database, not just frontend. How to implement server-side auth","Verify server-side auth",[27,81],{"description":82,"label":83},"Sessions should expire and logout should clear all tokens. How to configure sessions","Check session handling",[27,85],{"description":86,"label":87},"Verify reset links expire and can only be used once. How to secure password reset","Test password reset flow",[23,89,92,96,100],{"title":90,"count":91},"Database Security","3",[27,93],{"description":94,"label":95},"RLS must be enabled on ALL tables, not just some. How to set up Supabase RLS","Enable Row Level Security (if using Supabase)",[27,97],{"description":98,"label":99},"Can User A access User B's data by changing IDs in requests? How to test data isolation","Test data isolation",[27,101],{"description":102,"label":103},"All queries should use parameterized statements, not string concatenation. How to prevent SQL injection","Review database queries",[23,105,107,111,115],{"title":106,"count":91},"Input and Output",[27,108],{"description":109,"label":110},"Enter \u003Cscript>alert('xss')\u003C/script> in form fields and check it's escaped. How to prevent XSS","Test form inputs with special characters",[27,112],{"description":113,"label":114},"Never trust client-side validation alone. Validate on the backend. How to validate on server","Validate input on the server",[27,116],{"description":117,"label":118},"Validate file types, limit sizes, and store outside web root. How to secure file uploads","Check file uploads (if applicable)",[120,121,123],"h2",{"id":122},"how-to-use-this-checklist","How to Use This Checklist",[13,125,126],{},"Go through each item before deploying your Cursor project. If you find an issue, fix it before moving on. Some items may not apply to your specific project (for example, file uploads if you don't have that feature).",[13,128,129],{},"For the most thorough security review, combine this checklist with an automated security scan. Automated tools can catch issues that are easy to miss in manual review.",[131,132,133,140,146],"faq-section",{},[134,135,137],"faq-item",{"question":136},"What should I check before deploying a Cursor project?",[13,138,139],{},"Before deploying a Cursor project, check for hardcoded API keys, verify .gitignore includes .env files, ensure authentication is implemented on both frontend and backend, test database access controls, validate user inputs, and run an automated security scan.",[134,141,143],{"question":142},"How do I find exposed API keys in my Cursor project?",[13,144,145],{},"Search your codebase for common patterns: sk_, pk_, api_key, apiKey, secret, password, and token. Also check browser DevTools Network tab to see what credentials are being sent with requests. Any key visible in the browser is exposed.",[134,147,149],{"question":148},"Do I need all items on this checklist?",[13,150,151],{},"Most items apply to any web application. Some may not apply to your specific project. For example, if you don't have user authentication, skip the auth section. But if your app handles any user data, all sections are relevant.",[153,154,155,161,166],"related-articles",{},[156,157],"related-card",{"description":158,"href":159,"title":160},"Complete security guide for Cursor projects","/blog/guides/cursor","Cursor Security Guide",[156,162],{"description":163,"href":164,"title":165},"Step-by-step guide to hiding your keys","/blog/how-to/secure-api-keys","How to Secure API Keys",[156,167],{"description":168,"href":169,"title":170},"RLS and database security checklist","/blog/checklists/supabase-security-checklist","Supabase Security Checklist",[172,173,176,180],"cta-box",{"href":174,"label":175},"/","Start Free Scan",[120,177,179],{"id":178},"automate-this-checklist","Automate This Checklist",[13,181,182],{},"Our scanner checks all these items automatically and catches issues you might miss.",{"title":184,"searchDepth":185,"depth":185,"links":186},"",2,[187,188],{"id":122,"depth":185,"text":123},{"id":178,"depth":185,"text":179},"checklists","2026-01-23","2026-02-09","Printable 15-item security checklist for Cursor projects. Critical items to check before deploying your AI-generated app to production.",false,"md",[196,197],{"question":136,"answer":139},{"question":142,"answer":145},"green",null,{},true,"Printable security checklist for Cursor projects. 15 items to check before deploying.","/blog/checklists/cursor-security-checklist","[object Object]","HowTo",{"title":5,"description":192},{"loc":203},"blog/checklists/cursor-security-checklist",[210],"Security Checklist","summary_large_image","2v3gkmJlXyZHMDcGCwN2luCE5GgosInolxvOKmGpOKc",1775843931733]