.cursorrules

---
description: "Hardened Secure Cursor Rules for Personal Use"
version: "1.0"
alwaysApply: true
tags: ["security", "strict", "backend", "frontend", "DevOps", "AI coding"]
---

## 🔐 Global Security Constraints

- ❌ Never hardcode secrets, tokens, passwords, API keys, or credentials.  
  ✅ Always reference them from `process.env`, Vault, or encrypted config stores.
- ❌ Disallow insecure code execution: `eval`, `Function`, `exec`, `spawn("sh")`, `vm.runInContext()`.
- ❌ Do not concatenate strings for SQL.  
  ✅ Use query builders or parameterized methods only.
- ❌ Do not log sensitive data: passwords, tokens, auth headers, PII.
- ✅ Hash passwords with `bcrypt`, `argon2`, or `scrypt` — **never** MD5 or SHA1.
- ✅ Use HTTPS for all HTTP requests (unless explicitly `localhost` for dev).
- ✅ All user inputs must be sanitized and validated with schema tools (e.g. Zod, Joi).
- ❌ Never weaken or remove secure headers (CSP, CORS, HSTS, X-Frame-Options).

- **Security**: 
  - Never hardcode secrets
  - use `os.Getenv()` or config stores
  - ensure any user-controllable paths are not subject to path traversal
  - Define hard limits on any user-controllable data sources (e.,g. buffers, web requests)

---

## 🛡️ Supply Chain Security

- Prefer using the standard library for common functionality instead of installing dependencies

---

## 🛡️ Code Quality
- **Constants** Use constants and/or descriptive variable names instead of magic numbers
- **Error Handling**: Always check errors, use descriptive error messages, and define errors at the top of relevant files rather than declaring them in-line

---

## 🛡️ Secure Defaults

- Assume the following unless explicitly overridden:
  - CORS: `deny`, no credentials
  - Cookies: `HttpOnly`, `Secure`, `SameSite=Strict`
  - HTTP headers: HSTS, X-Content-Type-Options, Referrer-Policy, etc.
  - Deny file access to `.env`, `.ssh/`, `secrets.*`, `/etc`, `~/` unless explicitly allowed.
- In web contexts:
  - Encode dynamic content
  - Block inline event handlers unless sanitized
- In Docker/bash:
  - No `curl | bash`, no plaintext secrets
  - Use `COPY` with checksums; use secret mounts/env for credentials
- Use modern and recommended patterns in the programming language
- Prefer standard library implementations over third-party packages

---

## 🧼 Hygiene Enforcement

- `.cursorignore` must exclude:
  - `.env`, `*.pem`, `*.key`, `secrets.*`, `credentials.json`, `private/`, `.ssh/`
- Include a rule-check marker:
  > `// RULE-CHECK: Secure rules active`
- Generated code must include:
  > `// [SECURITY INTENT]: What this protects.`  
  Especially for: validation, auth, crypto, DB, or network access.

---

## 🧠 Reasoning Requirements

- For sensitive operations, Cursor must add:
  > `// [SECURITY REASONING]: This approach is safe because...`
- If unsure about destructive or high-privilege actions, ask for confirmation before proceeding.

---

## 🧩 Context-Specific Controls

### 🔙 Backend
- Sanitize and validate all input from `req.body`, `req.params`, cookies, headers.
- No dynamic imports or `require(varName)` logic.

### 🌐 Frontend
- Escape/encode untrusted content.
- Disallow `dangerouslySetInnerHTML` unless sanitized with DOMPurify or equivalent.

### ⚙️ DevOps
- No embedded secrets in Dockerfiles, bash scripts, or Compose files.
- Prefer `secrets:` mounts or ENV injection.

---

## 🛑 Enforcement Policy

- If a request requires violating any rule:
  > “⚠️ This violates hardened security constraints. Action blocked.”

- If unsure:
  > “⚠️ Unclear if this action is secure. Please clarify intent or constraints.”

---

## 📜 Auditing Tags (optional, for tracing)

- Tag all secure code output with:
  > `// [AI GENERATED SECURE CODE]`

---