.cursorrules

🔐 Global Security Constraints

❌ Never hardcode secrets, tokens, passwords, API keys, or credentials.
✅ Always reference them from process.env, Vault, or encrypted config stores.
❌ Disallow insecure code execution: eval, Function, exec, spawn("sh"), vm.runInContext().
❌ Do not concatenate strings for SQL.
✅ Use query builders or parameterized methods only.
❌ Do not log sensitive data: passwords, tokens, auth headers, PII.
✅ Hash passwords with bcrypt, argon2, or scrypt — never MD5 or SHA1.
✅ Use HTTPS for all HTTP requests (unless explicitly localhost for dev).
✅ All user inputs must be sanitized and validated with schema tools (e.g. Zod, Joi).
❌ Never weaken or remove secure headers (CSP, CORS, HSTS, X-Frame-Options).
Security:
- Never hardcode secrets
- use os.Getenv() or config stores
- ensure any user-controllable paths are not subject to path traversal
- Define hard limits on any user-controllable data sources (e.,g. buffers, web requests)

🛡️ Supply Chain Security

Prefer using the standard library for common functionality instead of installing dependencies

🛡️ Code Quality

Constants Use constants and/or descriptive variable names instead of magic numbers
Error Handling: Always check errors, use descriptive error messages, and define errors at the top of relevant files rather than declaring them in-line

🛡️ Secure Defaults

Assume the following unless explicitly overridden:
- CORS: deny, no credentials
- Cookies: HttpOnly, Secure, SameSite=Strict
- HTTP headers: HSTS, X-Content-Type-Options, Referrer-Policy, etc.
- Deny file access to .env, .ssh/, secrets.*, /etc, ~/ unless explicitly allowed.
In web contexts:
- Encode dynamic content
- Block inline event handlers unless sanitized
In Docker/bash:
- No curl | bash, no plaintext secrets
- Use COPY with checksums; use secret mounts/env for credentials
Use modern and recommended patterns in the programming language
Prefer standard library implementations over third-party packages

🧼 Hygiene Enforcement

.cursorignore must exclude:
- .env, *.pem, *.key, secrets.*, credentials.json, private/, .ssh/
Include a rule-check marker:

// RULE-CHECK: Secure rules active
Generated code must include:

// [SECURITY INTENT]: What this protects.
Especially for: validation, auth, crypto, DB, or network access.

🧠 Reasoning Requirements

For sensitive operations, Cursor must add:

// [SECURITY REASONING]: This approach is safe because...
If unsure about destructive or high-privilege actions, ask for confirmation before proceeding.

🧩 Context-Specific Controls

🔙 Backend

Sanitize and validate all input from req.body, req.params, cookies, headers.
No dynamic imports or require(varName) logic.

🌐 Frontend

Escape/encode untrusted content.
Disallow dangerouslySetInnerHTML unless sanitized with DOMPurify or equivalent.

⚙️ DevOps

No embedded secrets in Dockerfiles, bash scripts, or Compose files.
Prefer secrets: mounts or ENV injection.

🛑 Enforcement Policy

If a request requires violating any rule:

“⚠️ This violates hardened security constraints. Action blocked.”
If unsure:

“⚠️ Unclear if this action is secure. Please clarify intent or constraints.”

📜 Auditing Tags (optional, for tracing)

Tag all secure code output with:

// [AI GENERATED SECURE CODE]

🔐 Global Security Constraints

❌ Never hardcode secrets, tokens, passwords, API keys, or credentials.
✅ Always reference them from process.env, Vault, or encrypted config stores.

❌ Disallow insecure code execution: eval, Function, exec, spawn("sh"), vm.runInContext().

❌ Do not concatenate strings for SQL.
✅ Use query builders or parameterized methods only.

❌ Do not log sensitive data: passwords, tokens, auth headers, PII.

✅ Hash passwords with bcrypt, argon2, or scrypt — never MD5 or SHA1.

✅ Use HTTPS for all HTTP requests (unless explicitly localhost for dev).

✅ All user inputs must be sanitized and validated with schema tools (e.g. Zod, Joi).

❌ Never weaken or remove secure headers (CSP, CORS, HSTS, X-Frame-Options).

Security:

Never hardcode secrets
use os.Getenv() or config stores
ensure any user-controllable paths are not subject to path traversal
Define hard limits on any user-controllable data sources (e.,g. buffers, web requests)

🛡️ Secure Defaults

Assume the following unless explicitly overridden:

CORS: deny, no credentials
Cookies: HttpOnly, Secure, SameSite=Strict
HTTP headers: HSTS, X-Content-Type-Options, Referrer-Policy, etc.
Deny file access to .env, .ssh/, secrets.*, /etc, ~/ unless explicitly allowed.

In web contexts:

Encode dynamic content
Block inline event handlers unless sanitized

In Docker/bash:

No curl | bash, no plaintext secrets
Use COPY with checksums; use secret mounts/env for credentials

Use modern and recommended patterns in the programming language

Prefer standard library implementations over third-party packages

🧼 Hygiene Enforcement

.cursorignore must exclude:

.env, *.pem, *.key, secrets.*, credentials.json, private/, .ssh/

Include a rule-check marker:

// RULE-CHECK: Secure rules active

Generated code must include:

// [SECURITY INTENT]: What this protects.
Especially for: validation, auth, crypto, DB, or network access.

🧩 Context-Specific Controls

🔙 Backend

Sanitize and validate all input from req.body, req.params, cookies, headers.

No dynamic imports or require(varName) logic.

🌐 Frontend

Escape/encode untrusted content.

Disallow dangerouslySetInnerHTML unless sanitized with DOMPurify or equivalent.

⚙️ DevOps

No embedded secrets in Dockerfiles, bash scripts, or Compose files.

Prefer secrets: mounts or ENV injection.

.cursorrules

🔐 Global Security Constraints

🛡️ Supply Chain Security

🛡️ Code Quality

🛡️ Secure Defaults

🧼 Hygiene Enforcement

🧠 Reasoning Requirements

🧩 Context-Specific Controls

🔙 Backend

🌐 Frontend

⚙️ DevOps

🛑 Enforcement Policy

📜 Auditing Tags (optional, for tracing)

Related Skills

Repo rules

You are an expert in TypeScript, React Native, Expo, and Mobile App Development.

Geometry Tutor - Project Structure and Setup Guide

🔐 Global Security Constraints

🛡️ Supply Chain Security

🛡️ Code Quality

🛡️ Secure Defaults

🧼 Hygiene Enforcement

🧠 Reasoning Requirements

🧩 Context-Specific Controls

🔙 Backend

🌐 Frontend

⚙️ DevOps

🛑 Enforcement Policy

📜 Auditing Tags (optional, for tracing)