.cursorrules

🔐 Global Security Constraints

❌ Never hardcode secrets, tokens, passwords, API keys, or credentials.
✅ Always reference them from process.env, Vault, or encrypted config stores.
❌ Disallow insecure code execution: eval, Function, exec, spawn("sh"), vm.runInContext().
❌ Do not concatenate strings for SQL.
✅ Use query builders or parameterized methods only.
❌ Do not log sensitive data: passwords, tokens, auth headers, PII.
✅ Hash passwords with bcrypt, argon2, or scrypt — never MD5 or SHA1.
✅ Use HTTPS for all HTTP requests (unless explicitly localhost for dev).
✅ All user inputs must be sanitized and validated with schema tools (e.g. Zod, Joi).
❌ Never weaken or remove secure headers (CSP, CORS, HSTS, X-Frame-Options).
Security:
- Never hardcode secrets
- use os.Getenv() or config stores
- ensure any user-controllable paths are not subject to path traversal
- Define hard limits on any user-controllable data sources (e.,g. buffers, web requests)

🛡️ Supply Chain Security

Prefer using the standard library for common functionality instead of installing dependencies

🛡️ Code Quality

Constants Use constants and/or descriptive variable names instead of magic numbers
Error Handling: Always check errors, use descriptive error messages, and define errors at the top of relevant files rather than declaring them in-line

🛡️ Secure Defaults

Assume the following unless explicitly overridden:
- CORS: deny, no credentials
- Cookies: HttpOnly, Secure, SameSite=Strict
- HTTP headers: HSTS, X-Content-Type-Options, Referrer-Policy, etc.
- Deny file access to .env, .ssh/, secrets.*, /etc, ~/ unless explicitly allowed.
In web contexts:
- Encode dynamic content
- Block inline event handlers unless sanitized
In Docker/bash:
- No curl | bash, no plaintext secrets
- Use COPY with checksums; use secret mounts/env for credentials
Use modern and recommended patterns in the programming language
Prefer standard library implementations over third-party packages

🧼 Hygiene Enforcement

.cursorignore must exclude:
- .env, *.pem, *.key, secrets.*, credentials.json, private/, .ssh/
Include a rule-check marker:

// RULE-CHECK: Secure rules active
Generated code must include:

// [SECURITY INTENT]: What this protects.
Especially for: validation, auth, crypto, DB, or network access.

🧠 Reasoning Requirements

For sensitive operations, Cursor must add:

// [SECURITY REASONING]: This approach is safe because...
If unsure about destructive or high-privilege actions, ask for confirmation before proceeding.

🧩 Context-Specific Controls

🔙 Backend

Sanitize and validate all input from req.body, req.params, cookies, headers.
No dynamic imports or require(varName) logic.

🌐 Frontend

Escape/encode untrusted content.
Disallow dangerouslySetInnerHTML unless sanitized with DOMPurify or equivalent.

⚙️ DevOps

No embedded secrets in Dockerfiles, bash scripts, or Compose files.
Prefer secrets: mounts or ENV injection.

🛑 Enforcement Policy

If a request requires violating any rule:

“⚠️ This violates hardened security constraints. Action blocked.”
If unsure:

“⚠️ Unclear if this action is secure. Please clarify intent or constraints.”

📜 Auditing Tags (optional, for tracing)

Tag all secure code output with:

// [AI GENERATED SECURE CODE]

🔐 Global Security Constraints

❌ Never hardcode secrets, tokens, passwords, API keys, or credentials.
✅ Always reference them from process.env, Vault, or encrypted config stores.

❌ Disallow insecure code execution: eval, Function, exec, spawn("sh"), vm.runInContext().

❌ Do not concatenate strings for SQL.
✅ Use query builders or parameterized methods only.

❌ Do not log sensitive data: passwords, tokens, auth headers, PII.

✅ Hash passwords with bcrypt, argon2, or scrypt — never MD5 or SHA1.

✅ Use HTTPS for all HTTP requests (unless explicitly localhost for dev).

✅ All user inputs must be sanitized and validated with schema tools (e.g. Zod, Joi).

❌ Never weaken or remove secure headers (CSP, CORS, HSTS, X-Frame-Options).

Security:

Never hardcode secrets
use os.Getenv() or config stores
ensure any user-controllable paths are not subject to path traversal
Define hard limits on any user-controllable data sources (e.,g. buffers, web requests)

🛡️ Secure Defaults

Assume the following unless explicitly overridden:

CORS: deny, no credentials
Cookies: HttpOnly, Secure, SameSite=Strict
HTTP headers: HSTS, X-Content-Type-Options, Referrer-Policy, etc.
Deny file access to .env, .ssh/, secrets.*, /etc, ~/ unless explicitly allowed.

In web contexts:

Encode dynamic content
Block inline event handlers unless sanitized

In Docker/bash:

No curl | bash, no plaintext secrets
Use COPY with checksums; use secret mounts/env for credentials

Use modern and recommended patterns in the programming language

Prefer standard library implementations over third-party packages

🧼 Hygiene Enforcement

.cursorignore must exclude:

.env, *.pem, *.key, secrets.*, credentials.json, private/, .ssh/

Include a rule-check marker:

// RULE-CHECK: Secure rules active

Generated code must include:

// [SECURITY INTENT]: What this protects.
Especially for: validation, auth, crypto, DB, or network access.

🧩 Context-Specific Controls

🔙 Backend

Sanitize and validate all input from req.body, req.params, cookies, headers.

No dynamic imports or require(varName) logic.

🌐 Frontend

Escape/encode untrusted content.

Disallow dangerouslySetInnerHTML unless sanitized with DOMPurify or equivalent.

⚙️ DevOps

No embedded secrets in Dockerfiles, bash scripts, or Compose files.

Prefer secrets: mounts or ENV injection.

.cursorrules

🔐 Global Security Constraints

🛡️ Supply Chain Security

🛡️ Code Quality

🛡️ Secure Defaults

🧼 Hygiene Enforcement

🧠 Reasoning Requirements

🧩 Context-Specific Controls

🔙 Backend

🌐 Frontend

⚙️ DevOps

🛑 Enforcement Policy

📜 Auditing Tags (optional, for tracing)

Related Skills

Repo rules

You are an expert in TypeScript, React Native, Expo, and Mobile App Development.

You are an expert in TypeScript, Node.js, Next.js App Router, React, Shadcn UI, Radix UI and Tailwind.

🔐 Global Security Constraints

🛡️ Supply Chain Security

🛡️ Code Quality

🛡️ Secure Defaults

🧼 Hygiene Enforcement

🧠 Reasoning Requirements

🧩 Context-Specific Controls

🔙 Backend

🌐 Frontend

⚙️ DevOps

🛑 Enforcement Policy

📜 Auditing Tags (optional, for tracing)