The Developer’s Cursor Checklist: Secure and Smart Practices for Using Cursor AI
Introduction
AI tools like Cursor are powerful, but with power comes the need to be extra cautious. If you’re using Cursor in your workflow, make sure you follow these key security and best practices. A few smart checks now can save you from big headaches later. Before you import any codebase into Cursor, please take a moment to review this checklist:
Scan for Secrets
- Use a secret scanner such as Secretlint or Gitleaks to scan the code for secrets like API keys, passwords, or tokens before you import it.
- Never hard-code secrets. Keep them in a secret manager such as AWS Secrets Manager or Azure Key Vault (or an equivalent service) and read them at runtime.
💡 Pro Tip: Set up Secretlint, Gitleaks, or a similar scanner as a Git pre-commit hook so it scans your staged changes before each commit. If you accidentally leave an API key or password in a file, the commit is blocked until you remove it, which stops the secret from ever reaching the repository (or Cursor's index).
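Here is an added example of such a hook (not code from the original post or from the Secretlint or Gitleaks projects). It runs gitleaks when that is installed and otherwise falls back to a small regex scan over the added lines of the staged diff; the patterns, the file paths and the function names are assumptions for illustration, and the regex list is deliberately a small subset of what a real scanner knows.

```shell
#!/bin/sh
# Added example pre-commit hook (not from the original post).
# Save as .git/hooks/pre-commit and make it executable. It aborts the commit
# when a staged change adds something that looks like a secret.
#
# If gitleaks is installed it does the scanning; otherwise a small built-in
# regex scan runs over the added lines of the staged diff.
# The patterns below are an illustrative subset (assumption: extend for your stack).

QUOTE="[\"']"
SECRET_PATTERNS="AKIA[0-9A-Z]{16}|ghp_[0-9A-Za-z]{36}|-----BEGIN [A-Z ]*PRIVATE KEY-----|(password|passwd|secret|api[_-]?key)[[:space:]]*[:=][[:space:]]*${QUOTE}[^\"']{8,}${QUOTE}"

# scan_added_lines: read a unified diff on stdin, inspect only added lines
# (leading "+", but not the "+++" file header), print any line that matches a
# secret pattern and return 1; return 0 when nothing matched.
scan_added_lines() {
    hits=$(grep -E '^[+]' | grep -Ev '^[+][+][+]' | grep -Ei "$SECRET_PATTERNS" || true)
    if [ -n "$hits" ]; then
        printf 'possible secret: %s\n' "$hits"
        return 1
    fi
    return 0
}

# run_hook: what git executes. A non-zero return aborts the commit.
run_hook() {
    if command -v gitleaks >/dev/null 2>&1; then
        # Assumes a gitleaks v8 release that provides the `protect --staged`
        # pre-commit mode; newer releases spell it `gitleaks git --pre-commit --staged`.
        gitleaks protect --staged --redact
        return $?
    fi
    if ! git diff --cached --unified=0 --no-color | scan_added_lines; then
        echo "pre-commit: secret-like content found in staged changes; commit blocked" >&2
        echo "Remove it (or move it to your secret manager) and try again." >&2
        return 1
    fi
    return 0
}

# Only run when git invokes this file as the pre-commit hook, so the functions
# above can also be sourced and exercised on their own.
case "${0##*/}" in
    pre-commit) run_hook || exit 1 ;;
esac
```

The fallback scan looks only at added lines, so it will not nag about a secret that is already in history; that one still has to be rotated and removed with a history-scanning run of the real tool.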
Turn On Privacy Mode
Cursor sends your code and prompts to its servers and to the model provider to produce suggestions. Great for productivity. Not so great if that data is retained and used to improve models, because proprietary business logic, internal APIs, or confidential workflows then sit outside your control and fragments of them can surface in suggestions made to someone else. Whether that happens depends on how your privacy settings are configured.
How to stay safe: Go to Cursor Settings → Privacy Mode → Enable it
With Privacy Mode enabled, your code is not stored by Cursor or its model providers and is not used to train or influence suggestions for others. Note that the prompt and the relevant code are still sent to the model provider to generate each answer, so Privacy Mode is not a substitute for keeping secrets out of the repository in the first place.
Use the Ignore List
Indexing is most useful for source files that define the main logic of your application. But some files are sensitive, temporary, or simply irrelevant to code suggestions, and indexing those is unnecessary or even risky.
To manage this, go to Cursor Settings → Indexing → Configure Ignored Files.
You can also create a .cursorignore file in the root directory of your codebase and list the files and directories you want to exclude; it uses the same pattern syntax as .gitignore.
Exclude Files and Folders from Indexing:
- Protect sensitive information – such as .env files, API keys, credentials, or configuration files.
- Avoid clutter from non-code files – like large data sets, build artifacts, or documentation.
- Keep experimental code private – so unfinished features or in-progress scripts don’t influence AI suggestions.
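An added example of a .cursorignore covering the three categories above (illustrative, not from the original post; the directory names are assumptions about a typical project layout):

```gitignore
# .cursorignore (added example; gitignore pattern syntax)

# Sensitive: secrets, keys, credential files
.env
.env.*
*.pem
*.key
*.p12
**/secrets/
config/credentials*.yml

# Clutter: dependencies, build output, large data, rendered docs
node_modules/
dist/
build/
target/
data/*.csv
docs/_build/

# In progress: keep experiments out of the index
experiments/
scratch/
```

Treat this as a belt-and-braces control, not the primary one: it keeps files out of Cursor's index, but it does nothing about a secret that is already committed, which still has to be rotated and removed from the repository.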
Choose the Right Model
Not all AI models are created equal. Each model has its own strengths, limitations, and ideal use cases. At the time of writing, Claude 3.7 Sonnet and Gemini 2.5 Pro (Exp 03-25) are considered top-tier performers for coding. But even the best models vary depending on the task at hand.
💡 Pro Tips:
Experiment with multiple models. Don’t lock yourself into a single default. Test your prompts on different models to compare quality and style.
Keep an eye on new releases and benchmark reports. Models are constantly evolving, and new versions often bring significant improvements.
Use Cursor Rules
Want Cursor to write code like your team’s best developer? Set up Cursor Rules to guide AI suggestions with your own standards. Cursor’s AI is powerful, but to make it truly effective for your codebase and team, it needs context. Cursor Rules let you define that context in a way that mimics your team’s best practices.
How to Set Up Cursor Rules
- Inside your project, create rule files under .cursor/rules/. Cursor's project rules are Markdown files with the .mdc extension and a short metadata header that states when the rule applies (always, or only to files matching a glob).
- These files act as reference documents that Cursor reads when generating code, helping it align with your specific style and structure.
- Check in the rules to Git or any version control system you’re using so they’re accessible to everyone on the team.
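An added example of a security-focused project rule (not from the original post or from the Cursor docs). The header keys `description`, `globs` and `alwaysApply`, and the glob itself, are assumptions about the rule format; the body is plain Markdown that the model reads as instructions.

```markdown
---
description: Security baseline for application code
globs: src/**/*.ts
alwaysApply: false
---
# Security rules for generated code

- Never hard-code credentials, tokens or connection strings; read them from
  the environment or the project's secret manager client.
- Validate and type-check all external input (HTTP bodies, query strings,
  file contents) at the boundary before it is used.
- Build database queries with parameterized statements only; never
  concatenate user input into SQL.
- Do not log secrets, session tokens, or full request bodies.
- Do not add a new third-party dependency without saying so in the response
  and explaining why the existing ones are not enough.
- When a change touches authentication or authorization, add a test for the
  denied path, not only the allowed one.
```

Keep rules short and checkable: a reviewer should be able to tick each line off against the generated diff.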
Check out these resources and examples to build your own:
Cursor Directory – Official Docs
Awesome Cursor Rules – GitHub
Add @Docs – Because Model Has a Memory Cutoff
The model behind Cursor doesn’t magically know everything, especially about the latest frameworks or tools. If you’re using something new, such as Spring Boot 3.0 or React 19, the model may not understand it properly because its training data stops at a certain point in time.
Here’s what you can do:
- Go to Settings → Features → Docs → Add new doc
- Paste in the official documentation, changelogs, or pages related to the version you’re using. This gives Cursor the exact material for what you’re working with.
- Reference the doc in your prompt with the @Docs context feature.
💡 Still not getting the right results? Try the tools listed below. These services give Cursor access to better and more up-to-date GitHub documentation.
Remind Cursor to Follow the Rules
Sometimes Cursor doesn’t follow the rules you set and gets too creative. When that happens:
- Add the rule to the context manually using @rule.
- Clearly prompt it: “Please follow cursor rules strictly”
Trust, but Verify – Always Review Cursor’s Code
Cursor can generate code really fast. But it can sometimes skip over important details like security best practices. Speed is great, but unchecked speed can lead to vulnerabilities. It’s possible for Cursor to produce code that looks fine at a glance but hides serious issues under the surface, such as insecure logic, unvalidated inputs, or outdated dependencies.
To protect your codebase, always run generated code through static analysis and dependency scanning before pushing, and treat their findings as blocking rather than advisory:
🧪 Recommended tools:
- SonarQube – for overall code quality, bugs, and vulnerabilities
- PMD – for detecting common programming flaws
- SpotBugs – for identifying potential bugs in Java code
- Checkstyle – for enforcing coding standards and style
- OWASP Dependency Check – for spotting known security vulnerabilities in dependencies
Never assume code is safe just because it looks good. Unreviewed code is how preventable security bugs sneak in and cause real damage, so review and validate every change before it’s merged, especially when an AI wrote it.
Don’t Trust Vibe Code – Stay in Control
Refrain from enabling auto-run mode (aka YOLO mode). It might feel fast, but it’s risky. Always keep a human in the loop and know exactly what’s being executed. Use Cursor for augmented coding, not vibe coding.
Treat it like a pair programmer:
- You break down the architecture and logic
- Cursor handles repetitive patterns and boilerplate
- If it starts generating bad code, you take the wheel
Let Cursor help, but don’t let it lead. You’re the one who understands the business logic, security, and performance trade-offs.
Final Thoughts:
AI can boost your productivity, but it shouldn’t replace your thinking. Use tools like Cursor to speed up the boring stuff, stay aligned with your team’s standards, and avoid costly mistakes. These tools are like a genie – they do what you ask, but not always how you expect. Sometimes they add things you didn’t ask for or skip important design rules. That’s why it’s important to know when to take control, what not to rely on Cursor for, and understand both its strengths and its limits. Follow these tips, stay in control, and let Cursor be your coding sidekick, not your autopilot.
At TO THE NEW, our Generative AI Services help engineering teams build GenAI-augmented development workflows that deliver faster, smarter outcomes, without compromising on quality, security, and most importantly – the human touch.