.cursorrules

description: "Hardened Secure Cursor Rules for Personal Use" version: "1.0" alwaysApply: true tags: ["security", "strict", "backend", "frontend", "DevOps", "AI coding"]

🔐 Global Security Constraints

❌ Never hardcode secrets, tokens, passwords, API keys, or credentials.
✅ Always reference them from
```
process.env
```
, Vault, or encrypted config stores.

❌ Disallow insecure code execution:

eval

Function

exec

spawn("sh")

vm.runInContext()

❌ Do not concatenate strings for SQL.
✅ Use query builders or parameterized methods only.
❌ Do not log sensitive data: passwords, tokens, auth headers, PII.
✅ Hash passwords with
```
bcrypt
```
,
```
argon2
```
, or
```
scrypt
```
— never MD5 or SHA1.
✅ Use HTTPS for all HTTP requests (unless explicitly
```
localhost
```
for dev).
✅ All user inputs must be sanitized and validated with schema tools (e.g. Zod, Joi).
❌ Never weaken or remove secure headers (CSP, CORS, HSTS, X-Frame-Options).
Security:
- Never hardcode secrets
- use
```
os.Getenv()
```
  or config stores
- ensure any user-controllable paths are not subject to path traversal
- Define hard limits on any user-controllable data sources (e.,g. buffers, web requests)

🛡️ Supply Chain Security

Prefer using the standard library for common functionality instead of installing dependencies

🛡️ Code Quality

Constants Use constants and/or descriptive variable names instead of magic numbers
Error Handling: Always check errors, use descriptive error messages, and define errors at the top of relevant files rather than declaring them in-line

🛡️ Secure Defaults

Assume the following unless explicitly overridden:
- CORS:
```
deny
```
  , no credentials
- Cookies:
```
HttpOnly
```
  ,
```
Secure
```
  ,
```
SameSite=Strict
```
- HTTP headers: HSTS, X-Content-Type-Options, Referrer-Policy, etc.
- Deny file access to
```
.env
```
  ,
```
.ssh/
```
  ,
```
secrets.*
```
  ,
```
/etc
```
  ,
```
~/
```
  unless explicitly allowed.
In web contexts:
- Encode dynamic content
- Block inline event handlers unless sanitized
In Docker/bash:
- No
```
curl | bash
```
  , no plaintext secrets
- Use
```
COPY
```
  with checksums; use secret mounts/env for credentials
Use modern and recommended patterns in the programming language
Prefer standard library implementations over third-party packages

🧼 Hygiene Enforcement

.cursorignore

must exclude:

.env

*.pem

*.key

secrets.*

credentials.json

private/

.ssh/

Include a rule-check marker:
```
// RULE-CHECK: Secure rules active
```
Generated code must include:
```
// [SECURITY INTENT]: What this protects.
```
Especially for: validation, auth, crypto, DB, or network access.

🧠 Reasoning Requirements

For sensitive operations, Cursor must add:

// [SECURITY REASONING]: This approach is safe because...

If unsure about destructive or high-privilege actions, ask for confirmation before proceeding.

🧩 Context-Specific Controls

🔙 Backend

Sanitize and validate all input from
```
req.body
```
,
```
req.params
```
, cookies, headers.
No dynamic imports or
```
require(varName)
```
logic.

🌐 Frontend

Escape/encode untrusted content.
Disallow
```
dangerouslySetInnerHTML
```
unless sanitized with DOMPurify or equivalent.

⚙️ DevOps

No embedded secrets in Dockerfiles, bash scripts, or Compose files.
Prefer
```
secrets:
```
mounts or ENV injection.

🛑 Enforcement Policy

If a request requires violating any rule:

“⚠️ This violates hardened security constraints. Action blocked.”
If unsure:

“⚠️ Unclear if this action is secure. Please clarify intent or constraints.”

📜 Auditing Tags (optional, for tracing)

Tag all secure code output with:
```
// [AI GENERATED SECURE CODE]
```

🔐 Global Security Constraints

❌ Never hardcode secrets, tokens, passwords, API keys, or credentials.
✅ Always reference them from

process.env

, Vault, or encrypted config stores.

❌ Disallow insecure code execution:

eval

Function

exec

spawn("sh")

vm.runInContext()

❌ Do not concatenate strings for SQL.
✅ Use query builders or parameterized methods only.

❌ Do not log sensitive data: passwords, tokens, auth headers, PII.

✅ Hash passwords with

bcrypt

argon2

, or

scrypt

— never MD5 or SHA1.

✅ Use HTTPS for all HTTP requests (unless explicitly

localhost

for dev).

✅ All user inputs must be sanitized and validated with schema tools (e.g. Zod, Joi).

❌ Never weaken or remove secure headers (CSP, CORS, HSTS, X-Frame-Options).

Security:

Never hardcode secrets
use
```
os.Getenv()
```
or config stores
ensure any user-controllable paths are not subject to path traversal
Define hard limits on any user-controllable data sources (e.,g. buffers, web requests)

🛡️ Secure Defaults

Assume the following unless explicitly overridden:

CORS:
```
deny
```
, no credentials
Cookies:
```
HttpOnly
```
,
```
Secure
```
,
```
SameSite=Strict
```
HTTP headers: HSTS, X-Content-Type-Options, Referrer-Policy, etc.
Deny file access to
```
.env
```
,
```
.ssh/
```
,
```
secrets.*
```
,
```
/etc
```
,
```
~/
```
unless explicitly allowed.

In web contexts:

Encode dynamic content
Block inline event handlers unless sanitized

In Docker/bash:

No
```
curl | bash
```
, no plaintext secrets
Use
```
COPY
```
with checksums; use secret mounts/env for credentials

Use modern and recommended patterns in the programming language

Prefer standard library implementations over third-party packages

🧼 Hygiene Enforcement

.cursorignore

must exclude:

.env

*.pem

*.key

secrets.*

credentials.json

private/

.ssh/

Include a rule-check marker:

// RULE-CHECK: Secure rules active

Generated code must include:

// [SECURITY INTENT]: What this protects.
Especially for: validation, auth, crypto, DB, or network access.

🧩 Context-Specific Controls

Sanitize and validate all input from

req.body

req.params

, cookies, headers.

No dynamic imports or

require(varName)

logic.

Escape/encode untrusted content.

Disallow

dangerouslySetInnerHTML

unless sanitized with DOMPurify or equivalent.

No embedded secrets in Dockerfiles, bash scripts, or Compose files.

Prefer

secrets:

mounts or ENV injection.

.cursorrules

description: "Hardened Secure Cursor Rules for Personal Use" version: "1.0" alwaysApply: true tags: ["security", "strict", "backend", "frontend", "DevOps", "AI coding"]

🔐 Global Security Constraints

🛡️ Supply Chain Security

🛡️ Code Quality

🛡️ Secure Defaults

🧼 Hygiene Enforcement

🧠 Reasoning Requirements

🧩 Context-Specific Controls

🔙 Backend

🌐 Frontend

⚙️ DevOps

🛑 Enforcement Policy

📜 Auditing Tags (optional, for tracing)

Related Skills

.cursorrules

This is an Elixir library that recompiles Elixir code in its AST form.

This is AI chat app called DeeperSeeker.

description: "Hardened Secure Cursor Rules for Personal Use" version: "1.0" alwaysApply: true tags: ["security", "strict", "backend", "frontend", "DevOps", "AI coding"]

🔐 Global Security Constraints

🛡️ Supply Chain Security

🛡️ Code Quality

🛡️ Secure Defaults

🧼 Hygiene Enforcement

🧠 Reasoning Requirements

🧩 Context-Specific Controls

🔙 Backend

🌐 Frontend

⚙️ DevOps

🛑 Enforcement Policy

📜 Auditing Tags (optional, for tracing)