Hardened Security Cursor Rules

Enterprise-grade security constraints for AI-assisted development across all technology stacks.

Overview

This skill enforces strict security policies during code generation, preventing common vulnerabilities and ensuring secure-by-default practices. It blocks unsafe operations, enforces input validation, prevents secret leakage, and mandates security reasoning for sensitive operations.

Instructions

🔐 Global Security Constraints

**Secrets Management:**

❌ NEVER hardcode secrets, tokens, passwords, API keys, or credentials

✅ ALWAYS reference them from `process.env`, Vault, HashiCorp Vault, AWS Secrets Manager, or encrypted config stores

Add security intent comment: `// [SECURITY INTENT]: Credentials loaded from secure environment variable store`

**Code Execution:**

❌ BLOCK all insecure code execution patterns:

- JavaScript/Node: `eval()`, `Function()`, `vm.runInContext()`

- Shell: `exec()`, `spawn("sh", [userInput])`, piped shell commands with user input

- Python: `exec()`, `eval()`, `__import__(userInput)`

✅ If dynamic execution is required, use sandboxed environments with strict allowlists

**Database Security:**

❌ NEVER concatenate strings for SQL queries

✅ ALWAYS use parameterized queries or query builders (Prisma, Drizzle, SQLAlchemy, etc.)

Example security intent: `// [SECURITY INTENT]: Parameterized query prevents SQL injection`

**Logging Security:**

❌ DO NOT log sensitive data:

- Passwords, tokens, API keys

- Authorization headers

- PII (emails, SSNs, phone numbers unless explicitly masked)

- Credit card numbers, session IDs

✅ Redact sensitive fields before logging: `{ ...data, password: '[REDACTED]' }`

**Authentication:**

✅ Hash passwords with `bcrypt` (cost ≥12), `argon2id`, or `scrypt`

❌ NEVER use MD5, SHA1, or plain SHA256 for passwords

Add reasoning: `// [SECURITY REASONING]: bcrypt with cost factor 12 provides sufficient resistance to brute-force attacks`

**Network Security:**

✅ Use HTTPS for all HTTP requests (exception: `localhost` in development)

✅ Verify TLS certificates (no `rejectUnauthorized: false`)

**Input Validation:**

✅ ALL user inputs must be sanitized and validated with schema tools:

- TypeScript: Zod, Joi, Yup

- Python: Pydantic, Marshmallow

- Go: validator, ozzo-validation

Add security intent: `// [SECURITY INTENT]: Zod schema validates and sanitizes user input before processing`

**Security Headers:**

❌ NEVER weaken or remove secure headers

✅ ALWAYS maintain or strengthen:

- `Content-Security-Policy` (CSP)

- `Strict-Transport-Security` (HSTS)

- `X-Frame-Options: DENY`

- `X-Content-Type-Options: nosniff`

- `Referrer-Policy: strict-origin-when-cross-origin`

**Path Security:**

✅ Validate all user-controllable file paths to prevent directory traversal

✅ Define hard limits on buffers, file uploads, and request sizes

Example: `// [SECURITY REASONING]: Path normalized and validated against allowlist to prevent directory traversal`

🛡️ Supply Chain Security

✅ PREFER standard library functions over third-party dependencies

✅ Audit dependencies for known vulnerabilities before suggesting installation

✅ Pin dependency versions in production

🛡️ Code Quality Standards

**Constants & Clarity:**

✅ Use named constants instead of magic numbers

✅ Use descriptive variable names

Example: `const MAX_LOGIN_ATTEMPTS = 5` instead of `if (attempts > 5)`

**Error Handling:**

✅ ALWAYS check errors explicitly

✅ Use descriptive error messages (avoid leaking internal details to users)

✅ Define error types at the top of files rather than inline

✅ Log errors server-side; return generic messages to clients

🛡️ Secure Defaults

**CORS & Cookies:**

Default CORS: `origin: false`, `credentials: false` (deny all unless explicitly configured)

Default Cookie attributes: `HttpOnly`, `Secure`, `SameSite=Strict`

**HTTP Headers:**

Apply HSTS, X-Content-Type-Options, Referrer-Policy by default

**File Access:**

❌ DENY access to `.env`, `.ssh/`, `secrets.*`, `/etc/`, `~/` unless explicitly allowed

✅ Use `.cursorignore` to exclude sensitive paths

**Web Contexts:**

✅ Encode all dynamic content before rendering

❌ BLOCK inline event handlers unless sanitized with DOMPurify or equivalent

**Docker/Bash:**

❌ NO `curl | bash` or piped installs

❌ NO plaintext secrets in Dockerfiles or shell scripts

✅ Use Docker secret mounts or environment variable injection

✅ Use `COPY` with checksums for sensitive files

🧼 Hygiene Enforcement

**`.cursorignore` Rules:**

```

.env

.env.*

*.pem

*.key

secrets.*

credentials.json

private/

.ssh/

```

**Rule-Check Marker:**

Add to generated files:

```

// RULE-CHECK: Secure rules active

```

**Security Intent Comments:**

For validation, auth, crypto, database, or network code, add:

```

// [SECURITY INTENT]: [What this protects and why it's necessary]

```

Example:

```javascript

// [SECURITY INTENT]: Rate limiting prevents brute-force attacks on login endpoint

const limiter = rateLimit({ windowMs: 15 * 60 * 1000, max: 5 });

```

🧠 Reasoning Requirements

**For Sensitive Operations:**

Add reasoning comment:

```

// [SECURITY REASONING]: [Why this approach is safe and what threats it mitigates]

```

**Confirmation Protocol:**

If asked to perform destructive operations (delete resources, modify auth, change permissions), ask for explicit confirmation before proceeding

If security implications are unclear, state: "⚠️ Unclear if this action is secure. Please clarify intent or constraints."

🧩 Context-Specific Controls

**Backend Development:**

✅ Sanitize and validate ALL input from `req.body`, `req.params`, `req.query`, cookies, headers

❌ NO dynamic imports: `require(userInput)`, `import(userInput)`

✅ Use allowlists for dynamic module loading if absolutely required

**Frontend Development:**

✅ Escape/encode all untrusted content before rendering

❌ DISALLOW `dangerouslySetInnerHTML` unless content is sanitized with DOMPurify

✅ Use CSP to block inline scripts and unsafe-eval

**DevOps/Infrastructure:**

❌ NO embedded secrets in Dockerfiles, docker-compose.yml, Kubernetes manifests, or shell scripts

✅ Use secrets management:

- Docker: `secrets:` mounts

- Kubernetes: Secret resources

- CI/CD: Environment variable injection

✅ Scan container images for vulnerabilities before deployment

🛑 Enforcement Policy

**Rule Violation:**

If a request requires violating any security constraint, respond with:

```

⚠️ This violates hardened security constraints. Action blocked.

Reason: [Specific rule violated]

Safe alternative: [Suggest secure approach]

```

**Uncertainty:**

If unsure whether an action is secure:

```

⚠️ Unclear if this action is secure. Please clarify intent or constraints.

Concerns: [List potential security issues]

```

**Override Protocol:**

If user explicitly requests override, require:

1. Explicit confirmation with reasoning

2. Documentation of security trade-off

3. Mitigation plan

📜 Auditing Tags

Tag all generated secure code with:

```

// [AI GENERATED SECURE CODE]

```

For security-critical sections, add both intent and reasoning:

```javascript

// [AI GENERATED SECURE CODE]

// [SECURITY INTENT]: Validates JWT token to authenticate API requests

// [SECURITY REASONING]: Uses standard library verification with RS256 to prevent token forgery

const decoded = jwt.verify(token, publicKey, { algorithms: ['RS256'] });

```

Examples

❌ Insecure (BLOCKED):

```javascript

// BLOCKED: Hardcoded credentials

const apiKey = "sk_live_abc123";

// BLOCKED: SQL injection risk

db.query(`SELECT * FROM users WHERE id = ${userId}`);

// BLOCKED: Dangerous HTML injection

```

✅ Secure (APPROVED):

```javascript

// [AI GENERATED SECURE CODE]

// [SECURITY INTENT]: API key loaded from secure environment variables

const apiKey = process.env.STRIPE_API_KEY;

// [SECURITY INTENT]: Parameterized query prevents SQL injection

const user = await db.query('SELECT * FROM users WHERE id = $1', [userId]);

// [SECURITY INTENT]: Sanitized HTML prevents XSS attacks

import DOMPurify from 'dompurify';

const clean = DOMPurify.sanitize(userComment);

```

Constraints

**Enforcement**: All rules are mandatory unless explicitly overridden with user confirmation

**Scope**: Applies to all generated code regardless of language or framework

**Precedence**: Security rules override convenience or brevity

**Escalation**: When in doubt about security implications, always ask for clarification before proceeding

Hardened Security Cursor Rules

Hardened Security Cursor Rules

Overview

Instructions

🔐 Global Security Constraints

🛡️ Supply Chain Security

🛡️ Code Quality Standards

🛡️ Secure Defaults

🧼 Hygiene Enforcement

🧠 Reasoning Requirements

🧩 Context-Specific Controls

🛑 Enforcement Policy

📜 Auditing Tags

Examples

❌ Insecure (BLOCKED):

✅ Secure (APPROVED):

Constraints

Reviews (0)