
Cursor Security Setup for AI Coding

How I configure Cursor's ignore rules to reduce accidental exposure of sensitive files — and why separating .cursorignore from .cursorindexingignore matters.

Published: 2026-05-13
Updated: 2026-05-13
Category: Cursor
Read time: 6 min

Cursor reads your project in two distinct contexts: the chat context (what the AI can read when you ask it questions) and the indexing context (what gets embedded for semantic search). Most developers treat these as one thing. They're not, and treating them as one is the single most common source of accidental secret exposure I see in AI-assisted projects.

Two files, two purposes

Cursor supports two separate ignore files. They look identical, but they govern different surfaces:

  • .cursorignore — files the AI cannot read in chat, even if you @-mention them
  • .cursorindexingignore — files excluded from the semantic index, so they never appear in retrieval

The rule I follow: anything sensitive should be in both files. Anything large or noisy (build output, lockfiles) only needs to be in the indexing-ignore.

What goes in each file

Both files:

.env
.env.*
*.pem
*.key
*.p12
secrets/
private/
credentials/

Indexing-ignore only:

node_modules/
.next/
dist/
*.lock
package-lock.json

Why this matters more than you think

When you @-mention a file in Cursor chat, .cursorignore is what prevents the AI from reading it. If your .env is only in .cursorindexingignore, the AI still has access to it in chat — it just won't surface it unprompted.

The indexing-ignore is for retrieval hygiene. The chat-ignore is for actual access control. Conflating them leaves a gap.
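To make the gap concrete, here is a small audit script I would run against a project's two ignore files. It is an added example, not Cursor's own code or the author's template: it approximates gitignore-style matching with fnmatch (Cursor's real matcher is not reproduced, so treat the output as a review list, not a guarantee), and the ignore files and file tree it uses are constructed inline. It classifies each path by the two surfaces, lists what the index drops but chat can still read, and flags files matching the "both files" baseline that are still reachable by @-mention.

```python
"""Audit which project files Cursor chat can still read even though the
semantic index drops them: the gap between .cursorindexingignore and
.cursorignore.

Added example, not Cursor's own code. Matching is a gitignore-style
approximation built on fnmatch (assumption: Cursor's real matcher is not
reproduced here), so the output is a review list, not a guarantee.
"""
import fnmatch
from pathlib import PurePosixPath

# Constructed sample ignore files. The chat-ignore is deliberately thinner
# than the indexing-ignore, which is exactly the mistake the text warns about.
CHAT_IGNORE = """\
.env
*.pem
secrets/
"""

INDEX_IGNORE = """\
.env
.env.*
*.pem
*.key
secrets/
node_modules/
dist/
"""

# The "both files" baseline: patterns that should protect chat as well.
SENSITIVE = """\
.env
.env.*
*.pem
*.key
*.p12
secrets/
private/
credentials/
"""

# Constructed sample project tree (paths relative to the repo root).
SAMPLE_PATHS = [
    ".env",
    ".env.local",
    "config/server.key",
    "secrets/db.json",
    "certs/ca.pem",
    "node_modules/left-pad/index.js",
    "dist/bundle.js",
    "src/app.py",
]


def parse_ignore(text):
    """Return the non-blank, non-comment pattern lines of an ignore file."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.strip().startswith("#")]


def matches(path, pattern):
    """gitignore-style approximation: 'dir/' matches anything under a directory
    of that name; a pattern without '/' matches any single path component;
    anything else is matched against the whole relative path."""
    parts = PurePosixPath(path).parts
    if pattern.endswith("/"):
        return pattern.rstrip("/") in parts[:-1]
    if "/" not in pattern:
        return any(fnmatch.fnmatchcase(part, pattern) for part in parts)
    return fnmatch.fnmatchcase(path, pattern)


def is_ignored(path, patterns):
    return any(matches(path, p) for p in patterns)


def classify(paths, chat_patterns, index_patterns):
    """Map each path to the two surfaces it is exposed on."""
    return {
        p: {
            "chat_readable": not is_ignored(p, chat_patterns),
            "indexed": not is_ignored(p, index_patterns),
        }
        for p in paths
    }


def index_only_exclusions(paths, chat_patterns, index_patterns):
    """Files the index drops but chat can still read (the gap)."""
    report = classify(paths, chat_patterns, index_patterns)
    return [p for p, s in report.items() if s["chat_readable"] and not s["indexed"]]


def unprotected_sensitive(paths, chat_patterns, sensitive_patterns):
    """Sensitive-looking files that an @-mention can still pull into chat."""
    return [p for p in paths
            if is_ignored(p, sensitive_patterns) and not is_ignored(p, chat_patterns)]


def sensitive_patterns_missing(chat_patterns, sensitive_patterns):
    """Baseline secret patterns absent from .cursorignore (exact-string check)."""
    return sorted(set(sensitive_patterns) - set(chat_patterns))


if __name__ == "__main__":
    chat, index, sens = map(parse_ignore, (CHAT_IGNORE, INDEX_IGNORE, SENSITIVE))
    for p, s in classify(SAMPLE_PATHS, chat, index).items():
        print(f"{p:35} chat={s['chat_readable']!s:5} indexed={s['indexed']}")
    print("index-only (chat still reads):", index_only_exclusions(SAMPLE_PATHS, chat, index))
    print("sensitive but chat-readable:  ", unprotected_sensitive(SAMPLE_PATHS, chat, sens))
    print("baseline patterns missing:    ", sensitive_patterns_missing(chat, sens))
```

On the constructed input, node_modules and dist showing up as index-only exclusions is expected and harmless; .env.local and config/server.key showing up there is the finding, because the only thing keeping them out of chat is that nobody has @-mentioned them yet. To use it on a real project, replace the three string constants with the contents of the actual files and SAMPLE_PATHS with a directory walk.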

My baseline setup

I keep a shared template for both files that I copy into every project. The template covers:

  • All common secret file patterns
  • Common certificate and key extensions
  • AWS credential paths
  • SSH key patterns
  • Local database files

The template lives in my Cursor Security Templates AI setup assets — free to use.
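For readers who want to build their own, here is a template I would start from that covers the five categories listed above. It is an added example, not the author's actual template file: the specific patterns (for instance the .aws/ and .ssh/ entries, and the database extensions) are my choices, and the whole block is meant to be copied into both .cursorignore and .cursorindexingignore.

```gitignore
# Constructed baseline for BOTH .cursorignore and .cursorindexingignore.
# Not the author's template; patterns are this example's own choices.

# Common secret files
.env
.env.*
secrets/
private/
credentials/
*.secret
*.secrets.json

# Certificate and key extensions
*.pem
*.key
*.p12
*.pfx
*.jks
*.keystore

# AWS credential paths (only relevant if copied under the project root)
.aws/
aws-credentials*
*.aws.json

# SSH key patterns
.ssh/
id_rsa
id_dsa
id_ecdsa
id_ed25519
*.ppk

# Local database files
*.db
*.sqlite
*.sqlite3
*.db-journal
```

The AWS and SSH entries only do anything if such files sit inside the project tree, which is precisely the situation they are there for: a credentials file copied next to a deployment script is the kind of thing that ends up in an @-mention by accident. Keep the indexing-only patterns (node_modules/, dist/, lockfiles) in a separate section you add only to .cursorindexingignore, so the chat-ignore stays a pure access-control list.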

One more thing

Neither of these files is a substitute for not committing secrets in the first place. Use environment variables, use a secrets manager, use .gitignore. These Cursor ignore files are the last line of defense against AI tooling exposure, not the first.