Privacy and Security in Cursor

Your company just approved Cursor for the engineering team, but the security review flagged three concerns: code is sent to third-party AI providers, agents can execute arbitrary terminal commands, and MCP servers create network connections the team does not fully understand. Your CISO wants answers before the rollout continues.

This is not a hypothetical scenario — it is the standard conversation that happens before any enterprise Cursor deployment. Understanding Cursor’s security model and knowing which controls to enable is essential for using it in production environments with sensitive codebases.

What You’ll Walk Away With

• A clear understanding of what data Cursor sends to AI providers and what stays local
• Privacy mode configuration and its trade-offs
• Terminal command security controls and safe auto-run configuration
• MCP server security considerations
• Enterprise SSO, SCIM, and audit capabilities

What Data Leaves Your Machine

By default, Cursor sends the following to AI model providers:

• Code context: Files and code snippets included in your prompt (via @file mentions, open tabs, or agent exploration)
• Your prompt text: The natural language instructions you type
• Terminal output: When the agent runs commands and reads the output
• Search results: When the agent searches your codebase, the matched code is sent as context

Cursor does not send your entire codebase. It sends only the specific files and code snippets that are relevant to the current prompt. The semantic search index is built locally and queried locally — only the results are included in the AI request.

Privacy Mode

Privacy mode ensures that your code is not stored or used for training by AI providers. Enable it in Cursor Settings > Privacy. When privacy mode is on:

• Code sent to AI models is not retained after the response is generated
• Your prompts and code are not used to train or improve models
• Cursor does not cache your code on its servers beyond what is needed to generate the response

Caution

Cloud Agents (formerly Background Agents) do work with Privacy Mode on — this is a common misconception. They run in isolated cloud VMs on Cursor’s AWS infrastructure; Cursor retains an encrypted copy of your code only while the agent is running, deletes it afterward, and never trains on it. What you trade is local control: the agent auto-runs every terminal command (no per-command approval) and has internet access, which raises prompt-injection and exfiltration risk. If your policy prohibits any cloud storage of source code, do not enable Cloud Agents (or use the stricter max-privacy “Ghost” mode, which disables them) and stay on local Agent mode.

Terminal Command Security

Agents can suggest and run terminal commands. On macOS (>v2.0) and Linux (>v2.3.0-pre), Agent runs them in a workspace-confined sandbox with network access blocked by default; commands execute automatically as long as they stay inside the sandbox. A command that needs to break out of the sandbox — or any command on Windows without WSL or a devcontainer — falls back to requiring manual approval. The Command Allowlist and approval prompts are the most important security controls here: a command that touches the network or escapes the workspace will not run silently.

Safe Auto-Run Configuration

Auto-run is not configured by typing a natural-language prompt — it is a structured Command Allowlist plus a set of toggles under Cursor Settings > Agents > Auto-Run. Set the Auto-Run Mode to “Run in Sandbox”, then add the commands you trust to run outside the sandbox to the Command Allowlist. Anything not on the allowlist is still subject to the sandbox (network blocked, confined to the workspace) or requires approval.

Tip

Command Allowlist entries for a typical app repo:

Add these to the Command Allowlist (Cursor Settings > Agents > Auto-Run):

vitest
jest
pytest
npm test
go test
tsc
npm run build
cargo build
eslint
prettier
ruff

Deliberately leave destructive and network-touching commands off the allowlist — git push, git rebase, git reset, rm, rmdir, curl, wget, ssh, and anything with sudo. With Auto-Run Network Access disabled, the network-disabled sandbox already neutralizes curl/wget/ssh even if a prompt-injection attempt smuggles one in. Keep File-Deletion Protection on so the agent cannot delete files unprompted.

What “Run Everything” Mode Means

Cursor has a mode that skips all terminal command approval. The official documentation explicitly warns against using it: “Never use ‘Run Everything’ mode, which skips all safety checks.” This is not a feature to enable in any environment where security matters.

The allowlist is best-effort — the documentation acknowledges that bypasses are possible. Treat it as a convenience layer, not a security boundary. Always review agent-generated code before committing, regardless of your auto-run settings.

MCP Server Security

MCP (Model Context Protocol) servers extend Cursor’s capabilities by connecting to external tools and data sources. Each MCP connection requires your explicit approval. After approval, individual tool calls still require per-invocation approval by default.

MCP Security Best Practices

• Only install MCP servers from trusted sources
• Review what capabilities each MCP server provides before approving the connection
• Understand that MCP servers can make network requests — verify where the data goes
• For enterprise environments, maintain an approved list of MCP servers

.cursorignore for Sensitive Files

Use .cursorignore to prevent the agent from accessing sensitive files:

# Secrets and credentials
.env
.env.*
*.pem
*.key
credentials/
secrets/

# Infrastructure credentials
terraform.tfstate
*.tfvars

# CI/CD secrets
.github/workflows/*secrets*

# Database dumps
*.sql.gz
*.dump

This prevents the agent from reading these files during exploration. Combined with .gitignore, it provides defense-in-depth against accidental exposure.

Note

.cursorignore blocks the agent from reading files. It does not prevent the agent from suggesting code that references those files by name. If you ask the agent about your .env configuration, it may hallucinate the contents based on common patterns.

Enterprise Features

SSO and SCIM

• SSO (Single Sign-On): SAML 2.0 authentication through your identity provider, with Just-in-Time (JIT) provisioning. Available at no additional cost on both Teams and Enterprise plans. You can manage SSO enforcement from the admin dashboard.
• SCIM: Automated user provisioning and deprovisioning. Enterprise-only, and it requires an active SSO connection — you must configure SSO first.

These integrate with standard identity providers (Okta, Azure AD/Entra, Google Workspace, and more via WorkOS).

Team Rules for Security Policies

Use Team Rules (managed from the Cursor dashboard) to enforce security practices:

Security requirements for all team members:
- Never hardcode API keys, passwords, or connection strings
- All secrets must come from environment variables
- Never run database migration commands in production environments
- Always use parameterized queries, never string concatenation for SQL
- Review all agent-generated code for injection vulnerabilities before committing

Team Rules with the “Enforce” flag cannot be disabled by individual developers.

Workspace Trust

Enable workspace trust for added security when opening untrusted repositories:

{
  "security.workspace.trust.enabled": true
}

When enabled, opening a new repository prompts you to choose between normal and restricted mode. Restricted mode limits AI features. For untrusted repos, Cursor recommends using a basic text editor instead.

When This Breaks

A policy review claims Cloud Agents are off-limits under Privacy Mode. That is outdated — Cloud Agents (formerly Background Agents) run with Privacy Mode on; Cursor keeps an encrypted copy only while the agent runs and never trains on it. The real constraints to raise with your CISO are that Cloud Agents auto-run every command and have internet access. If even transient cloud storage of code is prohibited, keep work on local Agent mode (or the stricter “Ghost” max-privacy mode, which disables cloud agents).

Agent reads a file that should be secret. Update .cursorignore immediately. Review the chat history to see what context was sent. Rotate any credentials that may have been exposed.

MCP server makes unexpected network requests. Disable the MCP server immediately in Cursor Settings. Review what data the server had access to. Only reinstall after understanding the server’s behavior.

Auto-run executes something it should not have. Tighten your allowlist. Remember that the allowlist is best-effort. For high-security environments, keep auto-run disabled entirely and approve every command manually.

What’s Next

• Team Collaboration — Enforce security practices across your team
• Custom Rules and Templates — Build rules that embed security requirements
• Performance Optimization — Cursorignore improves both security and performance