
Privacy and Security

Your company just approved Cursor for the engineering team, but the security review flagged three concerns: code is sent to third-party AI providers, agents can execute arbitrary terminal commands, and MCP servers create network connections the team does not fully understand. Your CISO wants answers before the rollout continues.

This is not a hypothetical scenario; it is the standard conversation that happens before any enterprise Cursor deployment. Understanding Cursor’s security model and knowing which controls to enable is essential for using it in production environments with sensitive codebases. This page covers:

  • A clear understanding of what data Cursor sends to AI providers and what stays local
  • Privacy mode configuration and its trade-offs
  • Terminal command security controls and safe auto-run configuration
  • MCP server security considerations
  • Enterprise SSO, SCIM, and audit capabilities

By default, Cursor sends the following to AI model providers:

  • Code context: Files and code snippets included in your prompt (via @file mentions, open tabs, or agent exploration)
  • Your prompt text: The natural language instructions you type
  • Terminal output: When the agent runs commands and reads the output
  • Search results: When the agent searches your codebase, the matched code is sent as context

Cursor does not send your entire codebase with a request; it sends only the files and code snippets relevant to the current prompt. Codebase indexing, if enabled, is a separate data flow: Cursor’s documentation describes uploading file chunks to its servers to compute embeddings, which are stored together with obfuscated file paths while the plaintext code is not retained. Semantic search runs against that index, and only the matching snippets are added to the model request. Confirm the current indexing behaviour in Cursor’s security documentation before approving it for sensitive repositories, and use .cursorignore to keep files out of the index entirely.

Privacy mode ensures that your code is not stored or used for training by AI providers. Enable it in Cursor Settings > Privacy; on Business and Enterprise plans an admin can enforce it for every member of the team. When privacy mode is on:

  • Code sent to AI models is not retained after the response is generated
  • Your prompts and code are not used to train or improve models
  • Cursor does not cache your code on its servers beyond what is needed to generate the response

Privacy mode governs retention and training, not transmission: the context listed above still leaves your machine and reaches Cursor and the model provider for the duration of the request.

Agents can suggest and run terminal commands. By default, every command requires your manual approval before execution. This is the most important security control in Cursor.

If you want to enable auto-run for productivity while maintaining security, use the allowlist approach: configure auto-run so that only commands on an explicit allowlist execute without a prompt, and everything else still requires your approval.

Cursor has a mode that skips all terminal command approval. The official documentation explicitly warns against using it: “Never use ‘Run Everything’ mode, which skips all safety checks.” This is not a feature to enable in any environment where security matters.

The allowlist is best-effort; the documentation acknowledges that bypasses are possible. Treat it as a convenience layer, not a security boundary: an allowlisted binary can still run arbitrary code through its arguments (git’s -c options, npm scripts defined by the repository, find -exec), and command chaining or substitution can hide a second command behind an allowed first word. Always review agent-generated code before committing, regardless of your auto-run settings.

MCP (Model Context Protocol) servers extend Cursor’s capabilities by connecting to external tools and data sources. Each MCP connection requires your explicit approval. After approval, individual tool calls still require per-invocation approval by default.

  • Only install MCP servers from trusted sources, and pin the version you reviewed
  • Review what capabilities each MCP server provides before approving the connection
  • Understand that MCP servers can make network requests: verify where the data goes
  • Treat data an MCP tool returns (web pages, tickets, documents) as untrusted input to the model, since it can carry instructions the agent may act on
  • For enterprise environments, maintain an approved list of MCP servers
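A practical way to act on the approved-list and "where does the data go" points is to audit the MCP configuration mechanically before it reaches developer machines. The following added example (not Cursor’s code) checks each configured server against an approved list, flags remote servers on unapproved hosts or non-HTTPS transports, unpinned packages fetched by npx or uvx, and secrets embedded inline in env. The approved lists, package names and the configuration itself are constructed; the mcpServers layout with command, args, env and url keys is an assumption about the .cursor/mcp.json format, as is the ${env:...} placeholder syntax, so check both against your Cursor version.

```python
import json
from urllib.parse import urlparse

# Constructed policy: what the security team has approved.
APPROVED_SERVERS = {"github", "postgres-readonly"}
APPROVED_REMOTE_HOSTS = {"mcp.internal.example.com"}
# Package runners that download and execute code at launch time.
RUNNER_COMMANDS = {"npx", "uvx"}

# Constructed .cursor/mcp.json. The "mcpServers" layout (command/args/env for local
# servers, url for remote ones) and the ${env:...} placeholder are assumptions about
# Cursor's format; the package names are hypothetical.
MCP_JSON = """
{
  "mcpServers": {
    "github": {
      "command": "npx",
      "args": ["-y", "@example/mcp-server-github@1.4.2"],
      "env": {"GITHUB_PERSONAL_ACCESS_TOKEN": "${env:GITHUB_TOKEN}"}
    },
    "postgres-readonly": {
      "command": "uvx",
      "args": ["mcp-server-postgres"],
      "env": {"DATABASE_URL": "postgresql://app:Sup3rSecret@db.internal/app"}
    },
    "helpful-search": {
      "url": "https://tools.example.net/mcp"
    }
  }
}
"""


def _is_pinned(package_spec: str) -> bool:
    """npm pins look like name@1.2.3 or @scope/name@1.2.3; uvx pins use name==1.2.3."""
    return "==" in package_spec or "@" in package_spec[1:]


def audit_mcp(config_text: str) -> dict[str, list[str]]:
    """Return findings per configured server; an empty list means every check passed."""
    servers = json.loads(config_text).get("mcpServers", {})
    report = {}
    for name, spec in servers.items():
        findings = []
        if name not in APPROVED_SERVERS:
            findings.append("not on the approved server list")
        if "url" in spec:
            parsed = urlparse(spec["url"])
            if parsed.scheme != "https":
                findings.append(f"remote transport is {parsed.scheme or 'unknown'}, not https")
            if parsed.hostname not in APPROVED_REMOTE_HOSTS:
                findings.append(f"remote host {parsed.hostname} is not an approved host")
        if spec.get("command") in RUNNER_COMMANDS:
            # The first non-option argument is the package the runner will download and run.
            pkg = next((a for a in spec.get("args", []) if not a.startswith("-")), None)
            if pkg is None or not _is_pinned(pkg):
                findings.append(f"unpinned package {pkg!r}: the runner fetches whatever version is current")
        for key, value in spec.get("env", {}).items():
            if not str(value).startswith("${"):
                findings.append(f"inline value for env {key}: secrets should be referenced, not embedded")
        report[name] = findings
    return report


if __name__ == "__main__":
    for server, findings in audit_mcp(MCP_JSON).items():
        status = "ok" if not findings else "; ".join(findings)
        print(f"{server}: {status}")
```

Run it as a pre-commit or CI check on the repository’s .cursor/mcp.json and on the user-level configuration during onboarding; a finding is a conversation starter, not an automatic block, but an unapproved remote host in particular deserves the same review as any new outbound integration.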

Use .cursorignore to prevent the agent from accessing sensitive files:

# Secrets and credentials
.env
.env.*
*.pem
*.key
credentials/
secrets/
# Infrastructure credentials
terraform.tfstate
*.tfvars
# CI/CD secrets
.github/workflows/*secrets*
# Database dumps
*.sql.gz
*.dump

This keeps the agent from reading these files during exploration and, because Cursor also excludes ignored files from indexing, keeps them out of the search index. Combined with .gitignore, it provides defense-in-depth against accidental exposure. Cursor documents .cursorignore as a best-effort control, and it does not change what a terminal command can do: if the agent runs cat .env, or a test prints its configuration, that output reaches the model as terminal output. Keep real secrets out of the working tree where you can. Note also that broad patterns such as .env.* hide files you may want the agent to see, for example a committed .env.example; a later pattern prefixed with ! re-includes them, as in .gitignore.
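Before rolling the file out, check which of the paths you actually care about are covered. The following added example (not Cursor’s matcher) implements the subset of gitignore semantics that .cursorignore uses according to Cursor’s documentation (comments, basename patterns, anchored patterns, directory-only patterns, negation, last match wins) and runs the page’s pattern list, extended with one negation for the committed template, over a constructed set of paths. The paths are constructed and the matcher is an approximation; the authoritative behaviour is whatever Cursor’s implementation does.

```python
import re
from pathlib import PurePosixPath

# Constructed .cursorignore: the page's patterns plus a negation that re-includes the
# committed template, which `.env.*` would otherwise hide from the agent.
CURSORIGNORE = """
# Secrets and credentials
.env
.env.*
!.env.example
*.pem
*.key
credentials/
secrets/
# Infrastructure credentials
terraform.tfstate
*.tfvars
# CI/CD secrets
.github/workflows/*secrets*
# Database dumps
*.sql.gz
*.dump
"""


def _glob_to_regex(pattern: str) -> re.Pattern:
    """Translate a gitignore glob: `*` and `?` stop at `/`, `**` crosses directories."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("".join(out))


def parse_ignore(text: str) -> list[tuple[bool, bool, bool, re.Pattern]]:
    """Return (negated, dir_only, anchored, regex) rules in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        negated = line.startswith("!")
        line = line[1:] if negated else line
        dir_only = line.endswith("/")
        line = line.rstrip("/")
        anchored = "/" in line      # a slash at the start or middle anchors to the root
        line = line.lstrip("/")
        rules.append((negated, dir_only, anchored, _glob_to_regex(line)))
    return rules


def is_ignored(rel_path: str, rules) -> bool:
    """Decide whether the file at rel_path (POSIX, relative to the workspace root) is ignored.
    Later rules override earlier ones, as in .gitignore."""
    parts = PurePosixPath(rel_path).parts
    ignored = False
    for negated, dir_only, anchored, rx in rules:
        if anchored:
            # match the whole path or any leading directory prefix
            candidates = [("/".join(parts[:n]), n < len(parts)) for n in range(1, len(parts) + 1)]
        else:
            # match any single component; every non-final component is a directory
            candidates = [(p, i < len(parts) - 1) for i, p in enumerate(parts)]
        for text, is_dir in candidates:
            if rx.fullmatch(text) and (is_dir or not dir_only):
                ignored = not negated
                break
    return ignored


RULES = parse_ignore(CURSORIGNORE)

# Constructed paths to audit before rollout.
SAMPLE_PATHS = [
    ".env", ".env.local", ".env.example", "infra/prod.tfvars",
    "credentials/aws.json", "credentials", ".github/workflows/deploy-secrets.yml",
    "backup/users.sql.gz", "src/app.py", "config/id_rsa",
]


def audit(paths=SAMPLE_PATHS, rules=RULES) -> dict[str, bool]:
    """Map each path to whether the rules hide it from the agent."""
    return {p: is_ignored(p, rules) for p in paths}


if __name__ == "__main__":
    for path, hidden in audit().items():
        print(f"{'ignored' if hidden else 'VISIBLE':8} {path}")
```

The run shows the kind of gap a file-level audit catches: config/id_rsa stays visible because nothing matches a private key without a .key or .pem suffix, while a plain file named credentials is visible because the trailing slash makes that rule directory-only. Add patterns for the secret formats your repositories actually contain rather than relying on the generic list.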

Enterprise plans support:

  • SSO (Single Sign-On): SAML-based authentication through your identity provider
  • SCIM: Automated user provisioning and deprovisioning

These integrate with standard identity providers (Okta, Azure AD, Google Workspace).

Use Team Rules (managed from the Cursor dashboard) to enforce security practices:

Security requirements for all team members:
- Never hardcode API keys, passwords, or connection strings
- All secrets must come from environment variables
- Never run database migration commands in production environments
- Always use parameterized queries, never string concatenation for SQL
- Review all agent-generated code for injection vulnerabilities before committing

Team Rules with the “Enforce” flag cannot be disabled by individual developers.

Enable workspace trust for added security when opening untrusted repositories:

{
"security.workspace.trust.enabled": true
}

When enabled, opening a new repository prompts you to choose between normal and restricted mode. Restricted mode limits AI features. For untrusted repos, Cursor recommends using a basic text editor instead.

Privacy mode blocks a feature you need. Background Agents require privacy mode to be disabled. If you need cloud-based agents with privacy constraints, evaluate whether the tasks can be done with local Agent mode instead.

Agent reads a file that should be secret. Update .cursorignore immediately. Review the chat history to see what context was sent. Rotate any credentials that may have been exposed: once a secret has been included in a request it has left your machine, so treat it as compromised regardless of privacy mode.

MCP server makes unexpected network requests. Disable the MCP server immediately in Cursor Settings. Review what data the server had access to. Only reinstall after understanding the server’s behavior.

Auto-run executes something it should not have. Tighten your allowlist. Remember that the allowlist is best-effort. For high-security environments, keep auto-run disabled entirely and approve every command manually.