Windsurf

Windsurf Security Best Practices

Use Windsurf IDE safely with these essential security practices. From Cascade agent safety to code review strategies.

Scan Your Windsurf App — Free

Verify your app follows these best practices automatically.

Windsurf and its Cascade agent can dramatically speed up development, but AI-assisted coding requires security awareness. Follow these practices to build securely.

Quick Wins

Set Cascade to 'Ask' mode for commands
Keep code in version control for easy rollback
Review any auth code Cascade has written
Check for hardcoded secrets in recent changes
Configure telemetry to your comfort level

Security Best Practices

#1Use 'Ask' Mode for Sensitive Operations

critical

Configure Cascade to ask before executing potentially dangerous commands. Don't use Auto mode for unknown operations.

Implementation

Set Cascade to 'Ask' mode in settings, review all proposed actions

#2Never Paste Real Credentials in Prompts

critical

Anything in Cascade prompts may be sent to Codeium servers. Use placeholders for all secrets.

Implementation

Use 'YOUR_API_KEY' placeholders, add real values via environment variables

#3Review Cascade's File Modifications

critical

Before accepting, review all file changes Cascade proposes. AI can make unintended modifications.

Implementation

Use version control, review diffs before accepting

#4Configure Telemetry Settings

high

Review what data Windsurf sends. Adjust settings based on your privacy requirements.

Implementation

Check Settings → Privacy to understand and configure telemetry

#5Limit Workspace Scope

high

Only open directories Cascade needs access to. Don't open your entire home folder.

Implementation

Open specific project folders, not broad parent directories

#6Review AI-Generated Security Code

high

Never auto-accept auth, crypto, or security-related code. AI makes subtle mistakes.

Implementation

Manually verify all security-critical code before accepting

Common Mistakes to Avoid

Auto-accepting Cascade changes

Why it's dangerous:

AI may make unintended or harmful changes

How to fix:

Always review changes before accepting, use version control

Pasting real secrets in prompts

Why it's dangerous:

Prompts are sent to Codeium servers

How to fix:

Use placeholder values, configure real secrets via environment variables

Opening entire home directory as workspace

Why it's dangerous:

Gives Cascade access to all your files, including sensitive ones

How to fix:

Open only the project directory you're working on

Verify Your Windsurf App Security

Following best practices is the first step. Verify your app is actually secure with a comprehensive security scan.

Scan Your App Free

Frequently Asked Questions

Is Cascade safe to use?

Cascade can be used safely with precautions: use 'Ask' mode, review all changes, don't share secrets, and limit workspace scope. It's a powerful tool that requires careful use.

Does Windsurf send my code to external servers?

Yes, by default Windsurf sends code context to Codeium servers for AI processing. Enterprise plans offer on-premise options. Check privacy settings for configuration options.

Can Cascade delete my files?

Yes, if you allow it. Cascade can execute file operations. Use 'Ask' mode to review destructive operations before they execute. Keep backups and use version control.

Related Windsurf Security Resources

Windsurf Security OverviewWindsurf Security IssuesWindsurf Security RisksIs Windsurf Safe?

Last updated: January 2026