How to Fix API Key Exposure in Cursor-Built Apps
Cursor AI sometimes generates code with API keys inline, especially when you paste keys during development. This guide covers how to audit your codebase, rotate compromised keys, and set up proper secret management to prevent future exposure.
Follow These Steps
Run a secret scanner on your project
Use an automated tool to find all hardcoded secrets in your codebase.
# Install and run gitleaks
npx gitleaks detect --source . --verbose --no-git
# Or use trufflehog
npx trufflehog filesystem --directory . --only-verified
Check git history for previously committed secrets
Secrets removed from code may still exist in git history.
# Scan git history
npx gitleaks detect --source . --verbose
# Search for specific patterns in history
git log -p --all -S "sk-proj" --diff-filter=A
Rotate every compromised key
Generate new keys at each provider dashboard. Revoke the old keys immediately.
Rotate first, then fix the code. Every minute the old key is active, it could be abused.
Create type-safe environment variable configuration
Set up a centralized, validated environment variable system so missing secrets fail loudly at startup.
// lib/env.ts
import { z } from 'zod'

const envSchema = z.object({
  OPENAI_API_KEY: z.string().min(1, 'OPENAI_API_KEY is required'),
  DATABASE_URL: z.string().url('DATABASE_URL must be a valid URL'),
  STRIPE_SECRET_KEY: z.string().startsWith('sk_', 'Invalid Stripe key'),
  NEXTAUTH_SECRET: z.string().min(32, 'NEXTAUTH_SECRET must be 32+ chars')
})

export const env = envSchema.parse(process.env)
// Now use env.OPENAI_API_KEY instead of process.env.OPENAI_API_KEY
Replace all hardcoded keys with environment variable references
Find every instance of a hardcoded key and replace it with the proper environment variable.
// Before
const openai = new OpenAI({ apiKey: 'sk-proj-abc123' })
// After
import { env } from '@/lib/env'
const openai = new OpenAI({ apiKey: env.OPENAI_API_KEY })
Set up a pre-commit hook to prevent future leaks
Install a git pre-commit hook that scans for secrets before allowing commits.
# Install husky
npm install -D husky
npx husky init
# Create pre-commit hook that scans staged changes
echo "npx gitleaks protect --staged --verbose" > .husky/pre-commit
Add a .cursorrules file with security guidelines
Tell Cursor to never hardcode secrets in generated code.
// .cursorrules
// SECURITY: Never hardcode API keys, secrets, or passwords in code.
// Always use environment variables via process.env or the env helper.
// All API keys must be accessed through lib/env.ts.
// Never prefix secrets with NEXT_PUBLIC_.
// Use parameterized queries for all database operations.
Verify with a security scan
Deploy and scan your app with VAS to confirm no secrets are exposed.
Run the secret scanner as part of your CI pipeline for continuous protection.
What You'll Achieve
All exposed keys are rotated, hardcoded secrets are replaced with validated environment variables, a pre-commit hook prevents future leaks, and Cursor is configured with security guidelines to generate safer code.
Common Mistakes to Avoid
Mistake: Relying on .gitignore alone to protect .env files
Fix: If .env was committed before adding it to .gitignore, it remains in git history. Scrub history with git-filter-repo or rotate all keys.
Mistake: Not checking AI-generated test files for real keys
Fix: Cursor may embed real keys in test fixtures or mock data. Search test directories too.
Mistake: Using process.env without validation
Fix: Unvalidated env vars can be undefined at runtime, causing cryptic errors. Use Zod to validate all required variables at startup.
Frequently Asked Questions
How do I stop Cursor from generating hardcoded keys?
Create a .cursorrules file in your project root with instructions to always use environment variables. Also avoid pasting real API keys into the Cursor chat.
Is my key compromised if it was only in local code?
If the key was never committed to git, deployed, or shared, it may not be compromised. However, rotating it is still the safest practice.
Should I scrub git history or just rotate the key?
Rotating the key is always sufficient for security. Scrubbing git history is optional and mainly prevents embarrassment. Rotation is faster and more reliable.
Ready to Secure Your App?
VAS automatically scans your deployed app for the security issues covered in this guide. Get actionable results in minutes.