What are Windsurf security best practices?

The best practices specific to Windsurf (not generic OWASP)

Every "security best practices" list tells you to use HTTPS and rotate keys. Those are table stakes. The list below is what actually matters for Windsurf apps, based on the risks that appear in real Windsurf deployments.

1. Keep Windsurf updated to latest version

*Why:* 94+ Chromium vulnerabilities discovered in Windsurf's underlying browser engine. *Do this:* Keep Windsurf updated to latest version. Enable auto-updates.

2. Only install MCP servers from trusted sources

*Why:* Malicious MCP servers can execute arbitrary code on your machine. *Do this:* Only install MCP servers from trusted sources. Audit MCP configurations.

3. Review all Cascade suggestions

*Why:* AI-generated code may contain security vulnerabilities. *Do this:* Review all Cascade suggestions. Never auto-accept security-critical code.

4. Enable Zero Data Retention mode for sensitive projects

*Why:* Without Zero Data Retention, code is sent to Codeium servers. *Do this:* Enable Zero Data Retention mode for sensitive projects.

5. Enable Workspace Trust

*Why:* Malicious repositories with hidden configuration can execute code on open. *Do this:* Enable Workspace Trust. Review project files before opening.

Windsurf-specific: audit every table for RLS before every deploy

The failure mode in Windsurf + Supabase apps is always the same: a table gets added during a feature push, RLS never gets turned on, the full table becomes queryable via the anon key. Bake a pre-deploy check: `select tablename from pg_tables where schemaname = 'public' and not rowsecurity` — the result must be empty.

Verification

Even perfect best practices don't prove themselves — the only way to confirm the list above is implemented is to scan a deployed Windsurf app. VAS probes each of secret detection, code security, database security, security headers by actually attempting the attack, not just reading headers or docs.