Is Cursor safe for production?

Production readiness checklist for Cursor

Not a generic checklist — this is what fails in Cursor apps specifically and therefore what production readiness actually requires:

1. **Secret Detection** — Scans your codebase for any API keys, tokens, or credentials that should be in environment variables.

2. **Code Security** — Analyzes code patterns for common vulnerabilities like injection, XSS, and insecure dependencies.

3. **Database Security** — Tests your database configuration for proper access controls and security policies.

4. **Security Headers** — Verifies your deployed application has proper HTTP security headers configured.

5. **RLS on every table** — Run `select tablename, rowsecurity from pg_tables where schemaname='public'` — any row with `rowsecurity=false` is a production blocker.

Production blockers (must be resolved before launch)

• Prompt Injection in MCP Servers — Review MCP server sources. Avoid untrusted MCP integrations. Watch for suspicious tool calls.
• Workspace Trust Exploitation — Enable Workspace Trust in settings. Review .cursor/ files before opening projects.

Each item here has been observed to cause data exposure in Cursor apps. Shipping to real users without closing these is not a risk calculation — it's a breach waiting.

Go/no-go signal

Run a VAS scan. Zero critical + zero high findings = go. Any critical = absolute no-go. Any high = case-by-case depending on what data the app touches (a portfolio site ≠ a fintech app). This is a more reliable signal than "does it feel ready?" because feelings don't account for prompt injection in mcp servers.