Exposed API Keys in Cursor Projects
Cursor generates code that integrates with APIs, and developers sometimes paste API keys directly into the editor for quick testing. These keys can end up committed to version control or bundled into frontend code.
How It Happens
Developers using Cursor frequently paste API keys into code while testing integrations. Once a key sits in an open file, Cursor's AI treats it as context and starts suggesting code that uses the key directly. When the developer later asks Cursor to refactor or create similar integrations, the AI may hardcode the key again.

Cursor also generates .env examples with placeholder values that developers replace with real keys. If the .env file isn't properly gitignored, or if the developer uses NEXT_PUBLIC_ prefixed variables for secret keys, the keys end up exposed.

Another pattern is Cursor generating test files or scripts that contain real API keys. These files are meant to be temporary but get committed to the repository during rapid development cycles.
Impact
API keys committed to Git repositories are exposed forever, even if later removed from the code. Git history preserves deleted content, and tools like truffleHog or GitLeaks can extract keys from any public repository. Keys exposed in frontend bundles are accessible to anyone who visits the deployed application. For Cursor projects that use AI services, a leaked OpenAI or Anthropic key can result in thousands of dollars in unauthorized usage within hours. Database connection strings and admin keys expose the entire backend infrastructure to unauthorized access, potentially compromising all user data.
How to Detect
Run a secrets scanner like truffleHog or gitleaks on your repository to find any keys committed to Git history. Check for common patterns: sk-, key-, API_KEY=, token=, password=. Review your .env files to ensure they are gitignored. Check frontend environment variables to confirm no secret values use public prefixes (NEXT_PUBLIC_, VITE_, REACT_APP_). Vibe App Scanner analyzes deployed JavaScript bundles for exposed API keys and known secret formats, catching keys that made it past code review.
How to Fix
Add a pre-commit hook that scans for secrets before allowing commits. Tools like Husky with gitleaks-action can block commits that contain API keys. Create a .cursorrules file in your project that instructs Cursor to never hardcode API keys and always use environment variables. Include this rule explicitly: "Never hardcode API keys, tokens, or passwords. Always use process.env." Rotate any key that has been committed to Git, even if you've since removed it. The key exists in Git history and should be considered compromised. Use a secrets manager for production deployments. Store keys in your hosting platform's environment variable settings, not in code or config files.
Code Examples
API integration in a Cursor project
// Cursor suggestion with hardcoded key
const client = new Anthropic({
  apiKey: 'sk-ant-api03-abc123...'
})

// Using environment variables
const client = new Anthropic({
  apiKey: process.env.ANTHROPIC_API_KEY!
})

// .env (gitignored)
// ANTHROPIC_API_KEY=sk-ant-api03-abc123...

Frequently Asked Questions
Does Cursor send my API keys to its servers?
Cursor sends code context to its AI model for suggestions. If API keys are in your open files, they may be included in the context sent to the model. Use environment variables instead of hardcoded keys to avoid this.
How do I prevent Cursor from suggesting hardcoded keys?
Add a .cursorrules file with explicit instructions to use environment variables for all secrets. Also set up ESLint rules that flag hardcoded strings matching API key patterns.
Should I rotate keys if they were only in my local Cursor project?
If the keys were never committed to Git or deployed, they are likely safe. However, if you used Cursor's AI features with those keys in context, consider rotating them as a precaution since the code context is sent to the AI model.