Catch security bugs at write-time
XploitScan ships a set of Cursor rules that teach the IDE to refuse the most common AI security mistakes — unprotected webhooks, hardcoded secrets, missing auth checks, SQL injection — before they ever land in your codebase.
One command
Drops the rules into .cursor/rules/ and .cursorrules. Cursor picks them up automatically.
npx xploitscan cursor install
Requires CLI v1.0.6 or later. npx downloads it on demand.
Manual install
Prefer to copy-paste? Drop the rules below into .cursor/rules/xploitscan-security.mdc in your repo root.
Why this matters
Cursor and other AI coding tools generate code from training data full of tutorials that show the “happy path” — receive webhook, parse body, update database — and skip the security check because it makes the example longer. So when you ask Cursor to “add Stripe payments,” you get the version without signature verification.
XploitScan catches these on a scan after the fact — but the higher-leverage move is to teach Cursor never to write them in the first place. That's what these rules do.
Pair them with the Stripe webhook walkthrough and why traditional SAST tools fail on AI code for the full picture.
The rules
Copy-paste this into .cursor/rules/xploitscan-security.mdc in your project root. Cursor will pick it up the next time you open the project.
# XploitScan Security Rules
# Drop into .cursor/rules/xploitscan-security.mdc
When generating any backend, API, auth, payment, or config code, follow these:
1. WEBHOOKS — always verify signatures with stripe.webhooks.constructEvent
(or the equivalent for Clerk/GitHub/Resend). Use express.raw, not
express.json. Never trust event.type from req.body.
2. NO HARDCODED SECRETS — never write API keys, tokens, or passwords as
string literals. Read from process.env at runtime. .env.example must
contain placeholders only.
3. EVERY API ROUTE NEEDS AUTH — verify identity before any DB query.
Check ownership for object access (caller.id === resource.userId).
IDOR is the #1 vibe-coded vulnerability.
4. NO STRING-CONCATENATED SQL — always use parameterized queries.
Never `SELECT * FROM users WHERE id = ${id}`.
5. CORS WILDCARDS WITH CREDENTIALS — forbidden. Allowlist exact origins.
6. SSRF — validate user-controlled URLs before fetch/redirect. Reject
private CIDRs (10/8, 172.16/12, 192.168/16, 127/8, 169.254.169.254).
7. NEVER PUT TOKENS IN LOCALSTORAGE — use HttpOnly secure cookies.
8. NEVER eval/exec WITH USER INPUT — use execFile with arg arrays.
9. SET SECURITY HEADERS BY DEFAULT — CSP, HSTS, X-Frame-Options, etc.
10. dangerouslySetInnerHTML / v-html — sanitize with DOMPurify first.
11. JWT.VERIFY, NEVER JWT.DECODE — pin algorithms.
12. DON'T LOG SECRETS — strip password/token/apiKey before any log call.
If unsure, scan with: npx xploitscan scan .
Catch what slipped through anyway with a scan:
npx xploitscan scan .
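What rule 6 (SSRF) looks like as code, as an added example that is not part of XploitScan or its rules file. The function names, the caller-supplied DNS results and the IPv6 loopback entry are assumptions of this sketch; the IPv4 ranges are the ones the rule lists.

```javascript
const net = require('node:net');

// Ranges named in rule 6.
const blocked = new net.BlockList();
blocked.addSubnet('10.0.0.0', 8, 'ipv4');
blocked.addSubnet('172.16.0.0', 12, 'ipv4');
blocked.addSubnet('192.168.0.0', 16, 'ipv4');
blocked.addSubnet('127.0.0.0', 8, 'ipv4');
blocked.addAddress('169.254.169.254', 'ipv4'); // cloud metadata endpoint
// Assumption beyond the rule text: also block the IPv6 loopback.
blocked.addAddress('::1', 'ipv6');

// True when the address must not be fetched. Non-IP input fails closed.
function isBlockedAddress(ip) {
  const family = net.isIP(ip);
  if (family === 0) return true;
  return blocked.check(ip, family === 6 ? 'ipv6' : 'ipv4');
}

// rawUrl: the user-controlled URL.
// resolvedAddresses: every address DNS returned for the hostname, supplied
// by the caller (hypothetical parameter; ignored when the host is an IP literal).
function isUrlAllowed(rawUrl, resolvedAddresses = []) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return false; // unparseable input is rejected
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return false;

  // URL normalizes numeric hosts (2130706433 becomes 127.0.0.1) and
  // wraps IPv6 literals in brackets, which net.isIP does not accept.
  const host = url.hostname.replace(/^\[|\]$/g, '');
  const candidates = net.isIP(host) ? [host] : resolvedAddresses;

  if (candidates.length === 0) return false; // unresolved host: fail closed
  // One blocked address among the DNS answers is enough to reject.
  return candidates.every((ip) => !isBlockedAddress(ip));
}
```

The check only holds if the request then connects to one of the addresses that was validated; resolving the hostname a second time at fetch time reopens the gap.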