Install XploitScan rules in Cursor

Instead of scanning AFTER Cursor generates vulnerable code, teach Cursor to refuse the most common security mistakes at write-time. One command, zero ongoing effort.

1. Run the install command

From inside your project directory, drop the XploitScan ruleset into Cursor's config:

bash
npx xploitscan cursor install

Creates .cursor/rules/xploitscan-security.mdc (modern format) and .cursorrules (legacy fallback). Idempotent — safe to re-run.

2. Verify the files exist

Check that both files landed where Cursor expects them. On macOS / Linux:

bash
ls -la .cursor/rules/xploitscan-security.mdc .cursorrules

Should show both files. If either is missing, re-run with --force.

3. Restart Cursor (or reopen the project)

Cursor picks up new rule files on project load. If you were already in the project, either restart Cursor or close + reopen the workspace folder. You don't need to tell Cursor about the rules — they're auto-detected.

4. Test that it worked

Ask Cursor to generate a Stripe webhook handler. Before the XploitScan rules were installed, Cursor would hand you a handler that reads req.body directly. After the rules are in place, the same prompt should produce a handler that uses express.raw() and stripe.webhooks.constructEvent() with signature verification.

Try this prompt in Cursor chat

“Add a Stripe webhook handler at /api/webhooks/stripe that increments a user's credit balance on checkout.session.completed.”

The generated code should include stripe.webhooks.constructEvent and express.raw. If it doesn't, the rules aren't loaded — restart Cursor.
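
Why this check looks for express.raw alongside constructEvent, as an added example (not XploitScan's or Stripe's code): a Node standard-library reimplementation of Stripe's documented t=/v1= HMAC-SHA256 header scheme, showing that a signature computed over the raw body no longer verifies once a JSON parser has re-serialized it. The secret, event body, clock value and helper names (signHeader, verifyEvent, check, demo) are constructed for illustration.

```javascript
// Added illustration: Node standard library only; no Stripe SDK or Express needed.
const crypto = require("node:crypto");

// Constructed sample values, not real credentials.
const SECRET = "whsec_constructed_example_secret";
const RAW_BODY = '{"id": "evt_test_1", "type": "checkout.session.completed"}';

// Build a header in Stripe's documented form: t=<unix seconds>,v1=<hex HMAC-SHA256>.
function signHeader(rawBody, secret, timestamp) {
  const mac = crypto.createHmac("sha256", secret)
    .update(`${timestamp}.${rawBody}`, "utf8").digest("hex");
  return `t=${timestamp},v1=${mac}`;
}

// Verify the header against the exact bytes received. Returns the parsed event
// on success and throws otherwise, so the handler never acts on unverified JSON.
function verifyEvent(rawBody, header, secret, nowSec, toleranceSec = 300) {
  const t = Number((header.match(/(?:^|,)t=(\d+)/) || [])[1]);
  const sigs = [...header.matchAll(/(?:^|,)v1=([0-9a-f]{64})(?=,|$)/g)].map((m) => m[1]);
  if (!Number.isFinite(t) || sigs.length === 0) throw new Error("malformed signature header");
  if (Math.abs(nowSec - t) > toleranceSec) throw new Error("timestamp outside tolerance");
  const expected = crypto.createHmac("sha256", secret).update(`${t}.${rawBody}`, "utf8").digest();
  const ok = sigs.some((s) => crypto.timingSafeEqual(Buffer.from(s, "hex"), expected));
  if (!ok) throw new Error("signature mismatch");
  return JSON.parse(rawBody);
}

// Run one case and report the outcome instead of throwing.
function check(body, header, nowSec) {
  try { return verifyEvent(body, header, SECRET, nowSec).type; }
  catch (err) { return `rejected: ${err.message}`; }
}

function demo() {
  const now = 1700000000; // constructed clock value
  const header = signHeader(RAW_BODY, SECRET, now);
  // What a handler sees if a JSON body parser ran first: parsed, then re-serialized.
  const reserialized = JSON.stringify(JSON.parse(RAW_BODY));
  return {
    rawBody: check(RAW_BODY, header, now),
    parsedBody: check(reserialized, header, now),
    forgedSignature: check(RAW_BODY, "t=1700000000,v1=" + "0".repeat(64), now),
    replayed: check(RAW_BODY, header, now + 3600),
  };
}

console.log(demo());
```

Only the rawBody case returns the event type; the re-serialized body, the forged signature and the stale timestamp are all rejected before any JSON is trusted.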

What's in the ruleset

Twelve rules covering the patterns XploitScan catches most often in AI-generated code:

  1. Webhook signature verification (Stripe, Clerk, GitHub, Resend, SendGrid, Supabase)
  2. No hardcoded secrets — everything via process.env
  3. Explicit auth check on every API route; IDOR protection via ownership check
  4. Parameterized SQL queries — no string concatenation
  5. CORS allowlist, never wildcard-with-credentials
  6. SSRF protection — reject private CIDRs on user-controlled URLs
  7. Session tokens in HttpOnly cookies, never localStorage
  8. No eval / new Function / exec with user input
  9. Security headers by default (CSP, HSTS, X-Frame-Options)
  10. DOMPurify before dangerouslySetInnerHTML / v-html
  11. jwt.verify with pinned algorithms, never jwt.decode
  12. Strip secrets / tokens before logging

The full ruleset is on the /cursor page if you want to copy-paste manually.

What the .mdc file looks like

For reference — this is the start of .cursor/rules/xploitscan-security.mdc:

.cursor/rules/xploitscan-security.mdc
---
description: XploitScan security rules for AI-generated code
globs:
  - "**/*.js"
  - "**/*.ts"
  - "**/*.py"
alwaysApply: true
---

# XploitScan Security Rules

1. WEBHOOKS MUST BE SIGNATURE-VERIFIED
   - Stripe: use stripe.webhooks.constructEvent with the raw body
   - Never trust event.type from req.body

2. NO HARDCODED SECRETS
   - Read from process.env at runtime
   ...

Troubleshooting

  • “Command not found: npx”

    Install Node 20+ from nodejs.org, then retry.

  • “File already exists”

    Re-run with --force to overwrite an existing ruleset.

  • Cursor doesn't seem to pick up the rules

    Fully quit Cursor (Cmd-Q, not just close the window) and reopen the project. The rule files are loaded at project-open time.

  • I'm on an older Cursor version without .mdc support

    Use npx xploitscan cursor install --legacy-only to only write .cursorrules.

Rules are in place. Now run a scan to catch anything Cursor wrote before you installed them:

Next: Scan from the terminal →