
cursor-docs/latest/content · Jun 26, 20:20 UTC

pages/agent/security.txt

TXT·2.6 KB·32 lines

route: /docs/agent/security
title: Agent Security
description: Security considerations for using Cursor Agent

Agent Security
AI can behave unexpectedly due to prompt injection, hallucinations, and other issues. We protect users with guardrails that limit what agents can do. By default, sensitive actions require your manual approval. This document explains our guardrails and what they mean for you.
These controls and behaviors are our defaults. We recommend keeping them enabled.
First-party tool calls
Cursor includes tools that help agents write code: reading files, editing files, running terminal commands, searching the web, and more.
Reading files and searching code don't require approval. Use .cursorignore to block agent access to specific files. Actions that could expose sensitive data require your explicit approval.
Agents can modify workspace files without approval, and changes are saved to disk immediately, so always use version control so you can revert them. Configuration files (such as workspace settings) are the exception: they need your approval first.
Warning: If you have auto-reload enabled, agent changes might execute before you can review them.
By default, terminal commands need your approval. To let trusted calls run without prompting, configure Run Modes. They range from a simple allowlist to the Auto-review classifier, and they're best-effort guardrails rather than a hard security boundary.
Third-party tool calls
You can connect external tools using MCP. All MCP connections need your approval. After you approve an MCP connection, each tool call still needs individual approval before running. You can pre-approve specific tools with an MCP allowlist.
Network requests
Attackers could use network requests to steal data. Our tools only make network requests to:
GitHub
Direct link retrieval
Web search providers
Agents cannot make arbitrary network requests with default settings.
Workspace trust
Cursor supports workspace trust, but it's disabled by default. When enabled, it prompts you to choose between normal or restricted mode for new workspaces. Restricted mode breaks AI features. For untrusted repos, use a basic text editor instead.
To enable workspace trust:
Open your user settings.json file
Add the following configuration:
"security.workspace.trust.enabled": true
Organizations can enforce this setting through MDM solutions.
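As an added example that is not part of the Cursor docs: a small check, useful when verifying that the setting is actually in place on managed machines, that reads a user settings.json and reports whether workspace trust is enabled. It assumes the file may contain comments and trailing commas (JSONC); the sample settings text is constructed.

```python
"""Report whether Cursor workspace trust is enabled in a user settings.json.

Added example, not Cursor's own code. Assumes the settings file is JSON
that may carry // and /* */ comments and trailing commas (JSONC).
"""
import json
import re
from pathlib import Path

TRUST_KEY = "security.workspace.trust.enabled"

# Match string literals first (group 1) so that "//" inside a string survives;
# otherwise match a line comment or a block comment to be stripped.
_COMMENT_RE = re.compile(r'("(?:\\.|[^"\\])*")|//[^\n]*|/\*.*?\*/', re.DOTALL)
_TRAILING_COMMA_RE = re.compile(r",(\s*[}\]])")


def load_jsonc(text: str) -> dict:
    """Parse JSONC by removing comments outside strings and trailing commas."""
    no_comments = _COMMENT_RE.sub(lambda m: m.group(1) or "", text)
    return json.loads(_TRAILING_COMMA_RE.sub(r"\1", no_comments))


def workspace_trust_status(settings_text: str) -> str:
    """Return 'enabled', 'disabled' (explicit false) or 'missing'.

    A missing key means the default applies, which the docs state is disabled.
    """
    value = load_jsonc(settings_text).get(TRUST_KEY)
    if value is True:
        return "enabled"
    if value is False:
        return "disabled"
    return "missing"


def check_settings_file(path: Path) -> str:
    """Convenience wrapper for a real settings.json on disk."""
    return workspace_trust_status(path.read_text(encoding="utf-8"))


# Constructed sample: a settings.json with comments and a trailing comma.
SAMPLE_SETTINGS = """{
    // editor prefs
    "editor.fontSize": 14,
    "security.workspace.trust.enabled": true, /* enforced via MDM */
}"""

if __name__ == "__main__":
    print(workspace_trust_status(SAMPLE_SETTINGS))
```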
Responsible disclosure
Found a vulnerability? Email [email protected] with details and steps to reproduce.
We acknowledge vulnerability reports within 5 business days. For critical incidents, we notify all users via email.