Cursor + Next.js pre-launch security checklist
Cursor is a force multiplier for your patterns, including the bad ones. Run through these thirteen checks and use the AI prompt at the bottom to get Cursor to fix them in one pass.
13 checks
Tick through each one
Each item carries a severity and a detector tag; the tag names the SafeToShip scanner module that marks the item pass or fail when you run a scan. Click any item to open its detailed fix guide.
.env / .env.production not exposed at the deploy URL
Severity: Critical. Detector: exposed-files
.git directory not exposed at /.git/HEAD
Severity: Critical. Detector: exposed-files
Source maps not deployed to production
Severity: Medium. Detector: exposed-files
next.config.js not accessible at /next.config.js
Severity: Medium. Detector: exposed-files
No NEXT_PUBLIC_ prefix on any secret value
Severity: Critical. Detector: js-secrets
CSP header set with nonce, not unsafe-inline
Severity: High. Detector: headers
HSTS configured in next.config.js or middleware
Severity: High. Detector: headers
Session cookies Secure + HttpOnly + SameSite
Severity: High. Detector: cookies
API route CORS allowlists explicit origins
Severity: High. Detector: cors
Rate limiting on /api/* sensitive routes
Severity: Medium. Detector: rate-limit
Middleware enforces auth on protected routes
Severity: High. Detector: tech-detect. Use the matcher config to scope middleware execution.
Valid TLS, no mixed content
Severity: High. Detector: ssl
Server header does not leak Next.js version
Severity: Low. Detector: tech-detect
Paste this into Cursor
One prompt that runs the entire checklist as a code review pass.
Audit my Cursor + Next.js app: ensure no .env, .git, source maps, or next.config.js are accessible at deployed URLs, remove any NEXT_PUBLIC_ prefix on secret values, set CSP via middleware using a per-request nonce (not unsafe-inline), set HSTS, configure Secure+HttpOnly+SameSite on session cookies, allowlist explicit origins on /api/* CORS, add rate limiting on auth + write routes via @upstash/ratelimit, ensure middleware enforces auth on protected pages with a proper matcher, confirm TLS validity, and remove server tech disclosure (X-Powered-By header).
FAQ
Frequently asked questions
- Will Cursor really fix all of this in one prompt?
- It can fix most of them if your codebase has consistent patterns to follow. For larger fixes (CSP nonce + middleware), break the prompt into individual items — Cursor handles a single concrete change much better than a 12-item omnibus.
- How do I check the deployed URL exposures?
- Run a SafeToShip scan on the deployed URL — the exposed-files scanner tries 89 common paths including .env variants, .git, source maps, and config files. Manual curl works too: curl -I https://yoursite.com/.env
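A manual curl -I only shows the status line, and many hosts answer 200 with a catch-all HTML page for any path, so a status alone can give a false pass or a false fail. The following is an added example written for this page, not SafeToShip's scanner. It probes your own deploy URL for the four exposure paths on this checklist, classifies each response by status, content type and a content marker, and extracts the sourceMappingURL reference from a bundle so you can confirm the .map file is not reachable. It assumes Node 18 or later for the global fetch.

```javascript
// Added example, not SafeToShip's scanner. Assumes Node 18+ (global fetch).
// Paths and severities are taken from the checklist; the marker regexes are
// constructed here to tell a real hit from a catch-all 200 page.
const PROBES = [
  { path: "/.env", severity: "Critical", marker: /^[A-Z_][A-Z0-9_]*=/m },
  { path: "/.env.production", severity: "Critical", marker: /^[A-Z_][A-Z0-9_]*=/m },
  { path: "/.git/HEAD", severity: "Critical", marker: /^ref: refs\/heads\//m },
  { path: "/next.config.js", severity: "Medium", marker: /module\.exports|export default|nextConfig/ },
];

// Pure classification so it can be unit-tested without a network.
// status: HTTP status; contentType: header value; body: first few KB of text.
function classify(probe, status, contentType, body) {
  if (status !== 200) {
    return { path: probe.path, exposed: false, reason: `status ${status}` };
  }
  if (!probe.marker.test(body)) {
    const reason = /text\/html/i.test(contentType || "")
      ? "catch-all HTML page"
      : "200 but no expected content";
    return { path: probe.path, exposed: false, reason };
  }
  return { path: probe.path, exposed: true, severity: probe.severity, reason: "content matches" };
}

// Source-map check: a production bundle should not reference a reachable .map.
// Returns the URL from a sourceMappingURL comment, or null when there is none.
function sourceMapReference(bundleText) {
  const m = bundleText.match(/\/\/[#@]\s*sourceMappingURL=(\S+)/);
  return m ? m[1] : null;
}

// One line per probe, FAIL first so it stands out in CI logs.
function formatReport(results) {
  return results
    .map((r) => `${r.exposed ? "FAIL" : "ok  "} ${r.path} (${r.reason})`)
    .join("\n");
}

// Fetches each probe path under baseUrl without following redirects, so a
// redirect to a login page is reported as its 3xx status, not as exposure.
async function probeSite(baseUrl) {
  const results = [];
  for (const probe of PROBES) {
    const res = await fetch(new URL(probe.path, baseUrl), { redirect: "manual" });
    const body = (await res.text()).slice(0, 4096);
    results.push(classify(probe, res.status, res.headers.get("content-type"), body));
  }
  return results;
}
```

Call probeSite("https://yoursite.example") from a small script and print formatReport(results); treat any FAIL line as a release blocker. For source maps, fetch one of your deployed /_next/static chunks, pass its text to sourceMapReference, and confirm the referenced .map URL returns 404.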
Per-issue depth
Fix guides for this checklist
Exposed .env file
An exposed .env file is a critical leak — it contains API keys, database URLs, and secrets. Here is why it happens in vibe-coded apps and how to lock it down.
Missing CSP header
Without a Content-Security-Policy header, any script injection bug on your site runs unhindered in the browser. Here is what CSP does, why you need it, and how to add it in Next.js, Vercel, and Supabase apps.
Cookie missing Secure flag
Cookies without the Secure flag can be sent over HTTP, leaking session tokens to anyone on the same network. Here is how to set it.
CORS allows all origins
An Access-Control-Allow-Origin: * policy lets any site call your API. Sometimes that is fine, often it is a mistake. Here is how to decide and fix it.
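The deciding question is whether the endpoint returns anything tied to a user: a wildcard is acceptable only for public, credential-free data, and it must never be combined with Access-Control-Allow-Credentials. The following is an added example written for this page, not SafeToShip's code and not from any Next.js project. It shows an explicit allowlist for a Next.js route handler (the origins in ALLOWED_ORIGINS are invented), the preflight decision, and a small audit that flags the two misconfigurations the cors detector is concerned with.

```javascript
// Added example, not SafeToShip's code. The allowlist origins are invented;
// replace them with the browser origins that legitimately call your API.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://admin.example.com",
]);

// CORS headers for one request, or null when the origin is not allowed.
// The Origin value is echoed only after an exact match, never reflected blindly.
function corsHeaders(originHeader, allowed = ALLOWED_ORIGINS) {
  if (!originHeader || !allowed.has(originHeader)) return null;
  return {
    "Access-Control-Allow-Origin": originHeader,
    "Access-Control-Allow-Credentials": "true",
    "Access-Control-Allow-Methods": "GET, POST, OPTIONS",
    "Access-Control-Allow-Headers": "Content-Type, Authorization",
    // Caches must key on Origin, or one allowed origin's response could be
    // served to a different origin.
    Vary: "Origin",
  };
}

// What a route handler should return: { status, headers }.
// A preflight from a disallowed origin gets 403 with no CORS headers, so the
// browser refuses to send the real request.
function handleCors(method, originHeader, allowed = ALLOWED_ORIGINS) {
  const headers = corsHeaders(originHeader, allowed);
  if (method === "OPTIONS") {
    return headers ? { status: 204, headers } : { status: 403, headers: {} };
  }
  // For the actual request, omitting CORS headers is enough: the browser then
  // blocks the cross-origin page from reading the response.
  return { status: 200, headers: headers || {} };
}

// Audit of a response's CORS headers. A wildcard is only acceptable for
// public, credential-free data; a wildcard plus credentials is always wrong.
function auditCors(responseHeaders) {
  const h = Object.fromEntries(
    Object.entries(responseHeaders).map(([k, v]) => [k.toLowerCase(), v])
  );
  const findings = [];
  const allowOrigin = h["access-control-allow-origin"];
  if (allowOrigin === "*") {
    findings.push("wildcard origin: any site can read this response");
    if (h["access-control-allow-credentials"] === "true") {
      findings.push("wildcard with credentials: browsers reject the pair, and it signals a broken config");
    }
  }
  return findings;
}
```

In a route handler file this maps onto the exported OPTIONS and POST functions: read req.headers.get("origin"), call handleCors with the method, and return new Response(body, { status, headers }). Run auditCors over the headers your deployed /api/* routes actually send to confirm the wildcard is gone.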
Run the scan to confirm each check
60 seconds. Free. No account required.