.cursor/rules
Cursor project rules (.cursor/rules) give the assistant persistent, project-specific instructions — including guidance to avoid sensitive paths.
This week: 1% of 499 scanned repos had .cursor/rules.See Radar #4 →
What it is
Project rules are Markdown files under .cursor/rules that Cursor injects into the model’s context. They steer how the assistant behaves in your codebase.
Why use it
Rules are not an access control, but they complement ignore files: you can instruct the assistant to never request or echo secret paths, and to follow your hygiene conventions.
How to set it up
Add a .cursor/rules directory and create one or more .mdc rule files describing conventions and constraints for the project.
# Hygiene
Never read or echo .env, *.key, or *.pem files.
Treat anything under secrets/ as off-limits.What to exclude
Common sensitive categories worth adding to .cursor/rules:
FAQ
- Do rules replace .cursorignore?
- No. Rules guide behavior but do not enforce access. Use .cursorignore to actually block sensitive files, and rules to reinforce the convention.
Check your own project
158 of 499 repos this week exposed sensitive paths to AI tools. Check yours in seconds:
Run the same local check with Offsend CLI:
brew install --cask offsend/tap/offsend-cli
offsend show
offsend prepare --dry-runEverything runs locally. No file contents are uploaded.