This week: 1% of 499 scanned repos had .cursor/rules.See Radar #4 →

What it is

Project rules are Markdown files under .cursor/rules that Cursor injects into the model’s context. They steer how the assistant behaves in your codebase.

Why use it

Rules are not an access control, but they complement ignore files: you can instruct the assistant to never request or echo secret paths, and to follow your hygiene conventions.

How to set it up

Add a .cursor/rules directory and create one or more .mdc rule files describing conventions and constraints for the project.

Example .cursor/rules
# Hygiene
Never read or echo .env, *.key, or *.pem files.
Treat anything under secrets/ as off-limits.

Official Cursor docs →

What to exclude

Common sensitive categories worth adding to .cursor/rules:

FAQ

Do rules replace .cursorignore?
No. Rules guide behavior but do not enforce access. Use .cursorignore to actually block sensitive files, and rules to reinforce the convention.

Check your own project

158 of 499 repos this week exposed sensitive paths to AI tools. Check yours in seconds:

Run the same local check with Offsend CLI:

brew install --cask offsend/tap/offsend-cli
offsend show
offsend prepare --dry-run

Everything runs locally. No file contents are uploaded.