Cursor Production Checklist
Comprehensive checklist for configuring Cursor IDE for production use. Covers security hardening, project rules, indexing optimization, privacy settings, and team standardization.
Pre-Flight Checklist
Authentication & Licensing
[ ] All team members authenticated with correct plan (Pro/Business/Enterprise)
[ ] SSO configured (Business/Enterprise) -- see cursor-sso-integration skill
[ ] Privacy Mode enabled (enforced at team level for Business+)
[ ] Verify plan at cursor.com/settings
Project Rules
[ ] .cursor/rules/ directory created and committed to git
[ ] Core project rule with alwaysApply: true (stack, conventions, standards)
[ ] Language-specific rules with glob patterns (*.ts, *.py, etc.)
[ ] Security rule: "Never suggest hardcoded credentials or secrets"
[ ] No sensitive data (API keys, passwords) in any rule file
Minimum viable rule set:
# .cursor/rules/project.mdc
---
description: "Core project context"
globs: ""
alwaysApply: true
---
# Project: [Name]
Stack: [framework, language, database, etc.]
Package manager: [npm/pnpm/yarn]
## Conventions
- [your team conventions here]
- Never commit console.log statements
- All functions require TypeScript return types
- Use Conventional Commits format
# .cursor/rules/security.mdc
---
description: "Security constraints for AI-generated code"
globs: ""
alwaysApply: true
---
# Security Rules
- NEVER hardcode API keys, passwords, or secrets in code
- NEVER disable HTTPS/TLS verification
- ALWAYS use parameterized queries (no string concatenation for SQL)
- ALWAYS validate and sanitize user input
- Use environment variables for all configuration values
Indexing Configuration
[ ] .cursorignore created at project root
[ ] Excluded: node_modules/, dist/, build/, .next/, vendor/
[ ] Excluded: *.min.js, *.map, *.lock, *.sqlite
[ ] Excluded: .env*, secrets/, credentials/
[ ] .cursorindexingignore created for large-but-useful files
[ ] Verified indexing completes (status bar shows "Indexed")
[ ] Tested @Codebase queries return relevant results
Privacy & Security
[ ] Privacy Mode: ON (Cursor Settings > General > Privacy Mode)
[ ] Verified: cursor.com/settings shows "Privacy Mode: Enabled"
[ ] .cursorignore covers all files with PII or regulated data
[ ] API keys (if BYOK) stored in Cursor settings, NOT in project files
[ ] Team members briefed: AI output is a draft, not production-ready code
AI Configuration
[ ] Default model set (Cursor Settings > Models)
[ ] BYOK configured if required by team (see cursor-api-key-management skill)
[ ] Auto mode evaluated vs fixed model selection
[ ] Tab completion enabled and tested
[ ] Conflicting extensions disabled (Copilot, TabNine, Codeium)
Version Control Integration
[ ] .cursor/rules/ committed to git (team shares rules)
[ ] .cursorignore committed to git
[ ] .cursorindexingignore committed to git
[ ] AI-generated commit messages reviewed before pushing
[ ] Pre-commit hooks run (linting, tests) regardless of AI-generated code
Team Onboarding Template
# Cursor IDE Onboarding
## Setup (15 minutes)
1. Download Cursor from cursor.com/download
2. Sign in with your @company.com email (SSO will redirect)
3. Open our project repository in Cursor
4. Wait for indexing to complete (status bar)
## Daily Workflow
- Cmd+L (Chat): Ask questions, plan features
- Cmd+K (Inline Edit): Fix/refactor selected code
- Cmd+I (Composer): Multi-file changes
- Tab: Accept AI completions while typing
## Our Rules
- Project rules are in .cursor/rules/ -- read them
- Always review AI-generated code before committing
- Start new chats for new tasks (don't continue stale conversations)
- Use @Files for specific context, @Codebase for discovery
## Prohibited
- Do NOT paste credentials into Chat/Composer
- Do NOT disable Privacy Mode
- Do NOT commit AI-generated code without review and testing
Maintenance Schedule
| Task | Frequency | How |
|------|-----------|-----|
| Review and update project rules | Monthly | Audit .cursor/rules/ for stale info |
| Verify Privacy Mode enforcement | Quarterly | Admin dashboard or Cursor Settings |
| Rotate API keys (BYOK) | Quarterly | Provider console + Cursor Settings |
| Update .cursorignore | When project structure changes | Add new build/data directories |
| Review extension list | Monthly | Disable unused, check for conflicts |
| Cursor version update | As released | Help > Check for Updates |
| Team onboarding doc update | When workflow changes | Keep setup steps current |
Production Anti-Patterns
| Anti-Pattern | Risk | Fix | |-------------|------|-----| | No .cursor/rules/ | AI generates inconsistent code | Create rules with team conventions | | No .cursorignore | Secrets indexed, large files slow indexing | Add comprehensive ignore patterns | | Privacy Mode off | Code stored by model providers | Enable at team level (admin dashboard) | | One giant conversation | Context overflow, bad suggestions | Start new chat per task | | Blind "Apply All" | Bugs, wrong patterns committed | Review every diff before applying | | No pre-commit hooks | AI-generated bugs reach main branch | Enforce lint + test hooks |
Enterprise Considerations
- Compliance documentation: Maintain records of Cursor configuration for SOC 2 / ISO 27001 audits
- Change management: Treat
.cursor/rules/changes like infrastructure changes -- PR and review - Access reviews: Quarterly review of team membership and seat assignments
- Data classification: Map .cursorignore to your data classification policy