Block accidental leaks with custom logic/regex

Feature request for product/service

– Other –

Describe the request

Hi!

I think a useful security feature would be allowing us to pass a custom regex (or even a callable function) that can block API requests containing sensitive data before they are sent to Cursor’s servers / LLMs.

Even though .cursorignore already handles files like .env, this kind of interceptor would add another configurable and unit-testable layer of security. It would make it much less likely that credentials or other sensitive values leak into the LLM context through logs, printouts, or accidental inclusion.

For example, a company might configure something like:

r"\b(?:\w+)?(?:API_KEY|CREDENTIALS|SECRET(?:[A-Z0-9_]+)?|PASSWORD)\s*[:=]\s*['"]?\S+"

Which would block patterns such as:

SNOWFLAKE_CREDENTIALS=xxxx
OPENAI_API_KEY="sk-…"

For companies with unique sensitive terminology, this could also be extended to filter domain-specific patterns, turning Cursor into a safer enterprise-ready setup.

What do you think about this idea?

Operating System (if it applies)

Linux

Hey, thanks for the feature request. It’s a great idea; security of confidential data is always important. We’ll consider it.

Please pay attention to my request.

This seems like it might be accomplished with Cursor Hooks?

I tried that with beforeSubmitPrompt but didn’t get it to actually trigger the block of requests though.

  • Made sure to have latest version of Cursor (1.7.28) and enable Beta / early features
  • Tried on both Mac and Windows + WSL

# File .cursor/hooks/security-filter.py

#!/usr/bin/env python3
import json
import sys
import re

# Block any prompt containing "abc123"
BLOCKED_PATTERN = r"abc123"

def main():
    try:
        input_data = json.load(sys.stdin)
        prompt = input_data.get("prompt", "")
        
        # Check for the blocked pattern
        if re.search(BLOCKED_PATTERN, prompt, re.IGNORECASE):
            print("SECURITY BLOCK: Pattern 'abc123' detected in prompt!", file=sys.stderr)
            print("Request blocked by security hook.", file=sys.stderr)
            sys.exit(1)  # Block the request
        
        # Allow the request to continue - output the data back
        json.dump(input_data, sys.stdout)
        sys.exit(0)
        
    except Exception as e:
        print(f"Hook error: {e}", file=sys.stderr)
        sys.exit(0)  # Allow on error to avoid breaking Cursor

if __name__ == "__main__":
    main()

# File: .cursor/hooks.json

{
  "version": 1,
  "hooks": {
    "beforeSubmitPrompt": [
      {
        "command": ".cursor/hooks/security-filter.py"
      }
    ]
  }
}

Any ideas?

Or is this Hooks approach just not mature yet?

E.g. this article seems to suggest this beta feature can’t “block” requests in that way yet: Deep Dive into the new Cursor Hooks | Butler's Log
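Added example, not code from any poster or from Cursor: the regex proposed in the first post wrapped in unit-testable functions and run over constructed sample text, with a `decide` function that reads the same `"prompt"` field as the hook script above. The names `find_secrets`, `redact` and `decide` are hypothetical, the return shape of `decide` is an assumption rather than Cursor's hook output format, and refusing unparseable input is a choice of this example.

```python
import json
import re

# Regex from the first post, unchanged. It is case-sensitive as written.
SECRET_RE = re.compile(
    r"""\b(?:\w+)?(?:API_KEY|CREDENTIALS|SECRET(?:[A-Z0-9_]+)?|PASSWORD)\s*[:=]\s*['"]?\S+"""
)

# Constructed sample text; every value is a placeholder, not a real credential.
SAMPLE = (
    "connecting to warehouse...\n"
    "SNOWFLAKE_CREDENTIALS=xxxx\n"
    'OPENAI_API_KEY="sk-constructed"\n'
    "db_password=example\n"  # lowercase name: the regex does not flag this
)


def _name(match):
    """Variable name of a flagged assignment, without its value."""
    return re.split(r"[:=]", match.group(0), maxsplit=1)[0].strip()


def find_secrets(text):
    """Names of the assignments the regex flags (values are never returned)."""
    return [_name(m) for m in SECRET_RE.finditer(text)]


def redact(text):
    """Copy of text with each flagged assignment rewritten as NAME=[REDACTED]."""
    return SECRET_RE.sub(lambda m: _name(m) + "=[REDACTED]", text)


def decide(raw_stdin):
    """Return (allowed, flagged_names) for a JSON payload with a "prompt" field.
    Assumption of this example: input that cannot be parsed is refused,
    whereas the script posted above allows the request on any error."""
    try:
        prompt = json.loads(raw_stdin)["prompt"]
        if not isinstance(prompt, str):
            raise TypeError("prompt is not a string")
    except (ValueError, KeyError, TypeError):
        return False, ["<unparseable payload>"]
    names = find_secrets(prompt)
    return not names, names


if __name__ == "__main__":
    print(find_secrets(SAMPLE), decide(json.dumps({"prompt": SAMPLE})))
```

The `db_password=example` line passes through because the regex is case-sensitive; compiling it with `re.IGNORECASE` would flag it, at the cost of more matches in ordinary prose.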