Hey wonderful guys at Cursor,
Congratulations on building such an amazing product.
I started using Cursor and I can’t get this out of my mind: how my .env credentials and code are handled in API requests.
Base Settings - File Indexation Allowed, privacy mode on, gitignore has .env listed.
Now in this scenario too, I am able to access the .env file in the chat. So logically this is also sent through your API.
Even though the code is not stored on your end, it is stored for 30 days on OpenAI and Claude.
So I feel this is a risk for anyone using it and just wanted more clarity on how a request goes through Cursor and how it works in this scenario. I also read that there is a base scrubber that does not send the .env secrets to the API as well, so I wanted more clarity on this.
I would ideally want to know how the request goes and what is stored on all participants in the flow, so I can be assured on my end to use it from now on. Would really appreciate a detailed reply.
@litecode Is there a way to completely ignore something like a .env file?
I noticed the same thing that @saucr7 did, which concerned me as well: even if the file is in my .gitignore, I can still tag the file in the chat, which presumably means that if you tag an ignored file which has secrets by mistake, it will get sent to Cursor’s servers as well as OpenAI/Anthropic’s.
I mean “completely ignore” in the sense that I would not like it to ever be sent in any request or leave my local machine at all, which would include not being able to tag the file in chat.
This might help prevent mistakes that would result in exposing app secrets.
For reference, prior to more recent developments, there was talk of ‘scrubbers’ that worked to prevent unintentional sharing of secrets etc:
So, for me, this communicates that the Cursor devs are aware of the surrounding dynamics and are creating solutions that will satisfy themselves and other end-users.