Environment Secrets and Code Security

Hey wonderful guys at Cursor,
Congratulations on building such an amazing product.

I started using Cursor and I can’t get this out of my mind: how my .env credentials and code are handled in API requests.
Base Settings - File Indexation Allowed, privacy mode on, gitignore has .env listed.

Now in this scenario too, I am able to access the .env file in the chat. So logically this is also sent through your API.
Even though the code is not stored on your end, it is stored for 30 days on OpenAI and Claude.

So I feel this is a risk for anyone using it, and I just wanted more clarity on how a request goes through Cursor and how it works in this scenario. I also read that there is a base scrubber that does not send the .env secrets to the API as well, so I wanted more clarity on this.

I would ideally want to know how the request goes and what is stored on all participants in the flow, so I can be assured on my end to use it from now on. Would really appreciate a detailed reply.

Can anyone from the Cursor team please check this? Thanks.