I’d like to provide some feedback regarding Cursor’s current network allowlisting requirements for enterprise customers.
Today, Cursor requires organizations to allowlist domains such as:
-
api2.cursor.sh
-
api3.cursor.sh
-
api4.cursor.sh
-
*.api5.cursor.sh
-
repo42.cursor.sh
-
*.authentication.cursor.sh
-
authenticator.cursor.sh
The wildcard requirements in particular are creating significant adoption barriers in large enterprise environments.
Many large organizations have strict security policies that explicitly prohibit wildcard allowlisting. While this may seem like a minor configuration detail, in practice it can completely block adoption of Cursor within enterprise networks.
As an example, one of my clients has more than 80,000 employees. Their stated reason for not rolling out Cursor is the complexity and risk associated with the current allowlisting requirements. Instead, developers are pushed toward competing products that have more predictable network requirements.
On a personal level, every time a new endpoint is introduced, I have to:
-
Open a support ticket with internal IT.
-
Schedule time with a support engineer.
-
Temporarily disable the corporate VPN on my machine.
-
Use Cursor for a period of time while network traffic is monitored.
-
Provide the newly discovered domains to IT.
-
Wait for approval and deployment of updated allowlist rules.
This process is repeated whenever network requirements change and creates considerable operational overhead for both developers and IT departments.
From an enterprise perspective, wildcard-based allowlisting does not scale. It is difficult to audit, difficult to approve, and often impossible to get through security review.
I would strongly encourage the team to reconsider the approach and explore alternatives such as:
-
Stable, versioned API endpoints.
-
A smaller set of long-lived domains.
-
Dedicated enterprise endpoints.
-
A published commitment to endpoint stability.
-
A central routing layer that abstracts internal service changes away from customers.
The current strategy may appear operationally convenient, but I believe it is unintentionally preventing adoption within some of the world’s largest companies.
Given how strong Cursor’s product is, it would be unfortunate if network architecture became the primary reason enterprises choose alternative solutions.
Best