Questions on .gitignore, .cursorignore, .cursorban

I read Cursor - Build Software Faster and Security | Cursor - The AI Code Editor. I performed tests. I have concerns.

  1. Can .gitignore-ed files “still be included in AI requests, such as if you recently viewed a file and then ask a question in the chat”? (I can add a .gitignore-d file I view, or have recently viewed, to context.)

    Related Post I Found
  2. Is the new “Agent” Composer feature designed to respect .gitignore? I believe it does not respect it. (If chosen, “Agent” Composer can implicitly access an entire project as context. When asked whether it can access a .gitignore-d directory, it answered yes, and listed the files in that directory. When asked whether it could read the contents of those files, it answered yes and showed the contents of one file and one child directory file. See attached screenshots.)

    Screenshots


  3. What security gotchas does “Agent” Composer introduce? I do not see the new “Agent” Composer feature mentioned on either page I read.

  4. What files are considered by Cursor as “recently viewed files” and for how long?

    Related Post I Found
  5. Can a warning occur before use of a “recently used file” if it is .gitignore-d or .cursorignore-d?

My goal is to avoid sensitive data being accidentally transmitted to Cursor (e.g. if Privacy mode is off).

I feel the .cursorban the Cursor team is considering would be a band-aid. Instead, I propose access to .gitignore-d or .cursorignore-d files be strictly respected. Implementing UI to explicitly override inaccessibility of those files could be acceptable. Allowing “recently viewed” files seems vague and implicit.

9 Likes

Thanks for bringing this up. Very concerning and the show-stopper for us to use Cursor. Very bad, because the tool would be great, if it was secure.

1 Like

I definitely hear this… the counter-argument is that it does harm performance by restricting access to auto-generated code files (like TS headers generated from protobuf) which are really useful for getting things right. It takes a lot of the magic out of it. Additionally the case of the agent, setting up and modifying an .env file is a pretty standard agent workflow.

However, risking the leak of an env file is an extremely big deal.

How would you feel about us auto-banning .env* and a set of other sensitive files (.pem, etc) while we figure out a better solution?

I’m thinking a ternary setting

  • Block all .gitignore
  • Block sensitive files (default)
  • Allow everything
3 Likes

I love the magic. Composer “agent” mode is exciting. I just really don’t want new devs accidentally sending credentials to various third-party servers :sweat_smile: whether those servers store those creds or not (“Privacy mode”).

Such a setting sounds good!

  1. Where could this new setting live? Maybe a new section “Privacy & Security” (to which “Privacy mode” might move). Just having such a section might further highlight Cursor’s dedication to this aspect of the software.[1]
  2. Where would “sensitive files” be defined? I guess a webpage, because I assume neither help text nor tooltip would be adequate to list all entries.
  3. Is “recently viewed” defined anywhere? [Is it whatever VS Code’s logic is for recently opened?]

  1. “Privacy mode”, and the choice of it in onboarding, is what made me feel good about trying Cursor. ↩︎

3 Likes

We sometimes have files under a .secrets folder in our repositories.

We similarly would like to prevent any of those files from being looked at by Cursor AI.

We also have folders where we have the data of our users.

In addition to automatically not touching some common default set of files, we would like to also be able to ban particular folders that contain sensitive data.

1 Like

:thinking: .cursorignore Use Case & Caveat
One can commit .cursorignore to a repository, to manage that repository, which allows repository-level control like .gitignore could. Drawback: this is an IDE-specific config. It is preferable to commit config files that all IDEs can respect, i.e. a standard; but AI-IDE integration is probably not there yet.

Update: Google/Android has .aiexclude, and there is a small effort for GitHub to adopt that.

Update: (new topic) Proposal: `.aiexclude` an IDE-agnostic `.cursorignore`.

  1. Will Cursor (a VS Code fork) respect GitHub Copilot Content exclusion?
1 Like

hey! just wanted to share that we’re working on this. not ready yet, but getting there. will let you know!

4 Likes

don’t have that much progress to share yet unfortunately, but we’ll make sure to share once there is!

1 Like

My preference, for what it’s worth:

Neither Composer, nor Chat, Tab, nor any other Cursor service can read files in .cursorignore. It will not let you add these files to the chat context manually either. If a user wants cursor to read the file, they can remove it from .cursorignore.

In this way it would follow the same security principles that .gitignore exists to serve. i.e. the files are effectively invisible to the program and at no risk of being sent over a network, seen or stored by any other server.

That’s certainly how I had expected it to work.

I worry the problem may have now become user experience for those who wouldn’t expect that — if only because it hadn’t worked like that before, so Cursor seeks a backwards-compatible solution. :man_shrugging:

1 Like

.gitignore and .cursorignore need to be two different animals. It’s the user’s responsibility to understand that. Don’t dumb down the system for beginners and penalize experienced programmers in the process.

Cursor isn’t a baby sitting service, it’s a productivity tool for professionals.

3 Likes

The newest changelog mentions “team-configurable blocklists”
But there doesn’t seem to be any info about what that actually means.
I emailed Cursor and they said they’ll ask product and come back to me, and I posted a thread about it here

@ericzakariasson Do you have any info on this?

I agree, however the proposed .cursorban feature would do this and it might be nice to have the option to have both so that you can disable it entirely for some files/dirs/repos but you can just disable the automatic indexing with .cursorignore

It is mentioned here: Security | Cursor - The AI Code Editor

I’ve done it but the more the better so it’s worth sending an email to them saying you would appreciate the feature.

.cursorban capabilities (probably just under .cursorignore) will go out in 0.46 if nothing unexpected comes up!

3 Likes

@ericzakariasson 0.46 is out and changelog is here - Changelog - Feb 19, 2025 | Cursor - The AI Code Editor
Here’s what I see:

  • Ignore files: .cursorignore now blocks files from being added in chat or sent up for tab completions, in addition to ignoring them from indexing. We’ve introduced .cursorindexingignore for specifically controlling file indexing.

Given the language at Security | Cursor - The AI Code Editor, I’m not sure I understand the new intended state of how to manage secrets:

Files and subdirectories specified by ‘.gitignore’ or ‘.cursorignore’ are ignored. …

  • While a ‘.cursorignore’ file can prevent files from being indexed, those files may still be included in AI requests, such as if you recently viewed a file and then ask a question in the chat. We are considering adding a ‘.cursorban’ file to address the use case of wanting to block files from being sent up in any request — please make a forum post or reach out at hi@cursor.com if this is a feature that would be interesting to you.

In my opinion, Cursor strongly needs 1.) a Docs page in the header for quick access, and 2.) a dedicated “Secrets Management” docs page that specifically mention the use cases for when one needs to use .gitignore vs .cursorignore vs .cursorindexingignore vs .cursorban, and how best to keep secrets out of cursor.

While it’s nice that docs search is endowed with RAG over the docs, it needs to be endowed with the ability to cite references or, preferably, to switch to a classical search mode so we can get citable links to “see the proof.” I asked this question, and all I got was an answer (which looks to be accurate as of 0.46 - great!), but without any citable links to the documentation, which is what I really wanted, so I can link in my team’s documentation on how to use Cursor safely:

@ericzakariasson will you please impress upon the cursor documentation team how critical it is to enterprises and business teams to dispel any possible ambiguity about how secrets can be kept out of cursor.

UPDATE - I see that there’s a Cursor – Ignore Files docs page. I think I understand now, so .cursorindexingignore automatically inherits .gitignore, but .cursorignore doesn’t? That could be clearer. Under Cursor – Ignore Files I see that the files ignored by default include .env, but I definitely saw one instance of the agent looking inside my .env file this weekend on 0.46, even though .env was explicitly specified in .gitignore… which was a PITA since I then had to rotate my secrets (thank goodness I was using API keys scoped to the project). So I take it that the “files ignored by default” actually just should be called “files ignored from indexing by default”?
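The situation the post above describes (a file listed in .gitignore that the agent can still read, because only .cursorignore blocks chat, tab and indexing as of 0.46) is easy to audit mechanically. The script below is an added example and is not code from Cursor or from anyone in this thread. It implements a deliberately simplified subset of gitignore pattern syntax (no `!` negation, no `**`), uses a constructed list of names a practitioner would treat as sensitive rather than Cursor’s documented default list, and runs over a constructed sample repository. It reports sensitive files that are git-ignored but not cursor-ignored (the surprising case), sensitive files ignored by neither (committed and visible), and files covered by both.

```python
"""Audit which sensitive files a repo hides from git but not from Cursor.

Added example, not Cursor's code.  Models the 0.46 behaviour described in
the thread: a .cursorignore match blocks chat/tab/indexing; a .gitignore
match on its own does not keep a file out of AI requests.  The matcher is a
simplified subset of gitignore syntax (no '!' negation, no '**'; '*' also
matches '/' in anchored patterns).  The sensitive-name list, the sample
ignore files and the sample file tree are all constructed for illustration.
"""
from fnmatch import fnmatchcase
from typing import Dict, Iterable, List

# Constructed list; Cursor's own default ignore list is documented on its
# "Ignore Files" page and is NOT reproduced here.
SENSITIVE_PATTERNS = [".env", ".env.*", "*.pem", "*.key", "*.p12", ".secrets/", "id_rsa"]


def parse_ignore_file(text: str) -> List[str]:
    """Return the non-empty, non-comment pattern lines of an ignore file."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.strip().startswith("#")]


def matches(pattern: str, path: str) -> bool:
    """Simplified gitignore match of one pattern against a repo-relative file path.

    Rules modelled: a trailing '/' means the pattern names a directory and
    ignores everything under it; a leading '/' (or an inner '/') anchors the
    pattern to the repo root; a pattern without '/' matches any single path
    component, and matching a directory component ignores the whole subtree.
    """
    dir_only = pattern.endswith("/")
    pat = pattern.rstrip("/")
    anchored = pat.startswith("/") or "/" in pat
    pat = pat.lstrip("/")
    parts = path.split("/")
    # Directory-only patterns may match any proper ancestor of the file,
    # never the file itself; other patterns may match the file too.
    last = len(parts) - 1 if dir_only else len(parts)
    for i in range(1, last + 1):
        candidate = "/".join(parts[:i]) if anchored else parts[i - 1]
        if fnmatchcase(candidate, pat):
            return True
    return False


def audit(paths: Iterable[str], gitignore_text: str, cursorignore_text: str,
          sensitive: Iterable[str] = SENSITIVE_PATTERNS) -> Dict[str, List[str]]:
    """Classify every sensitive-looking path by which ignore file covers it.

    git_only  : git-ignored but NOT cursor-ignored -> still readable by Cursor
    unignored : in neither file -> committed to git AND readable by Cursor
    protected : cursor-ignored (whatever git does) -> blocked from chat/tab/index
    """
    git_pats = parse_ignore_file(gitignore_text)
    cursor_pats = parse_ignore_file(cursorignore_text)
    report: Dict[str, List[str]] = {"git_only": [], "unignored": [], "protected": []}
    for p in paths:
        if not any(matches(s, p) for s in sensitive):
            continue  # not a secret-looking file; generated code etc. stays usable
        in_git = any(matches(g, p) for g in git_pats)
        in_cursor = any(matches(c, p) for c in cursor_pats)
        if in_cursor:
            report["protected"].append(p)
        elif in_git:
            report["git_only"].append(p)
        else:
            report["unignored"].append(p)
    return {k: sorted(v) for k, v in report.items()}


# --- constructed sample repository -------------------------------------
SAMPLE_FILES = [
    "src/app.py",
    ".env",
    ".env.local",
    "config/.env.production",
    "certs/server.pem",
    ".secrets/db-password.txt",
    "deploy/id_rsa",
    "generated/api_pb.ts",
]
SAMPLE_GITIGNORE = """
# constructed .gitignore
.env
.env.*
*.pem
.secrets/
generated/
"""
SAMPLE_CURSORIGNORE = """
# constructed .cursorignore: covers env files only, certs and .secrets forgotten
.env*
"""

if __name__ == "__main__":
    for bucket, files in audit(SAMPLE_FILES, SAMPLE_GITIGNORE, SAMPLE_CURSORIGNORE).items():
        print(f"{bucket:10s} {files}")
```

Run against a real checkout, feed `audit()` the output of `git ls-files --cached --others` plus the two ignore files; anything in `git_only` is exactly the case reported above (in .gitignore, so never committed, yet still readable by the agent), and `generated/api_pb.ts` is deliberately left alone because it is git-ignored but not secret, which is the trade-off the Cursor reply earlier in the thread raises.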

I’ve tested version 0.46.x. (Great improvements!)

At least together, the .cursorignore and .cursorindexingignore work as I expect.


I don’t see .cursor(…)ignore inherit from .gitignore

— or I don’t understand how it works.

My concerns have a solution[1]. My original questions have answers.

Thank you @msfeldstein, @ericzakariasson, and Cursor.


  1. Can .gitignore-ed files “still be included in AI requests, such as if you recently viewed a file and then ask a question in the chat”?
     :white_check_mark: :warning: Yes, unless you use .cursor(…)ignore.
  2. Is the new “Agent” Composer feature designed to respect .gitignore?
     :white_check_mark: :warning: Yes, but read the docs and test.
  3. What security gotchas does “Agent” Composer introduce?
     :slightly_smiling_face: Those we’ve reported, which can be mitigated via .cursor…ignore files.
  4. What files are considered by Cursor as “recently viewed files” and for how long?
     :x: Unclear. Use .cursor(…)ignore to control Cursor access.
  5. Can a warning occur before use of a “recently used file” if it is .gitignore-d or .cursorignore-d?
     :white_check_mark: It could, but to resolve the security concern behind this question, .cursor(…)ignore should be used to prevent access to such files.

  1. version 0.46.x ↩︎

1 Like

What happens to content in editor tabs that weren’t saved to a file yet ? Dev often open an editor to temporarily paste a password or other secret information. Is there a way for me to have Cursor ignore these as well ?

1 Like

Good question. Easy to test. Ask the chat whether it can access, or ask it to do something with the content.

I tested with Editor and Agent; both said they did not have access to the content (not shown) of my unsaved (see the black dot next to the filename) scratch file.