Can .gitignore-ed files “still be included in AI requests, such as if you recently viewed a file and then ask a question in the chat”? (I can add a .gitignore-d file I view, or have recently viewed, to context.)
Is the new “Agent” Composer feature designed to respect .gitignore? I believe it does not respect it. (If chosen, “Agent” Composer can implicitly access an entire project as context. When asked whether it can access a .gitignore-d directory, it answered yes, and listed the files in that directory. When asked whether it could read the contents of those files, it answered yes and showed the contents of one file and one child directory file. See attached screenshots.)
Can a warning occur before use of a “recently used file” if it is .gitignore-d or .cursorignore-d?
My goal is to avoid sensitive data being accidentally transmitted to Cursor (e.g. if Privacy mode is off).
I feel the .cursorban the Cursor team is considering would be a band-aid. Instead, I propose access to .gitignore-d or .cursorignore-d files be strictly respected. Implementing UI to explicitly override inaccessibility of those files could be acceptable. Allowing “recently viewed” files seems vague and implicit.
I definitely hear this… the counter-argument is that it does harm performance by restricting access to auto-generated code files (like TS headers generated from protobuf) which are really useful for getting things right. It takes a lot of the magic out of it. Additionally, in the case of the agent, setting up and modifying an .env file is a pretty standard agent workflow.
However, risking the leak of an env file is an extremely big deal.
How would you feel about us auto-banning .env* and a set of other sensitive files (.pem, etc) while we figure out a better solution?
I love the magic. Composer “agent” mode is exciting. I just really don’t want new devs accidentally sending credentials to various third-party servers whether those servers store those creds or not (“Privacy mode”).
Such a setting sounds good!
Where could this new setting live? Maybe a new section “Privacy & Security” (to which “Privacy mode” might move). Just having such a section might further highlight Cursor’s dedication to this aspect of the software.[1]
Where would “sensitive files” be defined? I guess a webpage, because I assume neither help text nor tooltip would be adequate to list all entries.
Is “recently viewed” defined anywhere? [Is it whatever VS Code’s logic is for recently opened?]
[1] “Privacy mode”, and the choice of it in onboarding, is what made me feel good about trying Cursor.
We sometimes have files under a .secrets folder in our repositories.
We similarly would like to prevent any of those files from being looked at by Cursor AI.
We also have folders where we have the data of our users.
In addition to automatically not touching some common default set of files, we would like to also be able to ban particular folders that contain sensitive data.
.cursorignore Use Case & Caveat
One can commit .cursorignore to a repository, to manage that repository, which allows repository-level control like .gitignore could. Drawback: this is an IDE-specific config. It is preferable to commit config files that all IDEs can respect, i.e. a standard; but AI-IDE–integration is probably not there yet.
Neither Composer, nor Chat, Tab, nor any other Cursor service can read files in .cursorignore. It will not let you add these files to the chat context manually either. If a user wants Cursor to read the file, they can remove it from .cursorignore.
In this way it would follow the same security principles that .gitignore exists to serve. i.e. the files are effectively invisible to the program and at no risk of being sent over a network, seen or stored by any other server.
I worry the problem may have now become user experience for those who wouldn’t expect that — if only because it hadn’t worked like that before, so Cursor seeks a backwards-compatible solution.
.gitignore and .cursorignore need to be two different animals. It’s the user’s responsibility to understand that. Don’t dumb down the system for beginners and penalize experienced programmers in the process.
Cursor isn’t a babysitting service, it’s a productivity tool for professionals.
The newest changelog mentions “team-configurable blocklists”
But there doesn’t seem to be any info about what that actually means.
I emailed Cursor and they said they’ll ask product and come back to me, and I posted a thread about it here.
I agree, however the proposed .cursorban feature would do this and it might be nice to have the option to have both so that you can disable it entirely for some files/dirs/repos but you can just disable the automatic indexing with .cursorignore
Ignore files: .cursorignore now blocks files from being added in chat or sent up for tab completions, in addition to ignoring them from indexing. We’ve introduced .cursorindexingignore for specifically controlling file indexing.
Files and subdirectories specified by ‘.gitignore’ or ‘.cursorignore’ are ignored. …
While a ‘.cursorignore’ file can prevent files from being indexed, those files may still be included in AI requests, such as if you recently viewed a file and then ask a question in the chat. We are considering adding a ‘.cursorban’ file to address the use case of wanting to block files from being sent up in any request — please make a forum post or reach out at hi@cursor.com if this is a feature that would be interesting to you.
In my opinion, Cursor strongly needs 1.) a Docs page in the header for quick access, and 2.) a dedicated “Secrets Management” docs page that specifically mentions the use cases for when one needs to use .gitignore vs .cursorignore vs .cursorindexingignore vs .cursorban, and how best to keep secrets out of Cursor.
While it’s nice that docs search is endowed with RAG over the docs, it needs to be endowed with the ability to cite references or, preferably, to switch to a classical search mode so we can get citable links to “see the proof.” I asked this question, and all I got was an answer (which looks to be accurate as of 0.46 - great!), but without any citable links to the documentation, which is what I really wanted, so I can link in my team’s documentation on how to use Cursor safely:
@ericzakariasson will you please impress upon the Cursor documentation team how critical it is to enterprises and business teams to dispel any possible ambiguity about how secrets can be kept out of Cursor.
UPDATE - I see that there’s a Cursor – Ignore Files docs page. I think I understand now, so .cursorindexingignore automatically inherits .gitignore, but .cursorignore doesn’t? That could be clearer. Under Cursor – Ignore Files I see that the files ignored by default include .env, but I definitely saw one instance of the agent looking inside my .env file this weekend on 0.46, even though .env was explicitly specified in .gitignore… which was a PITA since I then had to rotate my secrets (thank goodness I was using API keys scoped to the project). So I take it that the “files ignored by default” actually just should be called “files ignored from indexing by default”?
What happens to content in editor tabs that weren’t saved to a file yet? Devs often open an editor to temporarily paste a password or other secret information. Is there a way for me to have Cursor ignore these as well?
Good question. Easy to test. Ask the chat whether it can access, or ask it to do something with the content.
I tested with Editor and Agent, both said they did not have access to the content (not shown) of my unsaved (see black dot next to filename) scratch file.