Secrets and Credentials

If we are using this in a team setting, sometimes people will initially code using database credentials directly in code before moving them to a dotenv file.

With that said,

  1. Are these credentials then stored anywhere at all? If I ask for a code refactoring, etc. that involves the file, etc.

  2. If they aren’t in the file but in a dotenv file, are dotenv files safe?

In the above scenarios, are there ways to be protected fully?

Env files are usually already included in the .gitignore file, so Cursor will not index them. When they’re not in the index, they also won’t be used in your messages when you use codebase context. If you don’t have your env file in your .gitignore file, you should ignore your env file by going to the AI sidebar => More => Ignore Files (under Codebase Indexing).

If your private credentials are directly in your code, they will probably be indexed and stored for the codebase context feature. However, putting private credentials directly in your code is generally something you should never do.

Your env file could still be used as context in your prompt if you have it focused and send a chat message. But as long as you have “Privacy mode” enabled, your prompt won’t be stored.

So in short: You should always place your env file in a .gitignore (or explicitly ignore it in the codebase indexing settings), avoid putting private credentials directly in your code, and enable privacy mode (which is enabled by default).

I agree and know this. I’m on a team that has committed plaintext AWS credentials. I’d hate to just pull in a repo where I’m unaware of a file containing secrets and have that go anywhere we don’t own.

Most of our resources are VPN-gated.

I would say that I’ve developed with hard-coded strings before, but never commit it. Just need to know how to ensure nothing gets saved.
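
One way to check a freshly pulled repository before opening it in the editor, as an added example that is not part of the original thread: the script lists dotenv files and lines that look like hard-coded credentials, so those paths can go into the ignore settings described in the answer above until the secrets are removed and rotated. The function names, the regex heuristics and the sample files are assumptions made for illustration; the key ID in the sample is the placeholder from AWS documentation.

```python
import re
import tempfile
from pathlib import Path
# AWS access key IDs: AKIA (long-term) or ASIA (temporary) plus 16 characters.
AWS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
# Heuristic (assumption): a secret-looking name assigned a quoted literal.
ASSIGNED_SECRET = re.compile(
    r"(?i)\b[\w.-]*(?:password|passwd|secret|token|api_?key)[\w.-]*"
    r"\s*[:=]\s*['\"][^'\"\s]{8,}['\"]")
SKIP_DIRS = {".git", "node_modules", ".venv", "__pycache__"}

def is_dotenv(path):
    return path.name == ".env" or path.name.startswith(".env.") or path.suffix == ".env"

def scan_repo(root):
    """Return sorted (relative_path, line_no, reason); secret values are never echoed."""
    root, findings = Path(root), []
    for path in root.rglob("*"):
        rel = path.relative_to(root)
        if not path.is_file() or SKIP_DIRS & set(rel.parts):
            continue
        if is_dotenv(path):  # flag the whole file, do not read it
            findings.append((rel.as_posix(), 0, "dotenv file"))
            continue
        text = path.read_text(encoding="utf-8", errors="ignore")
        for no, line in enumerate(text.splitlines(), 1):
            if AWS_KEY_ID.search(line):
                findings.append((rel.as_posix(), no, "AWS access key ID"))
            elif ASSIGNED_SECRET.search(line):
                findings.append((rel.as_posix(), no, "hard-coded secret literal"))
    return sorted(findings)

def ignore_entries(findings):
    return sorted({path for path, _, _ in findings})  # paths to exclude from indexing

def demo():
    """Scan a constructed sample checkout (all values below are made up)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app").mkdir()
        (root / ".env").write_text("DB_PASSWORD=constructed-value\n")
        (root / "app" / "settings.py").write_text(
            'import os\n'
            'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"  # AWS docs placeholder\n'
            'db_password = "constructed-pass-123"\n'
            'token = os.environ["API_TOKEN"]  # read from env: not flagged\n')
        return scan_repo(root)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Run `scan_repo()` on the checkout from a plain terminal before the editor indexes it; a clean result only means these heuristics found nothing, not that the repository holds no secrets.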