Must have Cursor rules for TypeScript developers
A comprehensive list of cursor rules that every typescript developer should include
Introduction
"Vibe coding" is how modern developers move fast—writing code with flow, backed by smart AI tools like Cursor. But with great speed comes great responsibility. If you're not careful, AI-generated code can introduce security risks or violate team standards.
That's where Cursor Rules shine. They're markdown-based instructions you give to the AI to guide how it writes code—based on your security policies, coding patterns, and architectural decisions.
This article outlines 10 essential rules every developer should add to Cursor for safer, cleaner, and more consistent AI-assisted coding.
What Are Cursor Rules?
Cursor Rules are markdown files stored in the .cursor/rules directory. These act like AI-facing documentation—telling the AI how to behave in your codebase. You can read more about this here.
There are four types of rules:
- Always: Always applied to AI prompts.
- Auto Attached: Automatically included when related files are in context.
- Agent Requested: AI can decide to include based on need.
- Manual: Included only when you explicitly attach it.
How to create a rule?
You can create a rule by using the New Cursor Rule command or going to Cursor Settings > Rules. This will create a new rule file in the .cursor/rules directory. From settings you can also see a list of all rules and their status.
1. No Eval or Function Constructor
Prevent use of eval() and new Function(), which can lead to remote code execution. Read more about this vulnerability here.
Rule Configuration
---
description: Prevent usage of eval() and Function constructor
globs:
- "**/*.ts"
- "**/*.js"
alwaysApply: false
---
- Never use `eval()` or `new Function()` — they enable arbitrary code execution
- Use safe alternatives like JSON parsing or static methods
@no-eval.ts
Rule Implementation
import { Rule } from "cursor-rules";
export default new Rule({
name: "no-eval",
description: "Disallow use of eval and Function constructor",
match: /\b(eval|Function)\s*\(/g,
message: "Avoid using eval() or new Function() — they are security risks.",
severity: "error",
});
2. No Disabled Linter or Security Comments
Block eslint-disable or similar comments that suppress important warnings.
Rule Configuration
---
description: Detect bypassing security/linter rules with comments
globs:
- "**/*.ts"
- "**/*.js"
alwaysApply: false
---
- Avoid disabling security rules with comments like `eslint-disable`, `ts-ignore`, etc.
- If necessary, document why the bypass is justified and reviewed
@no-linter-disable.ts
Rule Implementation
import { Rule } from "cursor-rules";
export default new Rule({
name: "no-linter-disable",
description: "Warn against bypassing security or linter rules",
match: /\/\/\s*(eslint-disable|ts-ignore|@ts-ignore|nosec)/g,
message: "Avoid disabling linter or security rules unless absolutely necessary and documented.",
severity: "warning",
});
3. No Secrets in Console Logs
Ensure secrets or tokens aren’t accidentally printed in console.log statements.
Rule Configuration
---
description: Prevent leaking secrets via console logs
globs:
- "**/*.ts"
- "**/*.js"
alwaysApply: false
---
- Never log secrets, tokens, passwords or auth headers
- Mask or omit sensitive information before logging
@no-secret-logs.ts
Rule Implementation
import { Rule } from "cursor-rules";
export default new Rule({
name: "no-secret-logs",
description: "Prevent logging sensitive data",
match: /console\.(log|warn|error|debug)\((.*password|token|secret|authorization).*?\)/gi,
message: "Avoid logging sensitive data like tokens or passwords.",
severity: "error",
});
4. Missing Authentication on API Routes
Detect routes missing required auth middleware like requireAuth.
Rule Configuration
---
description: Detect routes without authentication middleware
globs:
- "src/routes/**/*.ts"
alwaysApply: false
---
- All protected routes must include auth middleware (e.g., `requireAuth`)
- Add exceptions only for explicitly public endpoints
@missing-auth.ts
Rule Implementation
import { Rule } from "cursor-rules";
export default new Rule({
name: "missing-auth",
description: "Detect routes without authentication middleware",
match: /router\.(get|post|put|delete)\(['\"`][^'\"`]+['\"`],\s*(?!requireAuth)/g,
message: "API route missing authentication middleware like `requireAuth`.",
severity: "error",
});
5. No Hardcoded Credentials
Catch embedded API keys, tokens, or passwords in the source code.
Rule Configuration
---
description: Detect hardcoded credentials like API keys, tokens, and secrets
globs:
- "**/*.ts"
- "**/*.js"
- "**/*.env"
alwaysApply: false
---
- Never commit hardcoded API keys, secrets, or tokens in your code
- Use environment variables or a secrets manager like AWS Secrets Manager or Vault
- Common patterns include `AKIA...`, `sk_live_...`, `ghp_...`, and JWT-like tokens
@hardcoded-secrets.ts
Rule Implementation
import { Rule } from "cursor-rules";
export default new Rule({
name: "detect-hardcoded-credentials",
description: "Detects hardcoded API keys, tokens, and secrets",
match: /['"]?(AKIA[0-9A-Z]{16}|sk_live_[a-zA-Z0-9]{24,}|ghp_[a-zA-Z0-9]{36,}|eyJ[A-Za-z0-9-_]+\.[A-Za-z0-9-_]+\.[A-Za-z0-9-_]+)['"]?/g,
message: "Hardcoded credential detected. Move this to an environment variable or a secure secrets manager.",
severity: "error",
});
6. No Insecure HTTP URLs
Flag non-HTTPS endpoints that could expose data to man-in-the-middle attacks.
Rule Configuration
---
description: Detect insecure HTTP URLs in code
globs:
- "**/*.ts"
- "**/*.js"
- "**/*.env"
alwaysApply: false
---
- Never use `http://` URLs in production — they expose data to man-in-the-middle attacks
- Use `https://` for all API calls and external services
- Exceptions should be explicitly reviewed
@no-insecure-urls.ts
Rule Implementation
import { Rule } from "cursor-rules";
export default new Rule({
name: "no-insecure-urls",
description: "Disallow use of insecure http:// URLs",
match: /http:\/\/[^\s'\"]+/g,
message: "Avoid using insecure HTTP URLs. Use HTTPS instead.",
severity: "warning",
});
7. No Wildcard CORS
Disallow Access-Control-Allow-Origin: * which opens APIs to abuse. Read more about this here
Rule Configuration
---
description: Block use of wildcard CORS (`*`)
globs:
- "**/*.ts"
- "**/*.js"
- "**/*.env"
alwaysApply: false
---
- Using `*` in CORS config allows any origin to access your API
- Always restrict allowed origins to known domains in production
@no-wildcard-cors.ts
Rule Implementation
import { Rule } from "cursor-rules";
export default new Rule({
name: "no-wildcard-cors",
description: "Disallow wildcard CORS (*) usage",
match: /['"]\*['"]\s*(,|\)|})/g,
message: "Wildcard CORS detected. Avoid using '*' in Access-Control-Allow-Origin.",
severity: "error",
});
8. No Default Exports for Secrets
Prevent exporting secret values as defaults from config or env files.
Rule Configuration
---
description: Prevent default-exporting secret values
globs:
- "**/*.ts"
- "**/*.js"
alwaysApply: false
---
- Secrets or tokens should never be exported from files directly
- Use secure config loaders like dotenv, or Vault clients
@no-default-export-secret.ts
Rule Implementation
import { Rule } from "cursor-rules";
export default new Rule({
name: "no-default-export-secret",
description: "Detect default exports of credentials or secrets",
match: /export\s+default\s+['"].*(secret|token|key)['"]/i,
message: "Avoid exporting secrets or tokens directly from modules.",
severity: "error",
});
9. No Hardcoded JWT Secrets
Detect inline JWT secret keys that should be securely stored in environment variables.
Rule Configuration
---
description: Detect hardcoded JWT secrets
globs:
- "**/*.ts"
- "**/*.js"
alwaysApply: false
---
- JWT secrets must be loaded from secure environment variables
- Avoid leaking them in source code — it invalidates all tokens
@no-hardcoded-jwt-secret.ts
Rule Implementation
import { Rule } from "cursor-rules";
export default new Rule({
name: "no-hardcoded-jwt-secret",
description: "Prevent hardcoded JWT secret values",
match: /secret\s*:\s*['"][a-zA-Z0-9-_]{16,}['"]/g,
message: "Hardcoded JWT secret detected. Use an env variable instead.",
severity: "error",
});
10. No Open Redirects
Catch res.redirect(req.query.url) patterns that can lead to phishing via open redirects.
Rule Configuration
---
description: Prevent open redirect vulnerabilities
globs:
- "**/*.ts"
- "**/*.js"
alwaysApply: false
---
- Avoid redirecting to user-controlled URLs (`res.redirect(req.query.url)`)
- Always validate or whitelist redirect destinations
@no-open-redirects.ts
Rule Implementation
import { Rule } from "cursor-rules";
export default new Rule({
name: "no-open-redirects",
description: "Detect open redirect vulnerabilities",
match: /res\.redirect\((req\.query\.url|req\.body\.redirect_to)\)/g,
message: "Potential open redirect detected. Sanitize or validate redirect URLs.",
severity: "error",
});
On This Page
- Introduction
- What Are Cursor Rules?
- How to create a rule?
- 1. No Eval or Function Constructor
- 2. No Disabled Linter or Security Comments
- 3. No Secrets in Console Logs
- 4. Missing Authentication on API Routes
- 5. No Hardcoded Credentials
- 6. No Insecure HTTP URLs
- 7. No Wildcard CORS
- 8. No Default Exports for Secrets
- 9. No Hardcoded JWT Secrets
- 10. No Open Redirects