Security
How Cursorist protects your data and the platform infrastructure.
Security is a core design principle of Cursorist. This page describes the measures in place to protect your data and the platform.
Authentication
- GitHub OAuth only — No passwords are stored. Authentication is delegated entirely to GitHub via Supabase Auth.
- Session management — Sessions are managed by Supabase using secure, HTTP-only cookies.
- API keys — Keys are stored as SHA-256 hashes. The raw key is shown once at generation time and never stored.
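The key lifecycle described above, as an added illustration written for this page in Postgres with pgcrypto (this is not Cursorist's schema or code; the `api_keys` table, its columns, the `csk_` prefix, the function names and the Supabase roles `authenticated`, `anon` and `service_role` are assumptions). The raw key exists only in the return value of `create_api_key`; the table holds its SHA-256 digest, and resolving a presented key hashes it and matches on that digest.

```sql
create extension if not exists pgcrypto;  -- provides digest() and gen_random_bytes()

create table api_keys (
  id          bigint generated always as identity primary key,
  user_id     uuid not null references auth.users (id) on delete cascade,
  key_hash    text not null unique check (key_hash ~ '^[0-9a-f]{64}$'),  -- hex SHA-256, never the key
  key_prefix  text not null,            -- e.g. 'csk_1a2b', enough for the Settings UI to label it
  created_at  timestamptz not null default now(),
  last_used   timestamptz,
  revoked_at  timestamptz
);
alter table api_keys enable row level security;

-- Clients may list and revoke their own keys but never write a hash themselves:
-- inserts go through create_api_key(), and update is limited to revoked_at.
revoke insert, update on api_keys from authenticated, anon;
grant  update (revoked_at) on api_keys to authenticated;
create policy "api_keys: owner only" on api_keys
  for all to authenticated
  using ((select auth.uid()) = user_id)
  with check ((select auth.uid()) = user_id);

-- Mint a key for the calling user. The raw key is returned once; only its digest
-- and a display prefix are written to the table.
create or replace function create_api_key()
returns text
language plpgsql
security definer
set search_path = public, extensions
as $$
declare
  v_raw text := 'csk_' || encode(gen_random_bytes(32), 'hex');  -- 256 bits of entropy
begin
  if auth.uid() is null then
    raise exception 'not authenticated';
  end if;
  insert into api_keys (user_id, key_hash, key_prefix)
  values (auth.uid(), encode(digest(v_raw, 'sha256'), 'hex'), left(v_raw, 8));
  return v_raw;
end;
$$;

-- Resolve a presented key to its owner, or null if unknown or revoked.
-- A plain SHA-256 (rather than bcrypt/argon2) is the right choice here: the key
-- is 256 random bits, so offline guessing is infeasible, and a fast digest can be
-- indexed for a direct lookup. A slow password hash would add latency, not security.
create or replace function resolve_api_key(p_raw_key text)
returns uuid
language plpgsql
security definer
set search_path = public, extensions
as $$
declare
  v_user uuid;
begin
  update api_keys
     set last_used = now()
   where key_hash = encode(digest(p_raw_key, 'sha256'), 'hex')
     and revoked_at is null
  returning user_id into v_user;
  return v_user;
end;
$$;

-- Users mint their own keys; only the server-side service role may resolve them.
revoke execute on function create_api_key() from public, anon;
grant  execute on function create_api_key() to authenticated;
revoke execute on function resolve_api_key(text) from public, anon, authenticated;
grant  execute on function resolve_api_key(text) to service_role;
```

A leaked dump of `api_keys` therefore yields only digests of high-entropy keys, which cannot be reversed or brute-forced; the `check` constraint also guarantees that no code path can ever write a raw key into `key_hash` by mistake.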
Database Security
Row Level Security (RLS)
Every table in the database has RLS enabled. Access rules enforce:
- Users can only read their own private data (installs, favorites, API keys).
- Organization and team data is scoped to members.
- Published plugins are publicly readable; unpublished plugins are restricted to team members.
- Only authors can modify their own plugins and versions.
- Only platform admins can manage site configuration and notifications.
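An added illustration of how rules like the ones above map onto Postgres row-level security on Supabase (this is not Cursorist's actual schema or policy set; the tables, columns and the `is_team_member` helper are assumptions). `auth.uid()` is the calling user's id, `anon` and `authenticated` are the roles browser clients get, and once RLS is enabled a table with no matching policy returns no rows at all.

```sql
-- Private per-user data: a user reads, adds and removes only their own rows.
create table installs (
  id         bigint generated always as identity primary key,
  user_id    uuid not null references auth.users (id) on delete cascade,
  plugin_id  bigint not null
);
alter table installs enable row level security;

create policy "installs: own rows" on installs
  for all to authenticated
  using ((select auth.uid()) = user_id)        -- which existing rows are visible/affected
  with check ((select auth.uid()) = user_id);  -- what inserted/updated rows may contain

-- Team membership, consulted by other tables' policies. security definer lets the
-- check run regardless of what team_members' own policies show the caller.
create table team_members (
  team_id  uuid not null,
  user_id  uuid not null references auth.users (id) on delete cascade,
  primary key (team_id, user_id)
);
alter table team_members enable row level security;
create policy "team_members: see own memberships" on team_members
  for select to authenticated
  using ((select auth.uid()) = user_id);

create or replace function is_team_member(p_team_id uuid)
returns boolean
language sql
stable
security definer
set search_path = public
as $$
  select exists (
    select 1 from team_members
    where team_id = p_team_id and user_id = (select auth.uid())
  );
$$;

-- Plugins: published rows are public, drafts are team-only, edits are author-only.
create table plugins (
  id         bigint generated always as identity primary key,
  author_id  uuid not null references auth.users (id),
  team_id    uuid,
  published  boolean not null default false
);
alter table plugins enable row level security;

create policy "plugins: anyone reads published" on plugins
  for select to anon, authenticated
  using (published);

create policy "plugins: team reads drafts" on plugins
  for select to authenticated
  using (not published and is_team_member(team_id));

create policy "plugins: author inserts" on plugins
  for insert to authenticated
  with check ((select auth.uid()) = author_id);

create policy "plugins: author updates" on plugins
  for update to authenticated
  using ((select auth.uid()) = author_id)
  with check ((select auth.uid()) = author_id);  -- an author cannot hand the row to someone else

create policy "plugins: author deletes" on plugins
  for delete to authenticated
  using ((select auth.uid()) = author_id);

-- Check for the "every table has RLS enabled" claim: this should return no rows.
select schemaname, tablename
from pg_tables
where schemaname = 'public' and not rowsecurity;
```

Two caveats a practitioner will want: select policies on the same table are combined with OR, so the public and team-draft rules above coexist without conflict; and the Supabase `service_role` key bypasses RLS entirely, so these policies only protect what the `anon` and `authenticated` roles can reach, and that key must never ship to a browser or a plugin.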
Data Encryption
- In transit — All connections use TLS 1.2+.
- At rest — Supabase encrypts database storage at rest using AES-256.
Application Security
Input Validation
- All user input is validated server-side before database writes.
- SQL injection is prevented by Supabase's parameterized query API — raw SQL is never concatenated.
- XSS is mitigated by React's default output escaping and Content Security Policy headers.
Rate Limiting
- API endpoints are rate-limited to prevent abuse.
- GitHub API calls are throttled to stay within GitHub's per-token rate limits.
Deeplinks
- Cursor deeplinks embed content directly in the URL — no server-side fetch is triggered by Cursor.
- Users always see a confirmation dialog before any file is written to their project.
- Content is capped at approximately 8,000 characters to prevent oversized payloads.
Infrastructure
| Layer | Provider | Security Feature |
|---|---|---|
| Hosting | Vercel | Automatic HTTPS, DDoS protection, edge network |
| Database | Supabase (AWS) | RLS, encrypted storage, automated backups |
| Auth | Supabase Auth | OAuth 2.0, PKCE flow, secure session cookies |
| DNS | Vercel | DNSSEC support |
Plugin Security
- All plugins published to the OSS repository are reviewed by the platform admin before becoming publicly available.
- Plugin assets are stored with content hashes (SHA) for integrity verification.
- Version yanking allows rapid removal of compromised versions without deleting history.
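The integrity and yanking points above, as an added illustration in Postgres written for this page (not Cursorist's schema; the `plugin_versions` table, its columns, the trigger and the minimal `plugins` stand-in are assumptions). The content digest is pinned when a version is inserted, a trigger refuses to alter it or to delete the row, and retiring a version is an update that sets `yanked_at`, so history survives.

```sql
-- Minimal stand-in for a plugins table so this snippet runs on its own.
create table if not exists plugins (
  id         bigint generated always as identity primary key,
  author_id  uuid not null,
  published  boolean not null default false
);

create table plugin_versions (
  id              bigint generated always as identity primary key,
  plugin_id       bigint not null references plugins (id),
  version         text not null,
  asset_path      text not null,                                       -- object-storage key
  content_sha256  text not null check (content_sha256 ~ '^[0-9a-f]{64}$'),  -- digest of the asset bytes
  yanked_at       timestamptz,
  yank_reason     text,
  unique (plugin_id, version)
);
alter table plugin_versions enable row level security;

-- Published content is immutable: no deletes, no rewriting the artifact or its digest.
create or replace function plugin_versions_immutable()
returns trigger
language plpgsql
as $$
begin
  if tg_op = 'DELETE' then
    raise exception 'plugin versions are never deleted; yank them instead';
  end if;
  if new.content_sha256 <> old.content_sha256
     or new.asset_path <> old.asset_path
     or new.version <> old.version then
    raise exception 'published version content is immutable';
  end if;
  return new;
end;
$$;

create trigger trg_plugin_versions_immutable
  before update or delete on plugin_versions
  for each row execute function plugin_versions_immutable();

-- Clients may only ever touch the yank columns; the trigger above guards everything else.
revoke update on plugin_versions from authenticated, anon;
grant  update (yanked_at, yank_reason) on plugin_versions to authenticated;

-- Public readers see live versions of published plugins; authors see all, yanked included.
create policy "versions: public reads live" on plugin_versions
  for select to anon, authenticated
  using (
    yanked_at is null
    and exists (select 1 from plugins p where p.id = plugin_id and p.published)
  );

create policy "versions: author sees history" on plugin_versions
  for select to authenticated
  using (exists (select 1 from plugins p
                 where p.id = plugin_id and p.author_id = (select auth.uid())));

create policy "versions: author yanks" on plugin_versions
  for update to authenticated
  using (exists (select 1 from plugins p
                 where p.id = plugin_id and p.author_id = (select auth.uid())))
  with check (true);

-- Yanking a compromised version is an update, not a delete (constructed example):
-- update plugin_versions set yanked_at = now(), yank_reason = 'compromised asset' where id = 42;
```

The digest only has value if it is checked: a client installing a version should recompute SHA-256 over the bytes it actually downloaded and refuse to write anything when the result differs from `content_sha256`, since the hash in the database says what was published, not what was served.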
Vulnerability Reporting
If you discover a security vulnerability, please report it responsibly:
- Do not open a public GitHub issue.
- Email or contact us privately via the method listed in the repository's SECURITY.md file.
- We aim to acknowledge reports within 48 hours and resolve critical issues within 7 days.
Compliance
- The platform is designed with GDPR principles in mind: data minimization, purpose limitation, and user rights.
- Users can export and delete their data at any time via Settings.
- See our Privacy Policy and Data Use pages for full details.