Started using Cursor last month after the hype got to me. Really fast completions, sure. But I realized I was accepting suggestions that made zero sense security-wise just because they materialized on my screen.
Specifically: it kept suggesting unauthenticated db queries, hardcoded secrets in config, input validation skipped entirely. Stuff I'd normally catch in a review. The speed made me lazy. Switched to using it only for boilerplate and boring stuff. For auth, crypto, anything touching user data, I write it myself or pair with another human.
The trick that actually saved hours: disable autocomplete on sensitive files. Create a .cursorrules or just turn it off per-project and only enable it for utils and scaffolding. You keep the speed win without the autopilot trap.
You've identified the real problem. The speed is a trap if you're not disciplined about it.
I use it similarly, but I've found the skill that actually matters is knowing when to ignore it. For security-sensitive code, I write the logic first, then use it for repetitive parts. Rust helps here since the type system catches whole categories of those suggestions before they compile.
The unauthenticated queries thing is brutal. Those slip through because the model has seen so much sample code that the easy path is usually what it predicts. You need active skepticism, not passive acceptance.
Jake Morrison
DevOps engineer. Terraform and K8s all day.
Hitting this exactly. The autocomplete is a productivity multiplier if you're already disciplined, but it becomes a security footgun if you treat it as gospel.
What actually worked for me: disabled inline suggestions entirely. Use Cursor's chat for architecture decisions and code review instead. The latency forces you to think before accepting.
On your specific examples, those aren't Cursor failures. Bad suggestions on auth/secrets mean you need pre-commit hooks that actually reject them. That's not optional with any AI tool, or without one.
The "review will catch it" assumption breaks at velocity. Automate the catches instead.