Code Smart, Code Safe: Securing AI Suggestions in Modern IDEs


In this article, we'll learn how to code securely with AI-assisted IDE tools like GitHub Copilot, Windsurf, and Cursor. These tools can suggest code while keeping it safe. Each one lets you set rules in its own way: Copilot uses a .github/copilot-instructions.md
file, Windsurf needs .windsurfrules
and scratchpad.md
, and Cursor uses a .cursorrules
file. I'll show you how to set these up, share some important rules I use, and give you tips to keep coding securely without losing your flow.
Why Security Matters (Even When You’re Vibing)
Vibe coding is all about that creative flow—think hackathons, passion projects, or just messing around with a new idea. But when you’re moving fast, it’s easy to skip stuff like sanitizing inputs
or securing your database queries
. Next thing you know, your app’s got loopholes big enough for a hacker to drive through. AI tools can help by automatically applying security rules, so you don’t have to break your stride to think about it.
Here’s the deal: Copilot, Windsurf, and Cursor let you set custom instructions to guide their suggestions. Copilot uses a Markdown file to lay down the law, Windsurf splits it between rules and a scratchpad for notes, and Cursor keeps it simple with one YAML file. Let’s break down how to set them up and make sure your code stays safe.
How It Works?
Here’s a simple flowchart showing how I set up secure vibe coding with GitHub Copilot (it’s pretty similar for Windsurf and Cursor, just with different files):
graph LR
A[Start Coding] --> B[Create .github/copilot-instruction.md]
B --> C[Add Security Rules - General e.g. Sanitize Inputs - Language-Specific e.g. DOMPurify]
C --> D[Save File in Repository]
D --> E[Open IDE with Copilot - VS Code Visual Studio GitHub Web]
E --> F[Write Code or Ask Copilot a Question]
F --> G[Copilot Applies Instructions - Generates Secure Code Suggestions]
G --> H[Check References in Response]
H --> I[Includes copilot-instructions.md] & J[Secure Code Generated e.g. Parameterized Queries]
H --> J[Missing Instructions] & K[Refine Instructions - Clarify Rules - Disable Conflicting Settings]
J --> E
I --> K[Continue Vibe Coding with Secure Suggestions]
%% Styling with high-contrast colors
style A fill:#FFD700,stroke:#333,stroke-width:2px,color:#000000
style B fill:#FF6347,stroke:#333,stroke-width:2px,color:#FFFFFF
style C fill:#00CED1,stroke:#333,stroke-width:2px,color:#000000
style D fill:#98FB98,stroke:#333,stroke-width:2px,color:#000000
style E fill:#FFA500,stroke:#333,stroke-width:2px,color:#000000
style F fill:#FF69B4,stroke:#333,stroke-width:2px,color:#000000
style G fill:#4682B4,stroke:#333,stroke-width:2px,color:#FFFFFF
style H fill:#1E90FF,stroke:#333,stroke-width:2px,color:#FFFFFF
style I fill:#32CD32,stroke:#333,stroke-width:2px,color:#000000
style J fill:#FFFFE0,stroke:#333,stroke-width:2px,color:#000000
style K fill:#FF4500,stroke:#333,stroke-width:2px,color:#FFFFFF
This loop keeps you coding while the AI handles security. Windsurf and Cursor follow a similar flow, just with their own files.
Setting Up Your AI IDE Correctly
Let’s get your AI tool ready to keep things secure while you code. Here’s the quick setup for each:
GitHub Copilot
Step 1: In your repo’s root, make a
.github
folder if it’s not there, then add acopilot-instructions.md
file.Step 2: Add your rules in Markdown (I’ll share mine below).
Step 3: Fire up your IDE (like VS Code) with Copilot and start coding. Check the “References” in Copilot’s response to make sure it’s using your rules.
Step 4: If something’s off, tweak the rules and try again.
Windsurf
Step 1: You’ll need two files:
.windsurfrules
in the repo root andscratchpad.md
in a.windsurf
folder (make it if needed).Step 2: Put rules in
.windsurfrules
(key-value style) and notes or tasks inscratchpad.md
.Step 3: Open Windsurf, code away, and check the logs to see if your rules are working.
Step 4: Update
scratchpad.md
with tasks (like[X] Add login page
) to stay organized.
Cursor
Step 1: Create a
.cursorrules
file in your repo’s root.Step 2: Add rules in YAML format (I’ll show you mine later).
Step 3: Open Cursor, start coding, and check the debug panel to confirm the rules are applied.
Step 4: Use the file as a scratchpad too—add todos like
[X] Fix bug
to keep track of stuff.
My Go-To Security Rules
Here are the rules I use to keep my code safe, pulled straight from my GitHub Copilot setup. I’ve adapted them for Windsurf and Cursor too, so you can use them no matter your tool.
General Rules (For All Languages)
These are the basics I always stick to:
Sanitize all user inputs to stop XSS or injection attacks.
Use parameterized queries for database stuff to avoid SQL injection.
Stick to secure authentication like OAuth 2.0 or JWT, and always validate tokens.
Keep secrets in environment variables or a secrets manager—never hardcode them.
Check packages for vulnerabilities or deprecation before using them.
In Copilot’s .github/copilot-instructions.md
, it looks like this:
Always sanitize user inputs to prevent XSS or injection attacks.
Use parameterized queries or prepared statements for all database interactions.
Enforce secure authentication with OAuth 2.0 or JWT, validating tokens properly.
Store secrets in environment variables or a secrets manager, never hardcode them.
Verify packages for vulnerabilities or deprecation before suggesting them.
For Windsurf in .windsurfrules
:
sanitize_inputs: always
use_parameterized_queries: true
authentication: "Use OAuth 2.0 or JWT with validation"
secrets_management: "Use environment variables or secrets manager"
package_validation: "Check for vulnerabilities or deprecation"
And in Cursor’s .cursorrules
:
rules:
sanitize_inputs: true
use_parameterized_queries: true
authentication: "Use OAuth 2.0 or JWT with validation"
secrets_management: "Use environment variables or secrets manager"
package_validation: "Check for vulnerabilities or deprecation"
Language-Specific Rules
JavaScript (Node.js)
JavaScript can be a minefield for stuff like XSS, so I make sure my AI sticks to these:
Sanitize HTML inputs with
DOMPurify
.Validate API inputs with
express-validator
.Set secure headers with
helmet
.Use double quotes and tabs for indentation (keeps my code looking clean while I’m vibing).
For Copilot:
For JavaScript, use double quotes and tabs for indentation.
Sanitize HTML inputs with DOMPurify to prevent XSS.
Validate and sanitize API inputs with express-validator.
Set secure HTTP headers using helmet in Express apps.
For Windsurf in .windsurfrules
:
javascript_indentation: "double quotes, tabs"
javascript_sanitize_html: "Use DOMPurify"
javascript_validate_inputs: "Use express-validator"
javascript_secure_headers: "Use helmet"
For Cursor in .cursorrules
:
javascript:
indentation: "double quotes, tabs"
sanitize_html: "Use DOMPurify"
validate_inputs: "Use express-validator"
secure_headers: "Use helmet"
Python
Python’s super flexible, but I don’t want any surprises with database queries or inputs:
Use
sqlalchemy
orpsycopg2
with parameterized queries for PostgreSQL.Sanitize inputs with
bleach
.Never use
eval()
orexec()
—too risky.
For Copilot:
For Python database queries, use sqlalchemy or psycopg2 with parameterized queries.
Sanitize inputs with bleach to prevent injection attacks.
Never suggest eval() or exec() in Python code.
For Windsurf in .windsurfrules
:
python_database_queries: "Use sqlalchemy or psycopg2 with parameterized queries"
python_sanitize_inputs: "Use bleach"
python_avoid_dangerous: "No eval() or exec()"
For Cursor in .cursorrules
:
python:
database_queries: "Use sqlalchemy or psycopg2 with parameterized queries"
sanitize_inputs: "Use bleach"
avoid_dangerous: "No eval() or exec()"
Java
Java’s big in enterprise stuff, so I make sure APIs and data are locked down:
Use Bazel for dependency management (not Maven).
Use
PreparedStatement
for JDBC queries.Validate inputs with
javax.validation
orHibernate Validator
.Secure REST APIs with Spring Security.
For Copilot:
For Java, use Bazel for dependency management, not Maven.
Use PreparedStatement for all JDBC database queries.
Validate inputs with javax.validation or Hibernate Validator.
Secure REST APIs with Spring Security configurations.
For Windsurf in .windsurfrules
:
java_dependency_management: "Use Bazel, not Maven"
java_database_queries: "Use PreparedStatement"
java_validate_inputs: "Use javax.validation or Hibernate Validator"
java_secure_apis: "Use Spring Security"
For Cursor in .cursorrules
:
java:
dependency_management: "Use Bazel, not Maven"
database_queries: "Use PreparedStatement"
validate_inputs: "Use javax.validation or Hibernate Validator"
secure_apis: "Use Spring Security"
Vibe Coding with Different AI Tools
Here’s how these tools fit into your vibe coding sessions, based on how I use them:
GitHub Copilot: It’s my go-to if I’m already on GitHub. The
.github/copilot-instructions.md
file applies rules automatically, so I can code in VS Code or online without worrying about security. It’s super seamless.Windsurf: I love Windsurf when I’m working on bigger projects. The
.windsurfrules
file sets strict rules, andscratchpad.md
lets me jot down tasks or notes (like[X] Add login page
). Plus, it’s got cool web scraping tools—I can runvenv/bin/python ./tools/web_scraper.py --max-concurrent 3 URL1 URL2 URL3
to grab stuff online without leaving my IDE. Keeps the vibe going!Cursor: Cursor’s great when I want something lightweight. The
.cursorrules
file handles rules and doubles as a scratchpad for todos (like[X] Fix bug
). It keeps me focused while making sure my code’s secure.
Switching Between Tools
The rules stay the same, just change the format. For example, “sanitize HTML with DOMPurify” goes from Markdown in Copilot to key-value in Windsurf to YAML in Cursor. Pick the tool that fits your vibe—Copilot for seamless integration, Windsurf for big projects with research, or Cursor for a simple, focused setup.
Tips to Keep the Vibe Going
Here’s how I make sure security doesn’t kill my coding buzz:
Double-Check AI Suggestions: Treat your AI’s code like a rough draft. Quick scan to make sure it’s following your rules—like, is that query parameterized?
Use Notes for Big Tasks: For Copilot, I use
.prompt.md
files for stuff like React forms. For Windsurf and Cursor, I add tasks toscratchpad.md
or.cursorrules
(e.g.,[X] Build API
). Keeps me organized without breaking my flow.Make Sure Rules Are Working: In Copilot, check the “References” to see if it’s using your rules. Windsurf has logs, and Cursor has a debug panel—use ‘em to confirm everything’s on track.
Test It Out
Try generating some code to see if your rules are working:
Copilot: Ask for a database query in VS Code. It should use
PreparedStatement
for Java if your rules are set right. Check the References to confirm.Windsurf: Generate some JavaScript code and make sure it’s using
DOMPurify
for HTML inputs. Peek at the logs to verify.Cursor: Ask for Python code and ensure there’s no
eval()
orexec()
. The debug panel will tell you if the rules are applied.
If something’s off, tweak your rules and try again. It’s worth the few minutes to keep your code safe.
Let’s Wrap It Up
Vibe coding’s all about that creative high, and with tools like GitHub Copilot, Windsurf, and Cursor, you don’t have to stress about security slowing you down. Set up your rules—whether it’s .github/copilot-instructions.md
, .windsurfrules
and scratchpad.md
, or .cursorrules
—and let your AI handle the heavy lifting. With these tips and rules, you can keep the flow going while building apps that are both awesome and secure.
Ready to give it a shot? Add those rules to your repo, fire up your IDE, and vibe code without worry. Want more on Copilot? Check out the GitHub Docs on Adding repository custom instructions for GitHub Copilot.
Happy coding, friends!
References:
Subscribe to my newsletter
Read articles from Hare Krishna Rai directly inside your inbox. Subscribe to the newsletter, and don't miss out.
Written by

Hare Krishna Rai
Hare Krishna Rai
Specialized in uncovering vulnerabilities within software supply chains and dependency ecosystems. Creator of SCAGoat and other open-source security tools. Speaker at Black Hat, DEF CON, and AppSec conferences with research on malicious package detection, dependency confusion, and CI/CD security.