Code Smart, Code Safe: Securing AI Suggestions in Modern IDEs

In this article, we'll learn how to code securely with AI-assisted IDE tools like GitHub Copilot, Windsurf, and Cursor. These tools can suggest code while keeping it safe. Each one lets you set rules in its own way: Copilot uses a .github/copilot-instructions.md file, Windsurf needs .windsurfrules and scratchpad.md, and Cursor uses a .cursorrules file. I'll show you how to set these up, share some important rules I use, and give you tips to keep coding securely without losing your flow.

Why Security Matters (Even When You’re Vibing)

Vibe coding is all about that creative flow—think hackathons, passion projects, or just messing around with a new idea. But when you’re moving fast, it’s easy to skip stuff like sanitizing inputs or securing your database queries. Next thing you know, your app’s got loopholes big enough for a hacker to drive through. AI tools can help by automatically applying security rules, so you don’t have to break your stride to think about it.

Here’s the deal: Copilot, Windsurf, and Cursor let you set custom instructions to guide their suggestions. Copilot uses a Markdown file to lay down the law, Windsurf splits it between rules and a scratchpad for notes, and Cursor keeps it simple with one YAML file. Let’s break down how to set them up and make sure your code stays safe.

How It Works?

Here’s a simple flowchart showing how I set up secure vibe coding with GitHub Copilot (it’s pretty similar for Windsurf and Cursor, just with different files):

graph LR
A[Start Coding] --> B[Create .github/copilot-instruction.md]
B --> C[Add Security Rules - General e.g. Sanitize Inputs - Language-Specific e.g. DOMPurify]
C --> D[Save File in Repository]
D --> E[Open IDE with Copilot - VS Code Visual Studio GitHub Web]
E --> F[Write Code or Ask Copilot a Question]
F --> G[Copilot Applies Instructions - Generates Secure Code Suggestions]
G --> H[Check References in Response]
H --> I[Includes copilot-instructions.md] & J[Secure Code Generated e.g. Parameterized Queries]
H --> J[Missing Instructions] & K[Refine Instructions - Clarify Rules - Disable Conflicting Settings]
J --> E
I --> K[Continue Vibe Coding with Secure Suggestions]

%% Styling with high-contrast colors
style A fill:#FFD700,stroke:#333,stroke-width:2px,color:#000000
style B fill:#FF6347,stroke:#333,stroke-width:2px,color:#FFFFFF
style C fill:#00CED1,stroke:#333,stroke-width:2px,color:#000000
style D fill:#98FB98,stroke:#333,stroke-width:2px,color:#000000
style E fill:#FFA500,stroke:#333,stroke-width:2px,color:#000000
style F fill:#FF69B4,stroke:#333,stroke-width:2px,color:#000000
style G fill:#4682B4,stroke:#333,stroke-width:2px,color:#FFFFFF
style H fill:#1E90FF,stroke:#333,stroke-width:2px,color:#FFFFFF
style I fill:#32CD32,stroke:#333,stroke-width:2px,color:#000000
style J fill:#FFFFE0,stroke:#333,stroke-width:2px,color:#000000
style K fill:#FF4500,stroke:#333,stroke-width:2px,color:#FFFFFF

This loop keeps you coding while the AI handles security. Windsurf and Cursor follow a similar flow, just with their own files.

Setting Up Your AI IDE Correctly

Let’s get your AI tool ready to keep things secure while you code. Here’s the quick setup for each:

GitHub Copilot

• Step 1: In your repo’s root, make a .github folder if it’s not there, then add a copilot-instructions.md file.

• Step 2: Add your rules in Markdown (I’ll share mine below).

• Step 3: Fire up your IDE (like VS Code) with Copilot and start coding. Check the “References” in Copilot’s response to make sure it’s using your rules.

• Step 4: If something’s off, tweak the rules and try again.

Windsurf

• Step 1: You’ll need two files: .windsurfrules in the repo root and scratchpad.md in a .windsurf folder (make it if needed).

• Step 2: Put rules in .windsurfrules (key-value style) and notes or tasks in scratchpad.md.

• Step 3: Open Windsurf, code away, and check the logs to see if your rules are working.

• Step 4: Update scratchpad.md with tasks (like [X] Add login page) to stay organized.

Cursor

• Step 1: Create a .cursorrules file in your repo’s root.

• Step 2: Add rules in YAML format (I’ll show you mine later).

• Step 3: Open Cursor, start coding, and check the debug panel to confirm the rules are applied.

• Step 4: Use the file as a scratchpad too—add todos like [X] Fix bug to keep track of stuff.

My Go-To Security Rules

Here are the rules I use to keep my code safe, pulled straight from my GitHub Copilot setup. I’ve adapted them for Windsurf and Cursor too, so you can use them no matter your tool.

General Rules (For All Languages)

These are the basics I always stick to:

• Sanitize all user inputs to stop XSS or injection attacks.

• Use parameterized queries for database stuff to avoid SQL injection.

• Stick to secure authentication like OAuth 2.0 or JWT, and always validate tokens.

• Keep secrets in environment variables or a secrets manager—never hardcode them.

• Check packages for vulnerabilities or deprecation before using them.

In Copilot’s .github/copilot-instructions.md, it looks like this:

Always sanitize user inputs to prevent XSS or injection attacks.
Use parameterized queries or prepared statements for all database interactions.
Enforce secure authentication with OAuth 2.0 or JWT, validating tokens properly.
Store secrets in environment variables or a secrets manager, never hardcode them.
Verify packages for vulnerabilities or deprecation before suggesting them.

For Windsurf in .windsurfrules:

sanitize_inputs: always
use_parameterized_queries: true
authentication: "Use OAuth 2.0 or JWT with validation"
secrets_management: "Use environment variables or secrets manager"
package_validation: "Check for vulnerabilities or deprecation"

And in Cursor’s .cursorrules:

rules:
  sanitize_inputs: true
  use_parameterized_queries: true
  authentication: "Use OAuth 2.0 or JWT with validation"
  secrets_management: "Use environment variables or secrets manager"
  package_validation: "Check for vulnerabilities or deprecation"

Language-Specific Rules

JavaScript (Node.js)

JavaScript can be a minefield for stuff like XSS, so I make sure my AI sticks to these:

• Sanitize HTML inputs with DOMPurify.

• Validate API inputs with express-validator.

• Set secure headers with helmet.

• Use double quotes and tabs for indentation (keeps my code looking clean while I’m vibing).

For Copilot:

For JavaScript, use double quotes and tabs for indentation.
Sanitize HTML inputs with DOMPurify to prevent XSS.
Validate and sanitize API inputs with express-validator.
Set secure HTTP headers using helmet in Express apps.

For Windsurf in .windsurfrules:

javascript_indentation: "double quotes, tabs"
javascript_sanitize_html: "Use DOMPurify"
javascript_validate_inputs: "Use express-validator"
javascript_secure_headers: "Use helmet"

For Cursor in .cursorrules:

javascript:
  indentation: "double quotes, tabs"
  sanitize_html: "Use DOMPurify"
  validate_inputs: "Use express-validator"
  secure_headers: "Use helmet"

Python

Python’s super flexible, but I don’t want any surprises with database queries or inputs:

• Use sqlalchemy or psycopg2 with parameterized queries for PostgreSQL.

• Sanitize inputs with bleach.

• Never use eval() or exec()—too risky.

For Copilot:

For Python database queries, use sqlalchemy or psycopg2 with parameterized queries.
Sanitize inputs with bleach to prevent injection attacks.
Never suggest eval() or exec() in Python code.

For Windsurf in .windsurfrules:

python_database_queries: "Use sqlalchemy or psycopg2 with parameterized queries"
python_sanitize_inputs: "Use bleach"
python_avoid_dangerous: "No eval() or exec()"

For Cursor in .cursorrules:

python:
  database_queries: "Use sqlalchemy or psycopg2 with parameterized queries"
  sanitize_inputs: "Use bleach"
  avoid_dangerous: "No eval() or exec()"

Java

Java’s big in enterprise stuff, so I make sure APIs and data are locked down:

• Use Bazel for dependency management (not Maven).

• Use PreparedStatement for JDBC queries.

• Validate inputs with javax.validation or Hibernate Validator.

• Secure REST APIs with Spring Security.

For Copilot:

For Java, use Bazel for dependency management, not Maven.
Use PreparedStatement for all JDBC database queries.
Validate inputs with javax.validation or Hibernate Validator.
Secure REST APIs with Spring Security configurations.

For Windsurf in .windsurfrules:

java_dependency_management: "Use Bazel, not Maven"
java_database_queries: "Use PreparedStatement"
java_validate_inputs: "Use javax.validation or Hibernate Validator"
java_secure_apis: "Use Spring Security"

For Cursor in .cursorrules:

java:
  dependency_management: "Use Bazel, not Maven"
  database_queries: "Use PreparedStatement"
  validate_inputs: "Use javax.validation or Hibernate Validator"
  secure_apis: "Use Spring Security"

Vibe Coding with Different AI Tools

Here’s how these tools fit into your vibe coding sessions, based on how I use them:

• GitHub Copilot: It’s my go-to if I’m already on GitHub. The .github/copilot-instructions.md file applies rules automatically, so I can code in VS Code or online without worrying about security. It’s super seamless.

• Windsurf: I love Windsurf when I’m working on bigger projects. The .windsurfrules file sets strict rules, and scratchpad.md lets me jot down tasks or notes (like [X] Add login page). Plus, it’s got cool web scraping tools—I can run venv/bin/python ./tools/web_scraper.py --max-concurrent 3 URL1 URL2 URL3 to grab stuff online without leaving my IDE. Keeps the vibe going!

• Cursor: Cursor’s great when I want something lightweight. The .cursorrules file handles rules and doubles as a scratchpad for todos (like [X] Fix bug). It keeps me focused while making sure my code’s secure.

Switching Between Tools

The rules stay the same, just change the format. For example, “sanitize HTML with DOMPurify” goes from Markdown in Copilot to key-value in Windsurf to YAML in Cursor. Pick the tool that fits your vibe—Copilot for seamless integration, Windsurf for big projects with research, or Cursor for a simple, focused setup.

Tips to Keep the Vibe Going

Here’s how I make sure security doesn’t kill my coding buzz:

1. Double-Check AI Suggestions: Treat your AI’s code like a rough draft. Quick scan to make sure it’s following your rules—like, is that query parameterized?

2. Use Notes for Big Tasks: For Copilot, I use .prompt.md files for stuff like React forms. For Windsurf and Cursor, I add tasks to scratchpad.md or .cursorrules (e.g., [X] Build API). Keeps me organized without breaking my flow.

3. Make Sure Rules Are Working: In Copilot, check the “References” to see if it’s using your rules. Windsurf has logs, and Cursor has a debug panel—use ‘em to confirm everything’s on track.

Test It Out

Try generating some code to see if your rules are working:

• Copilot: Ask for a database query in VS Code. It should use PreparedStatement for Java if your rules are set right. Check the References to confirm.

• Windsurf: Generate some JavaScript code and make sure it’s using DOMPurify for HTML inputs. Peek at the logs to verify.

• Cursor: Ask for Python code and ensure there’s no eval() or exec(). The debug panel will tell you if the rules are applied.

If something’s off, tweak your rules and try again. It’s worth the few minutes to keep your code safe.

Let’s Wrap It Up

Vibe coding’s all about that creative high, and with tools like GitHub Copilot, Windsurf, and Cursor, you don’t have to stress about security slowing you down. Set up your rules—whether it’s .github/copilot-instructions.md, .windsurfrules and scratchpad.md, or .cursorrules—and let your AI handle the heavy lifting. With these tips and rules, you can keep the flow going while building apps that are both awesome and secure.

Ready to give it a shot? Add those rules to your repo, fire up your IDE, and vibe code without worry. Want more on Copilot? Check out the GitHub Docs on Adding repository custom instructions for GitHub Copilot.

Happy coding, friends!

---

References:

• Securing GitHub Copilot: A Language-Specific Field Guide for Safer AI Pair Programming

• Adding repository custom instructions for GitHub Copilot

• Example Copilot Instructions

• Collection of Copilot Security Instructions