Is Cursor safe?
Is Cursor-generated code safe to ship?
Cursor is not tied to one backend; it writes code against whatever you point it at. That flexibility is the appeal, and it is also why the gap looks a little different from the Supabase-specific one you will see on other builders.
What Cursor actually does well
Understands your existing codebase and writes changes that fit the patterns already there.
Works with any stack: Supabase, a custom Node API, Postgres, whatever you already chose.
Handles large, multi-file refactors and new features without losing context.
The gap: auth checks that live only in the UI
Because Cursor writes to your existing architecture rather than scaffolding its own, the most common failure is subtler than a missing database policy: an auth check that hides a button or a page in the React component, with no matching check in the API route or server function underneath it. The route itself is still reachable by anyone who knows the URL or reads it out of the JS bundle.

The same pattern shows up with hardcoded keys. A developer asks Cursor to "get this working," Cursor puts a key directly in a client component or a NEXT_PUBLIC_-prefixed variable, and it ships to the browser.
Check Cursor for this yourself right now
This one is manual since there is no single backend to point a scanner at, but it takes about 60 seconds.
1. Find a page or feature in your app that is supposed to require login, for example an admin or account settings page.
2. Open an incognito or private browser window with no session, and navigate directly to that page's URL.
3. If the page or its data loads without redirecting you to a login screen, the check is happening client-side only.
4. Separately, open the devtools Sources tab on your live app and search the bundle for "sk_", "AKIA", or "service_role" to catch any hardcoded secret.
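Step 4 can be scripted against a saved copy of your bundle. The scanner below is an added example written for this page, not Leak Check's or Cursor's code; the key patterns are assumptions that approximate common formats, and the bundle text is constructed inline. It goes one step past a plain text search: any JWT it finds is decoded so that a Supabase anon key (which is meant to ship) is not flagged while a service_role key is.

```javascript
// Added example: scan JS bundle text for the secret markers named in step 4.
// Patterns are assumptions approximating common key formats, not exhaustive.
const SECRET_PATTERNS = [
  // AWS access key id: "AKIA" plus 16 uppercase letters/digits.
  { name: "aws_access_key_id", re: /\bAKIA[0-9A-Z]{16}\b/g },
  // "sk_" secret-key prefix (Stripe-style and similar).
  { name: "sk_secret_key", re: /\bsk_[A-Za-z0-9_]{12,}\b/g },
  // Any JWT; the payload is decoded below to see if it carries service_role.
  { name: "jwt", re: /\beyJ[0-9A-Za-z_-]+\.[0-9A-Za-z_-]+\.[0-9A-Za-z_-]+\b/g },
  // Server-only values that leaked into a NEXT_PUBLIC_ name.
  { name: "next_public_secret",
    re: /\bNEXT_PUBLIC_[A-Z0-9_]*(?:SECRET|SERVICE_ROLE|PRIVATE)[A-Z0-9_]*\b/g },
];

// Decode the JWT payload (no signature check; we only want the "role" claim).
function decodeJwtRole(token) {
  try {
    const payload = token.split(".")[1];
    const json = Buffer.from(payload, "base64url").toString("utf8");
    return JSON.parse(json).role || null;
  } catch {
    return null; // not a well-formed JWT payload
  }
}

// Returns one finding per hit: line number, kind, and a truncated sample.
function scanBundle(text) {
  const findings = [];
  text.split("\n").forEach((line, i) => {
    for (const { name, re } of SECRET_PATTERNS) {
      for (const m of line.matchAll(re)) {
        let kind = name;
        if (name === "jwt") {
          if (decodeJwtRole(m[0]) !== "service_role") continue; // anon is fine
          kind = "supabase_service_role_jwt";
        }
        findings.push({ line: i + 1, kind, sample: m[0].slice(0, 8) + "..." });
      }
    }
  });
  return findings;
}

// Constructed sample bundle: anon JWT (ok), service_role JWT, AWS key id,
// sk_ key, and a NEXT_PUBLIC_ variable carrying a server-only secret.
const b64 = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
const HEADER = b64({ alg: "HS256", typ: "JWT" });
const SAMPLE_BUNDLE = [
  `const anon="${HEADER}.${b64({ role: "anon" })}.sig";`,
  `const svc="${HEADER}.${b64({ role: "service_role" })}.sig";`,
  'const s3={accessKeyId:"AKIAEXAMPLEEXAMPLE00"};',
  'const stripe="sk_test_constructedexample123";',
  'fetch(u,{headers:{Authorization:process.env.NEXT_PUBLIC_SERVICE_ROLE_KEY}});',
].join("\n");

console.log(scanBundle(SAMPLE_BUNDLE));
```

Point it at the real bundle by reading the file into `scanBundle`; a hit on a service_role JWT, an AKIA id, or a NEXT_PUBLIC_ secret means the value is already in every visitor's browser and should be rotated and moved server-side.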
Rather not do this by hand? The free Leak Check runs the anon-key probe and a client bundle scan against your live URL and gives you results in under a minute.
Run the free Leak Check →

Where the numbers come from
We scanned 66 live apps built with Lovable, Bolt, Cursor, base44, and Tempo. 41% of the Supabase-backed apps had at least one table anyone could read with the public anon key. The full methodology and findings are in the data report.
Read the data report →