Tutorial Cursor Beginner

How to Use Cursor Rules: Step-by-Step Tutorial

Set up your first .cursorrules file in 5 minutes

Quick Answer

Create a file named .cursorrules in your project root. Add your tech stack, coding conventions, and security rules. Cursor reads this file before every response, making AI output more consistent and secure. This tutorial walks through each step with copy-paste templates.

What you'll learn

This tutorial shows you how to set up Cursor rules from scratch. By the end, you'll have a working configuration that makes Cursor generate better, more secure code for your vibe coding projects.

1 Create your first rules file
2 Add essential rules for your stack
3 Test and verify rules are working
4 Troubleshoot common issues

Time required: 5-10 minutes for basic setup. No prior configuration experience needed.

Before you start

  • Cursor installed on your computer
  • A project folder open in Cursor
  • Basic understanding of your project's tech stack

How to add cursor rules (step by step)

1

Open your project in Cursor

Open the folder containing your project in Cursor. Rules are project-specific, so each project can have its own configuration.

Tip: Make sure you open the root folder of your project, not a subfolder.
2

Create the rules file

Create a new file named .cursorrules in your project root. The dot at the beginning is required - this makes it a hidden file on macOS/Linux.

your-project/
.cursorrules
src/
package.json
Tip: On Windows, you can create the file from Cursor directly. Some file explorers hide dot-files by default.
3

Add your first rule

Start simple with your tech stack and one security rule. You can expand later.

.cursorrules (starter template)
# Project Configuration

## Tech Stack
- [Your framework: Next.js / React / SvelteKit / etc.]
- [Your language: TypeScript / JavaScript / Python]
- [Your database: Supabase / Prisma / MongoDB]
- [Your styling: Tailwind / CSS Modules / styled-components]

## Code Style
- Use functional components
- Prefer named exports over default exports
- Use TypeScript interfaces for props

## Security Rules
- NEVER use template literals for database queries
- ALWAYS validate user input on the server
- Check authentication on every API route
- Use environment variables for secrets, never hardcode
Tip: Begin with what makes your project unique - the framework, language, and coding patterns.
4

Test the rules

Open a new chat in Cursor and ask it to generate some code. Check if the output follows your rules.

Try these test prompts:

  • "What rules are you following for this project?"
  • "Create a simple API route" (check if it matches your stack)
  • "Show me a database query" (verify security rules apply)
Tip: Ask Cursor: "What rules are you following?" to verify it loaded your configuration.
5

Iterate and expand

Add more rules as you notice patterns. When Cursor generates something you correct often, add a rule for it.

Tip: Review your rules monthly. Remove ones that are no longer relevant and add new patterns.

Popular cursor rules to copy

Don't start from scratch. These popular repos and sites have battle-tested cursor rules you can copy and adapt for your projects.

Pro tip: Copy a base template from these repos, then customize for your specific stack. Don't use generic rules - add your database (Supabase, Prisma), your framework version (Next.js 14 App Router), and your security requirements.

Modern approach: .cursor/rules/ folder

For larger projects, use the .cursor/rules/ folder instead of a single file. This lets you organize rules by category and control when each rule applies.

Recommended Project Structure
your-project/
├── .cursor/
│   └── rules/
│       ├── core.md           # Always-on: tech stack, conventions
│       ├── security.md       # Always-on: security patterns
│       ├── typescript.md     # File-specific: *.ts, *.tsx
│       └── testing.md        # Manual: @testing when needed
├── src/
└── package.json

Using frontmatter for activation modes

Add YAML frontmatter to control when rules activate. This is more powerful than the legacy approach.

.cursor/rules/core.md
---
description: "Core project rules - tech stack and conventions"
alwaysApply: true
---

# Project: [Your App Name]

## Tech Stack
- Next.js 14 with App Router
- TypeScript in strict mode
- Supabase for auth and database
- Tailwind CSS for styling

## Architecture Patterns
- Use Server Components by default
- Client Components only for interactivity
- Server Actions for mutations
- Zod for input validation

## Naming Conventions
- Components: PascalCase (UserCard.tsx)
- Utilities: camelCase (formatDate.ts)
- Constants: SCREAMING_SNAKE_CASE
- Types/Interfaces: PascalCase with 'I' or 'T' prefix optional

## Security (Critical)
- Parameterized queries only: $1, $2 - never template literals
- Validate ALL input with Zod before database operations
- Check auth in every Server Action and API route
- Never expose SUPABASE_SERVICE_ROLE_KEY to client

Activation mode options:

alwaysApply: true

Active in every chat. Use for core rules.

alwaysApply: false

AI decides based on description. Use for specialized rules.

globs: ["*.ts"]

Only when working with matching files.

@rule-name

Manual activation by mentioning in chat.

Troubleshooting cursor rules

If your rules aren't working, check these common issues:

Rules completely ignored

  • File must be named exactly .cursorrules (with the dot)
  • File must be in project root, not a subfolder
  • Try starting a new chat session
  • Check for syntax errors in YAML frontmatter

Rules partially working

  • Some rules may conflict - simplify and test one at a time
  • Long rules may get truncated - keep under 500 lines
  • Vague rules are interpreted loosely - be specific
  • Check alwaysApply settings in frontmatter

File not found

  • Enable "Show hidden files" in your file explorer
  • On Windows, create via Cursor's file menu
  • Verify you opened the correct project folder
  • Check if .cursor/ folder exists for modern approach

Changes not applying

  • Start a new chat after editing rules
  • Changes apply to new sessions, not current ones
  • Check the file saved successfully
  • Verify YAML frontmatter syntax is correct

Debug command

Ask Cursor: "List all the cursor rules you're currently following for this project"

This reveals which rules Cursor detected and helps identify missing or ignored rules.

Don't forget security rules

The most important cursor rules for vibe coders prevent security vulnerabilities. AI tools often generate working code without considering security. Add these rules to catch common issues:

Database queries: "NEVER use template literals for SQL - use parameterized queries"
Authentication: "Check auth on EVERY API route and Server Action"
Input validation: "Validate ALL user input with Zod before processing"
Secrets: "NEVER hardcode API keys - use environment variables"

See our complete security rules template for copy-paste rules that prevent SQL injection, hardcoded secrets, and other common vulnerabilities.

Frequently asked questions

Why are my cursor rules not working?

Check three things: 1) The file is named exactly .cursorrules (with the dot) or placed in .cursor/rules/ folder, 2) The file is in your project root directory, 3) You have restarted Cursor or opened a new chat after creating the file. If using frontmatter, ensure the YAML syntax is valid with proper indentation.

Do I need to restart Cursor after changing rules?

For the legacy .cursorrules file, changes apply to new chat sessions automatically. For .cursor/rules/ files, Cursor watches for changes and applies them immediately. If rules seem ignored, start a new chat to ensure fresh context.

Should I use .cursorrules or .cursor/rules/ folder?

Use .cursor/rules/ folder for new projects. It offers better organization (split by category), activation modes (always, intelligent, file-specific), and is the officially recommended approach. The legacy .cursorrules file still works but lacks these features.

How do I know if Cursor is reading my rules?

Ask Cursor directly: "What rules are you following for this project?" or "Summarize my cursor rules." Cursor will list the active rules it found. You can also check by asking it to generate code that should follow your rules - if it follows them, they are working.

Can I use cursor rules with any AI model?

Yes. Cursor rules work with all supported models (Claude, GPT-4, etc.). Rules are injected into the system context before your prompts, so every model receives the same instructions. Different models may follow rules with varying precision.

How long should my cursor rules be?

Keep total rules under 500 lines. Shorter, focused rules work better than long documents. If you have many rules, split them into separate files in .cursor/rules/ (security.md, typescript.md, etc.). Each rule should be specific and actionable.

Do cursor rules work in Cursor Composer?

Yes. Cursor rules apply to both regular chat and Cursor Composer. The rules are loaded into context for any AI interaction in your project, including multi-file editing sessions in Composer.

Next steps

Verify Your Rules Are Working

Cursor rules reduce vulnerabilities but can't catch everything. VibeShip Scanner automatically detects security issues in your vibe coded projects - even ones that slip past your rules.

Scan Your Code Free

Related content

Official documentation