windsurf-security-basics
Apply Windsurf security best practices for workspace isolation, data privacy, and secret protection. Use when securing sensitive code from AI indexing, configuring telemetry, or auditing Windsurf security posture. Trigger with phrases like "windsurf security", "windsurf secrets", "windsurf privacy", "windsurf data protection", "codeiumignore".
Best use case
windsurf-security-basics is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Apply Windsurf security best practices for workspace isolation, data privacy, and secret protection. Use when securing sensitive code from AI indexing, configuring telemetry, or auditing Windsurf security posture. Trigger with phrases like "windsurf security", "windsurf secrets", "windsurf privacy", "windsurf data protection", "codeiumignore".
Teams using windsurf-security-basics should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/windsurf-security-basics/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How windsurf-security-basics Compares
| Feature / Agent | windsurf-security-basics | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Apply Windsurf security best practices for workspace isolation, data privacy, and secret protection. Use when securing sensitive code from AI indexing, configuring telemetry, or auditing Windsurf security posture. Trigger with phrases like "windsurf security", "windsurf secrets", "windsurf privacy", "windsurf data protection", "codeiumignore".
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
Related Guides
Best AI Skills for Claude
Explore the best AI skills for Claude and Claude Code across coding, research, workflow automation, documentation, and agent operations.
ChatGPT vs Claude for Agent Skills
Compare ChatGPT and Claude for AI agent skills across coding, writing, research, and reusable workflow execution.
SKILL.md Source
# Windsurf Security Basics
## Overview
Security best practices for Windsurf AI IDE: controlling what code Cascade can see, preventing secrets from leaking into AI context, managing telemetry, and configuring workspace isolation for regulated environments.
## Prerequisites
- Windsurf installed
- Understanding of Codeium's data processing model
- Repository with identified sensitive files
## Instructions
### Step 1: Exclude Secrets from AI Indexing
Create `.codeiumignore` at project root (gitignore syntax):
```gitignore
# .codeiumignore — files Codeium/Windsurf will NEVER index or read
# Secrets and credentials
.env
.env.*
.env.local
credentials.json
serviceAccountKey.json
*.pem
*.key
*.p12
*.pfx
# Cloud provider configs
.aws/
.gcloud/
.azure/
# Infrastructure secrets
terraform.tfstate
terraform.tfstate.backup
*.tfvars
vault-config.*
# Customer data
data/customers/
exports/
backups/
*.sql.gz
```
**Default exclusions (automatic):** Files in `.gitignore`, `node_modules/`, hidden directories (`.` prefix).
**Enterprise:** Place a global `.codeiumignore` at `~/.codeium/` for org-wide exclusions.
### Step 2: Disable Telemetry (If Required)
```json
// Windsurf Settings (settings.json)
{
"codeium.enableTelemetry": false,
"codeium.enableSnippetTelemetry": false,
"telemetry.telemetryLevel": "off"
}
```
### Step 3: Configure AI Autocomplete Exclusions
Disable Supercomplete for file types that commonly contain secrets:
```json
{
"codeium.autocomplete.languages": {
"plaintext": false,
"env": false,
"dotenv": false,
"properties": false,
"ini": false
}
}
```
### Step 4: Create Security-Focused .windsurfrules
```markdown
<!-- .windsurfrules - security section -->
## Security Requirements
- Never suggest hardcoded secrets, API keys, or passwords in code
- Always use environment variables via process.env for secrets
- Never log PII (email, phone, SSN, credit card numbers)
- Use parameterized queries for all database operations
- Never suggest wildcard CORS origins in production code
- All user input must be validated before processing
- Use constant-time comparison for secret/token validation
```
### Step 5: Audit AI Workspace Access
```bash
#!/bin/bash
set -euo pipefail
echo "=== Windsurf Security Audit ==="
# Check if .codeiumignore exists
if [ ! -f .codeiumignore ]; then
echo "WARNING: No .codeiumignore — AI can index all non-gitignored files"
fi
# Check for secrets that AI could index
echo "--- Potentially exposed secret files ---"
find . -type f \
-not -path '*/node_modules/*' \
-not -path '*/.git/*' \
\( -name '*.env*' -o -name '*.key' -o -name '*.pem' \
-o -name 'credentials*' -o -name '*secret*' \
-o -name '*.tfvars' -o -name 'serviceAccount*' \) \
2>/dev/null | head -20
# Check if found files are in .codeiumignore
echo "--- Verify all above files are excluded ---"
```
### Step 6: Windsurf Data Processing Model
```yaml
# What Windsurf/Codeium processes:
data_processing:
indexed_locally:
- File contents for Supercomplete context
- Codebase structure for Cascade awareness
stored: "Local machine only (not sent to cloud for indexing)"
sent_to_cloud:
- Cascade prompts (for AI model inference)
- Code snippets around cursor (for Supercomplete)
stored: "Zero-data retention for paid plans"
never_processed:
- Files in .codeiumignore
- Files in .gitignore (by default)
- Files in node_modules/
compliance:
- SOC 2 Type II certified
- FedRAMP High accredited
- HIPAA BAA available (Enterprise)
- Zero-data retention on paid plans
```
## Security Checklist
- [ ] `.codeiumignore` exists with secret file patterns
- [ ] `.env` files excluded from AI indexing
- [ ] `.windsurfrules` includes security coding standards
- [ ] Telemetry disabled (if required by policy)
- [ ] Autocomplete disabled for secret-containing file types
- [ ] No competing AI extensions installed (data exposure risk)
- [ ] Team members trained on "never paste secrets into Cascade chat"
- [ ] Enterprise: SSO configured, personal accounts blocked
## Error Handling
| Security Issue | Detection | Mitigation |
|----------------|-----------|------------|
| Secret in Cascade suggestion | Appears in AI output | Add source file to `.codeiumignore`, rotate secret |
| AI indexing .env files | Check `.codeiumignore` | Add `.env*` pattern |
| Telemetry sending code | Policy audit | Disable all telemetry settings |
| Dev pastes secret in chat | Cannot detect after the fact | Training + enterprise data retention = 0 |
## Examples
### Enterprise .codeiumignore
```gitignore
# ~/.codeium/.codeiumignore (global, all workspaces)
*.pem
*.key
*.p12
*.env*
**/secrets/**
**/credentials/**
terraform.tfstate*
*.tfvars
```
### Quick Privacy Check
```bash
# Verify critical files are excluded
echo ".env" | while read f; do
[ -f "$f" ] && grep -q "\.env" .codeiumignore 2>/dev/null && echo "$f: PROTECTED" || echo "$f: EXPOSED"
done
```
## Resources
- [Windsurf Security](https://windsurf.com/security)
- [Codeium Privacy Policy](https://codeium.com/privacy-policy)
- [Windsurf Ignore Docs](https://docs.windsurf.com/context-awareness/windsurf-ignore)
## Next Steps
For production deployment, see `windsurf-prod-checklist`.Related Skills
performing-security-testing
Test automate security vulnerability testing covering OWASP Top 10, SQL injection, XSS, CSRF, and authentication issues. Use when performing security assessments, penetration tests, or vulnerability scans. Trigger with phrases like "scan for vulnerabilities", "test security", or "run penetration test".
checking-session-security
Analyze session management implementations to identify security vulnerabilities in web applications. Use when you need to audit session handling, check for session fixation risks, review session timeout configurations, or validate session ID generation security. Trigger with phrases like "check session security", "audit session management", "review session handling", or "session fixation vulnerability".
finding-security-misconfigurations
Configure identify security misconfigurations in infrastructure-as-code, application settings, and system configurations. Use when you need to audit Terraform/CloudFormation templates, check application config files, validate system security settings, or ensure compliance with security best practices. Trigger with phrases like "find security misconfigurations", "audit infrastructure security", "check config security", or "scan for misconfigured settings".
responding-to-security-incidents
Analyze and guide security incident response, investigation, and remediation processes. Use when you need to handle security breaches, classify incidents, develop response playbooks, gather forensic evidence, or coordinate remediation efforts. Trigger with phrases like "security incident response", "ransomware attack response", "data breach investigation", "incident playbook", or "security forensics".
analyzing-security-headers
Analyze HTTP security headers of web domains to identify vulnerabilities and misconfigurations. Use when you need to audit website security headers, assess header compliance, or get security recommendations for web applications. Trigger with phrases like "analyze security headers", "check HTTP headers", "audit website security headers", or "evaluate CSP and HSTS configuration".
generating-security-audit-reports
Generate comprehensive security audit reports for applications and systems. Use when you need to assess security posture, identify vulnerabilities, evaluate compliance status, or create formal security documentation. Trigger with phrases like "create security audit report", "generate security assessment", "audit security posture", or "PCI-DSS compliance report".
workhuman-security-basics
Workhuman security basics for employee recognition and rewards API. Use when integrating Workhuman Social Recognition, or building recognition workflows with HRIS systems. Trigger: "workhuman security basics".
wispr-security-basics
Wispr Flow security basics for voice-to-text API integration. Use when integrating Wispr Flow dictation, WebSocket streaming, or building voice-powered applications. Trigger: "wispr security basics".
windsurf-webhooks-events
Build Windsurf extensions and integrate with VS Code extension API events. Use when building custom Windsurf extensions, tracking editor events, or integrating Windsurf with external tools via extension development. Trigger with phrases like "windsurf extension", "windsurf events", "windsurf plugin", "build windsurf extension", "windsurf API".
windsurf-upgrade-migration
Upgrade Windsurf IDE, migrate settings from VS Code or Cursor, and handle breaking changes. Use when upgrading Windsurf versions, migrating from another editor, or handling configuration changes after updates. Trigger with phrases like "upgrade windsurf", "windsurf update", "migrate to windsurf", "windsurf from cursor", "windsurf from vscode".
windsurf-sdk-patterns
Apply production-ready Windsurf workspace configuration and Cascade interaction patterns. Use when configuring .windsurfrules, workspace rules, MCP servers, or establishing team coding standards for Windsurf AI. Trigger with phrases like "windsurf patterns", "windsurf best practices", "windsurf config patterns", "windsurfrules", "windsurf workspace".
windsurf-reliability-patterns
Implement reliable Cascade workflows with checkpoints, rollback, and incremental editing. Use when building fault-tolerant AI coding workflows, preventing Cascade from breaking builds, or establishing safe practices for multi-file AI edits. Trigger with phrases like "windsurf reliability", "cascade safety", "windsurf rollback", "cascade checkpoint", "safe cascade workflow".