Security Windsurf Rules
Windsurf security rules: zero trust architecture, supply chain security, and modern application security practices.
.windsurfrules
- Apply zero trust: verify every request, even internal service-to-service calls
- Use short-lived credentials with automatic rotation; never long-lived API keys
- Sign all container images and verify signatures before deployment (Sigstore/Cosign)
- Use SBOM (Software Bill of Materials) generation in CI for supply chain visibility
- Implement mutual TLS (mTLS) between internal microservices
- Use OpenID Connect for all OAuth flows; never implement OAuth from scratch
- Run SAST with semgrep or CodeQL on every PR; block merges on high findings
- Practice security chaos: red team your own auth and permission systems quarterly
How to use with Windsurf
Create a `.windsurfrules` file in your project root. Windsurf's Cascade AI applies these rules automatically.
#security #windsurf #zero-trust #devsecops #coding-rules