Common Cursor Issues

After Cursor refactored your API server, requests from the frontend are blocked by CORS errors. The browser blocks responses due to missing Access-Control headers.

CORS middleware was removed or misconfigured.

After Cursor refactored your async/await code, promises are no longer resolving correctly. Operations that should happen sequentially are executing out of order, causing data inconsistencies.

Async/await syntax or promise handling was likely changed incorrectly.

After Cursor refactored your Stripe webhook handler, webhook events are no longer being received or processed. Payments fail to process because webhook callbacks don't fire.

The webhook endpoint URL or handler logic was broken.

An API endpoint that was working correctly now returns 404 Not Found errors after Cursor refactored your route definitions. The route is no longer accessible even though the handler exists.

Route registration or path may have been broken during the refactoring.

After Cursor refactored your API endpoint code, TypeScript errors report type mismatches between client requests and server responses. The endpoint signatures don't match what the client is sending.

Type definitions or interfaces were likely modified incorrectly during refactoring.

After Cursor refactored your GraphQL queries, queries are rejected with syntax errors or field not found errors. GraphQL queries that were working no longer execute.

Query syntax or schema expectations were changed incorrectly.

After Cursor refactored your API response handling code, parsing responses fails with errors. The application expects one format but the API is returning another.

Response handling or format expectation was likely changed incorrectly.

API requests generated by Cursor are missing required headers, causing requests to fail with 400 or 401 errors. The server requires specific headers like Authorization or Content-Type, but they're no longer being sent.

Header setup code may have been removed or restructured incorrectly.

After Cursor moved or reorganized your source files, many import statements are broken. The build fails because modules can't be found or import paths are incorrect.

Relative paths didn't get updated when files moved.

After enabling or upgrading TypeScript strict mode, Cursor's refactored code now has many type errors. The strict rules catch null/undefined issues and type mismatches that were previously ignored.

Code needs proper typing to satisfy strict mode requirements.

After Cursor refactored multiple authentication-related files, the entire login/logout flow is broken. Users cannot log in or stay logged in, and the app behaves inconsistently across pages.

Multiple components of the auth system may be broken.

After using Cursor's AI to refactor authentication code, OAuth token refresh requests return 401 Unauthorized errors. The application was previously handling token refresh correctly, but the AI-generated changes broke the flow.

Users are unexpectedly logged out during their sessions, and the app fails to silently refresh expired tokens before making API requests.

JWT tokens generated before Cursor's refactoring are now rejected with signature verification errors. The application validates incoming JWTs but now fails on all tokens, including valid ones.

This typically occurs when the JWT secret key configuration changes or the verification algorithm is modified during code generation.

After Cursor reorganized middleware in your Express app, authentication checks run after route handlers, causing protected routes to execute without validation. Requests that should be blocked are passing through.

The middleware chain was reordered during code cleanup, and now auth middleware runs too late or not at all for certain routes.

User sessions are no longer persisting to Redis after Cursor reorganized your session middleware code. Users are logged out on page refresh, defeating the purpose of persistent sessions.

The Redis client may be misconfigured or the session store initialization was altered during the refactoring.

After Cursor refactored your security middleware, CSRF tokens are no longer being validated. Form submissions succeed even with invalid tokens, creating a serious security vulnerability.

The CSRF middleware was either removed or incorrectly configured during code reorganization.

After Cursor refactored your Supabase authentication integration, login/signup stops working. Users cannot authenticate or their session isn't being maintained.

Supabase client initialization or auth flow was broken.

You've exhausted your Cursor fast requests for the month. Cursor Pro gives you a limited number of premium model requests (GPT-4, Claude), and once they're gone you're stuck with the slower model or waiting until next month.

This often happens at the worst time — when you're deep into debugging a complex issue and need the best AI model to help. The slower fallback model often can't handle the same complexity, leaving you stuck.

But there's a more efficient path than waiting or upgrading: for complex bugs that the AI is struggling with, a human developer is often faster and cheaper than more AI requests.

After Cursor refactored your ORM queries, page load times increased dramatically. Database logs show hundreds of queries for operations that previously took just a few.

The AI-generated code is fetching related entities one-by-one instead of in batch, causing the classic N+1 problem.

After Cursor refactored your database transaction code, operations that should succeed or fail together are now failing partially. Data consistency is compromised.

Transaction wrapping or commit/rollback logic was broken.

Database queries generated by Cursor's AI are throwing syntax errors when executed. The ORM (Sequelize, TypeORM, Prisma) rejects the generated queries as invalid, causing runtime failures.

The AI likely misunderstood the ORM's query API or used outdated syntax.

After Cursor generated new database migration files, attempting to roll back to a previous version fails with syntax errors or constraint violations. The database is left in an inconsistent state.

The down migration (rollback) may be malformed or incompatible with the current schema.

After Cursor edited your Prisma schema, running migrations fails with errors. The schema changes can't be applied to the database.

The schema syntax may be invalid or incompatible with current data.

After Cursor reorganized your database connection code, the application runs out of available connections under load. Requests start failing with timeout or pool exhaustion errors.

Connections are not being properly closed or released back to the pool, causing a leak.

After Cursor refactored your webpack configuration, the build process fails with syntax errors or configuration errors. The webpack config is malformed.

The configuration syntax or structure was changed incorrectly.

Docker build fails with errors after Cursor modified your application code. The build process was working before the refactoring, but now fails at various stages.

The Dockerfile or build artifacts may have been inadvertently modified, or dependencies changed.

Environment variables are not being loaded correctly in production after Cursor reorganized your configuration management code. The application uses hardcoded values or incorrect env var names.

What worked in development now fails in deployed environments.

Your GitHub Actions workflow stopped running successfully after Cursor made changes to the workflow YAML file. Build or deployment steps are now failing, blocking merges.

The YAML syntax or workflow logic was likely corrupted during refactoring.

The npm run build or similar build command now fails after Cursor reorganized your project files. The build pipeline is looking for files in the wrong locations or calling missing scripts.

Build artifacts are not being generated, preventing deployment.

After Cursor refactored your Next.js application, the build command fails. The application won't build for production.

The refactored code violates Next.js requirements or broke the build configuration.

After Cursor modified your webpack or dev server configuration, hot module reload (HMR) no longer works. Changes require full page refresh to see updates, slowing down development.

HMR configuration or webpack middleware was broken.

HTML emails generated by your Cursor-built application look great in the preview or in one email client, but are completely broken in others. Layouts collapse in Gmail, images don't load in Outlook, fonts revert to defaults in Yahoo Mail, and dark mode inverts your carefully chosen colors.

HTML email rendering is stuck in 1999 — email clients use wildly different HTML/CSS engines. Outlook uses Microsoft Word's HTML renderer, Gmail strips most CSS, and Apple Mail has its own quirks. Cursor generates modern HTML/CSS that works perfectly in browsers but violates almost every constraint of email client rendering.

The issue affects your brand perception and functionality. Broken emails look unprofessional, can obscure important content like verification links, and may even trigger spam filters that look for malformed HTML.

Your Cursor-built application's email delivery is severely delayed. Verification emails arrive 30 minutes late, password reset links expire before the email is delivered, and notification emails pile up in a queue that processes too slowly or gets stuck entirely.

Cursor often generates email sending code that runs synchronously in the request handler, blocking the HTTP response while waiting for SMTP. As your app grows, this approach fails because each email takes 1-3 seconds to send, overwhelming your server during traffic spikes. Alternatively, Cursor may set up a queue but configure it incorrectly, causing emails to accumulate without being processed.

Users complain about not receiving emails, repeatedly click "resend", creating even more queue pressure, and eventually abandon your app because they can't complete basic flows like email verification or password reset.

Your Cursor-generated application sends emails perfectly during local development but fails with SMTP connection errors in production. Users aren't receiving signup confirmations, password resets, or notification emails. The server logs show connection refused, timeout, or authentication errors when attempting to connect to the mail server.

Email delivery is critical infrastructure — when it breaks, users can't sign up, can't reset passwords, and lose trust in your application. Cursor often generates SMTP code configured for a local mail server or development service like Mailtrap/Mailhog, which doesn't translate to production.

The issue might also manifest as emails being sent successfully according to your application logs, but never arriving in users' inboxes due to DNS, SPF, or deliverability configuration problems that only affect production domains.

Code that Cursor generated works locally but fails your CI/CD pipeline. GitHub Actions, GitLab CI, CircleCI, or another automation platform reports lint errors, type check failures, broken tests, or build errors on code that runs perfectly on your development machine.

This is a common disconnect between AI-assisted development and automated quality gates. Cursor generates code that compiles and runs but may not pass strict linting rules (ESLint, Prettier), type checking (TypeScript strict mode), or existing tests. The development experience is smooth because you might have less strict local settings or skip running the full test suite.

The pipeline failure blocks deployments and forces you to retroactively fix issues that could have been caught earlier, often requiring multiple fix-and-push cycles that slow down your delivery.

Your Cursor-generated project builds and runs perfectly locally with npm run dev, but deploying to Vercel or Netlify fails with build errors. The platform's build log shows module resolution failures, SSR compatibility errors, missing dependencies, or Next.js/Nuxt-specific issues that didn't appear during development.

Vercel and Netlify run production builds in a clean environment, which exposes issues hidden by your local development setup. Hot module replacement (HMR) and development-mode error recovery mask problems that surface in production builds. Additionally, these platforms have specific requirements for server-side rendering, API routes, and static generation that differ from local development servers.

Each failed deploy means another round of pushing a fix and waiting 1-3 minutes for the build to run, making the feedback loop painfully slow compared to local development.

Your Cursor-generated Docker Compose configuration has networking issues that prevent containers from communicating with each other. The app container can't connect to the database, the API can't reach Redis, or services fail to resolve each other's hostnames. Everything worked before containerizing, but Docker introduces a network layer that Cursor's configuration doesn't handle correctly.

Docker networking is a common source of confusion because containers have their own network namespace. Localhost inside a container refers to that container, not the host machine. Service-to-service communication requires using Docker's internal DNS (service names) rather than localhost or 127.0.0.1.

The issue may appear as connection timeouts, DNS resolution failures, or refused connections that work fine when running the services directly on the host without Docker.

Your Cursor-generated CSS Grid layout looks great on desktop but completely breaks on mobile screens. Grid items overflow horizontally, content gets cut off, columns become impossibly narrow, or the layout collapses into an unreadable single column with wrong proportions.

CSS Grid is powerful but requires careful handling of responsive behavior. Cursor often generates grid layouts optimized for the desktop view you described in your prompt, using fixed column counts or pixel-based track sizes that don't adapt to smaller viewports. The grid might use grid-template-columns: repeat(4, 1fr) which creates four equal columns even on a 320px screen.

The issue manifests as horizontal scrolling, overlapping text, images squeezed to unusable sizes, or grid items that stack but retain incorrect heights and spacing from the desktop layout.

You've used Cursor to generate responsive CSS with media queries, but the styles don't change when you resize the browser or view the site on a mobile device. The desktop layout persists regardless of screen width, or only some media queries apply while others are completely ignored.

Media queries are the foundation of responsive design, and when they don't work, your app looks broken on mobile devices. Cursor may generate media queries with correct syntax but place them in locations where they get overridden, use wrong breakpoint values, or conflict with existing CSS framework styles.

The issue is especially confusing because the CSS looks correct when you inspect it, and the browser's responsive design mode might not trigger the expected changes.

Your Cursor-generated web application appears zoomed out, zoomed in, or renders at an unexpected scale on mobile devices. Text might be tiny and unreadable, the page might show excessive whitespace, or users can't zoom in/out. The root cause is a missing, malformed, or incorrectly configured viewport meta tag.

The viewport meta tag is a single line of HTML that controls how mobile browsers render your page. Without it, mobile browsers assume your page is designed for a 980px desktop screen and shrink everything to fit. With incorrect values, you might lock users out of zooming (an accessibility violation) or cause the page to render at the wrong width.

This issue affects every mobile visitor to your site and is often the first thing that needs fixing for any mobile responsiveness improvements to take effect.

After Cursor refactored your component code, the application hangs or becomes unresponsive. useEffect or state updates are causing infinite loops that never terminate.

A circular dependency or missing condition is causing the loop.

After Cursor refactored your API request code, the application suddenly exceeds rate limits and receives 429 Too Many Requests errors. API calls that were working are now being rate limited.

The refactored code may be making redundant requests or not implementing proper batching.

Your application's bundle size has significantly increased after Cursor refactored the code. Load times are now slow, especially on slower networks and mobile devices.

The refactored code may be importing unused dependencies or breaking code splitting.

Your application has developed a memory leak after Cursor refactored cleanup code. Memory usage increases over time and never decreases, eventually causing crashes or slowdowns.

Event listeners or subscriptions are not being properly cleaned up.

After Cursor refactored your React component code, components are re-rendering far too frequently, causing performance degradation and jank on the page.

Components that shouldn't re-render are being triggered by parent updates.

After Cursor refactored your database query code, certain queries have become significantly slower. Page loads that were previously fast now timeout or feel laggy.

The generated queries are inefficient or missing important indexes.

After Cursor refactored your server response headers, caching is not working correctly. Either assets are cached too long (users see stale content) or not cached at all (every request hits server).

Cache-Control headers were changed incorrectly.

Your Cursor-generated application uses client-side polling (setInterval with fetch) to check for updates, but the polling is far too aggressive. Your API is receiving thousands of unnecessary requests per minute, driving up server costs, hitting rate limits, and degrading performance for all users.

Cursor often generates polling as the simplest way to achieve "real-time" updates — a setInterval that calls the API every 1-2 seconds. This works fine with one user in development, but in production with hundreds or thousands of concurrent users, each polling at 1-second intervals, the request volume becomes unsustainable. A seemingly innocent feature like checking for new notifications can generate millions of API calls per day.

The problem compounds because the polling continues even when the browser tab is in the background, the user is idle, or there's no new data to fetch, wasting bandwidth and battery on mobile devices.

Your Cursor-generated application uses Server-Sent Events (SSE) for real-time updates (live notifications, streaming responses, dashboards), but the SSE connection drops after a few seconds or minutes. Users see the real-time feed freeze, and the browser's EventSource silently reconnects only to disconnect again in a loop.

SSE connections are long-lived HTTP connections that must stay open indefinitely. This conflicts with many infrastructure components that expect short request-response cycles. Reverse proxies, load balancers, serverless platforms, and CDNs all have default timeouts that terminate SSE connections prematurely.

The issue is often intermittent — it works fine during development where there's no proxy layer, but fails in production where Nginx, Cloudflare, or a serverless platform sits between the client and server.

After using Cursor to scaffold or refactor your application, you discover API keys, database connection strings, JWT secrets, or third-party tokens hardcoded directly in source files. These secrets end up committed to your Git repository and potentially pushed to GitHub, making them publicly accessible.

This is one of the most dangerous issues with AI-generated code. Cursor's autocomplete and code generation may inline credentials from your context, environment, or prompt history directly into source files rather than referencing environment variables. Bots continuously scan GitHub for exposed keys and can exploit them within minutes of a push.

You might discover this when you receive a security alert from GitHub, an unexpected bill from a cloud provider, or when a dependency scanner flags your repository.

After Cursor refactored your template rendering code, HTML escaping was removed or disabled. User input is now rendered as HTML instead of being escaped, creating an XSS vulnerability.

Any user-supplied content could run malicious scripts.

After Cursor generated code that introduced new npm, pip, or other package dependencies, a security audit reveals that some of these packages have known vulnerabilities (CVEs). Running npm audit or snyk test shows critical or high-severity issues in your dependency tree.

AI models are trained on data with a knowledge cutoff, which means Cursor may suggest package versions that were current during training but have since been found vulnerable. It may also suggest abandoned packages that no longer receive security patches, or lesser-known alternatives that haven't undergone security scrutiny.

This becomes a production concern when vulnerability scanners in your CI/CD pipeline block deployments, or when your organization's security team flags the issues during a review.

Your Cursor-generated application has forms and state-changing API endpoints (POST, PUT, DELETE) that lack CSRF (Cross-Site Request Forgery) protection. An attacker can craft a malicious webpage that tricks authenticated users into performing unintended actions on your app, such as changing their email, transferring funds, or deleting data.

Cursor often generates clean, functional forms and API routes but omits CSRF tokens entirely. The generated code accepts form submissions and API requests without verifying that they originated from your application. This is especially dangerous for apps that use cookie-based session authentication.

You might discover this during a security audit, penetration test, or when a security researcher demonstrates that they can create an external page that submits forms to your app on behalf of logged-in users.

Your Cursor-generated application reads and writes files to the local file system, which works perfectly during local development but fails in production. The app crashes with ENOENT, EACCES, or EROFS errors when trying to create temp files, write uploads, or read generated content.

This is a common trap with AI-generated code. Cursor writes straightforward file system code using fs.writeFile, fs.readFile, or similar APIs because it's the simplest approach. But modern production environments — serverless functions (Vercel, AWS Lambda, Netlify), containerized deployments (Docker, Kubernetes), and PaaS platforms (Heroku, Railway) — either have read-only file systems, ephemeral storage that gets wiped between invocations, or no local disk at all.

The issue often surfaces only after deployment, when the first user triggers a file operation and gets a server error.

Your Cursor-generated code that interacts with Amazon S3 fails with 403 Access Denied errors when attempting to upload, download, or list objects. The AWS SDK throws AccessDenied exceptions even though you've configured credentials and created the bucket.

S3 permissions are notoriously complex, involving the intersection of IAM policies, bucket policies, ACLs, and encryption settings. Cursor often generates syntactically correct S3 code but with incorrect assumptions about the permission model — using wrong region configurations, missing required permissions in the IAM policy, or assuming public access that's been blocked by default.

The frustration compounds because the same code might work with one AWS account's permissions but fail with another, or work for reads but not writes, or work for small files but fail for multipart uploads.

Your Cursor-generated application uses SQLite as its database and works fine during development with a single user, but fails with SQLITE_BUSY or "database is locked" errors as soon as multiple users access it simultaneously. Write operations timeout, reads sometimes return stale data, and the app becomes unreliable under any real load.

Cursor frequently chooses SQLite because it's the simplest database to set up — no server to configure, just a file. But SQLite's concurrency model is fundamentally different from PostgreSQL or MySQL. It uses file-level locking, meaning only one write can happen at a time, and readers can block writers depending on the journal mode.

This issue typically surfaces immediately after deploying to production or during load testing when more than a handful of concurrent users interact with the application.

End-to-end tests generated by Cursor using Playwright, Cypress, or Selenium time out during execution. Tests hang waiting for elements that never appear, pages that never load, or network requests that never complete. The tests work sometimes but fail intermittently, making your test suite unreliable and CI pipelines unpredictable.

E2E test flakiness is the number one reason teams abandon automated testing. Cursor generates tests that follow the happy path but don't account for the asynchronous, timing-dependent nature of real browser interactions. The AI writes selectors for elements that may not exist yet, clicks buttons before they're interactive, and asserts content that loads asynchronously.

The result is a test suite that passes locally (where the app is fast) but fails in CI (where resources are limited and the app is slower), or passes 80% of the time and fails randomly on the other 20%.

Tests generated by Cursor use mock data objects that don't match the actual schema of your database models, API responses, or TypeScript interfaces. The mocks have missing required fields, wrong data types, extra properties that don't exist, or outdated schema versions that don't reflect recent changes to your models.

This schema mismatch means tests pass with incorrect data structures, giving false confidence. A test might verify that a function handles a user object correctly, but the mock user is missing the role field that your actual code checks — so the test passes while the real code would fail. Alternatively, tests fail because the mock triggers validation errors from mismatched types.

The problem is insidious because it's not always obvious. Tests may pass for months until a code path that accesses the missing or mistyped field is finally triggered in production.

You asked Cursor to generate unit tests for your code, but the tests fail immediately when you run them. The failures range from import/module resolution errors and incorrect assertions to tests that reference functions or methods that don't exist in your codebase. The tests look plausible but don't actually test your real implementation.

AI-generated tests are one of the most requested features, but they're also one of the most error-prone. Cursor generates tests based on its understanding of your code, but may hallucinate function signatures, assume different export patterns, or use the wrong testing framework syntax. The tests compile but don't accurately reflect your actual code.

Running these failing tests wastes time debugging test code instead of production code, and if you force them to pass by adjusting the tests, you end up with tests that don't actually verify correct behavior.

After Cursor refactored your modal components, modals open but never close. Users are stuck seeing the modal overlay and cannot interact with the page beneath.

Modal state management or close handler was likely broken.

After Cursor refactored your form code, client-side validation was removed. Forms now accept invalid input and submit it to the server, wasting resources and potentially causing errors.

Validation functions or checks were deleted during the refactoring.

After Cursor cleaned up React components, error boundaries were removed. When a component throws an error, the entire application crashes instead of showing a graceful error message.

Error handling is now missing from critical parts of the app.

After Cursor refactored your component code, event listeners are being attached multiple times. Clicking a button fires the handler multiple times, or scroll events fire excessively.

The useEffect cleanup or listener removal logic was broken.

After Cursor reorganized your internationalization (i18n) files, translations are no longer working. Pages display key names instead of translated text, or missing locale files cause errors.

i18n configuration or translation file paths were broken during refactoring.

After Cursor refactored your state management code (Redux, Context, or other), state changes are no longer reflected in the UI. Components aren't updating when state changes.

The state management integration or store configuration may have been broken.

Your application's mobile responsive design stopped working correctly after Cursor refactored the layout components. Mobile views are broken, showing desktop layout at small screen sizes.

Media queries or viewport configuration may have been removed.

CSS styles that were previously applied are no longer working after Cursor reorganized your style files or component structure. Elements appear unstyled despite style rules existing in your CSS files.

The stylesheet is likely not being imported or referenced correctly.

A React component that was previously rendering correctly now fails to display or shows blank/error states after Cursor refactored the component code.

The component may have missing state, incorrect hooks, or broken rendering logic.

Buttons that were previously clickable no longer trigger their onClick handlers after Cursor refactored the component code. Users click buttons but nothing happens.

Event handler binding or attachment may have been broken.

Images that were previously displaying correctly now fail to load after Cursor reorganized your asset or component files. Broken image icons appear where images should be.

Image paths are incorrect after the file move.