boltCursorSEO, Security & GEO audit for Cursor-built apps

Cursor writes great TypeScript — and still forgets canonical tags, security headers and structured data.

Pantra scans your Cursor-built Next.js app and returns exact file-level fixes: next.config.ts headers, layout.tsx metadata, app/sitemap.ts, app/robots.ts — every prompt tuned for Cursor diffs.

play_arrowRun my auditSee pricing

Why Cursor apps fail SEO out of the box

Cursor typically scaffolds Next.js App Router with reasonable defaults, but the SEO/Security layer is easy to skip. The framework gives you the hooks (metadata export, headers(), middleware) — most Cursor sessions never reach them because the agent stops once the feature works. That leaves canonical tags missing, CSP unset, sitemap.ts absent, and the X-Powered-By header still leaking the framework version.

The 7 Next.js things Cursor forgets — and how to patch them in one diff

  1. 1

    next.config.ts ships without security headers

    Critical

    Cursor almost never adds the async headers() block to next.config.ts. That means no CSP, no HSTS, no X-Frame-Options, no nosniff. A 5-line function fixes all five. Pantra emits the exact function body.

    Copy-paste fix prompt →
  2. 2

    Missing openGraph metadata

    High

    Shareable links look like hot garbage without og:title, og:description and og:image. Next.js makes this trivial — metadata.openGraph in layout.tsx — but Cursor often stops at <title> and <meta description>.

    Copy-paste fix prompt →
  3. 3

    No app/sitemap.ts

    High

    Next.js has first-class support for a typed sitemap (app/sitemap.ts returning MetadataRoute.Sitemap). Cursor rarely generates it. Pantra emits the exact file tailored to your routes.

    Copy-paste fix prompt →
  4. 4

    Bundle creep — Core Web Vitals silently degrade

    Medium

    Every new Cursor session adds another client component, another library, another hook. The First Load JS climbs past 300kb and LCP/INP quietly fall below thresholds. Pantra pulls the live PageSpeed score and flags the specific regressions.

    Copy-paste fix prompt →
  5. 5

    No opengraph-image.tsx

    Medium

    Next.js lets you generate dynamic OG images per route via app/opengraph-image.tsx and ImageResponse. Cursor almost never writes this file — every shared link gets Next.js' default placeholder or nothing at all.

    Copy-paste fix prompt →
  6. 6

    No app/robots.ts (AI crawlers get no signal)

    Medium

    Same story as sitemap — Next.js has app/robots.ts built in. Missing means AI crawlers fall back to their defaults (mostly: do nothing useful). Add four Allow blocks for GPTBot, ClaudeBot, PerplexityBot, Google-Extended.

    Copy-paste fix prompt →
  7. 7

    No JSON-LD structured data

    Medium

    Organization and WebSite schemas belong in the root layout.tsx. Article schema belongs in blog [slug] layouts. Cursor emits none of it out of the box.

    Copy-paste fix prompt →

Frequently asked questions

Does Pantra work with plain Next.js too?expand_more
Yes. Any Next.js App Router site gets the Cursor-style prompts — they are really Next.js prompts. The Cursor flavor is that the language references Cursor chat instructions, but the diffs are framework-level.
How does Pantra know my site was built with Cursor?expand_more
It mostly does not — Cursor leaves no unique marker. Pantra falls back to Cursor prompts when it detects Next.js (x-powered-by: Next.js or Vercel server headers) without any other stack signal, because Cursor is the dominant Next.js AI coder.
Can I paste the prompt into Claude Code or Windsurf instead?expand_more
Yes. Pantra also generates native Claude Code and Windsurf variants — switch stacks on the prompt page and the wording adapts.
Will the audit catch issues in Server Actions?expand_more
Runtime-only bugs need dynamic testing, which is out of scope for a static scan. Pantra catches missing headers, metadata, schema, sitemap, robots, exposed bundle secrets and Supabase RLS — the classes of issues visible from the outside.

Scan your Cursor app now

Pantra runs the full SEO, Security and GEO audit in under 10 seconds and hands back copy-paste prompts tuned for your stack.

Run my audit

Audit other AI coders

v0

SEO, Security & GEO audit for v0 apps

Lovable

SEO, Security & GEO audit for Lovable apps

Bolt

SEO, Security & GEO audit for Bolt.new apps