Rules Hub

Coding Rules Library

← Back to all rules

Rule priority, scope & exceptions

Use this to align rules with the senior-level structure (P0/P1/P2, scope, exceptions/tradeoffs).

PriorityP0 — correctness, security, data loss, prod-impactingScopeUniversal — language-agnostic, broadly applicable

Exceptions / tradeoffs (EN)Iznimke / tradeoffi (HR)

backend ruleP0universalStack: architecture

securitytlscorsheadershardeningowasp-api-top10

Avoid security misconfiguration (TLS, headers, CORS, safe errors, hardened defaults)

Harden the entire API stack with consistent configs, minimal surface area, and non-leaky error handling.

Created: Feb 10, 2026

Bad example

Old codets

1	`app.use((err, req, res, next) => {`
2	`// BAD: leaks stack traces and internal details`
3	`res.status(500).json({ message: err.message, stack: err.stack });`
4	`});`
5
6	`// BAD: permissive CORS`
7	`app.use(cors({ origin: '*', credentials: true }));`

Explanation (EN)

Leaky errors, permissive CORS, missing TLS/security headers, and default-enabled features increase the chance of exploitation and data exposure.

Objašnjenje (HR)

Greške koje cure detalje, previše permisivan CORS, izostanak TLS/security headera i default-enabled featurei povećavaju šansu exploit-a i curenja podataka.

Good example

New codets

1	`app.use((err, req, res, next) => {`
2	`// Log internally with correlationId, return generic message`
3	`req.log.error({ err, correlationId: req.correlationId });`
4	`res.status(500).json({ message: 'Internal server error', correlationId: req.correlationId });`
5	`});`
6
7	`app.use(securityHeaders());`
8	`app.use(cors({`
9	`origin: ['https://app.example.com'],`
10	`credentials: true,`
11	`methods: ['GET','POST','PUT','DELETE'],`
12	`allowedHeaders: ['Authorization','Content-Type']`
13	`}));`

Explanation (EN)

Return non-sensitive errors, configure CORS narrowly, enable security headers, and enforce TLS end-to-end. Disable unnecessary methods/features and keep dependencies patched.

Objašnjenje (HR)

Vrati neosjetljive greške, suzi CORS, uključi security headere i forsiraj TLS end-to-end. Isključi nepotrebne metode/featuree i drži dependencyje ažurnima.

Notes (EN)

Also: ensure uniform request handling across proxies (prevent desync), set Cache-Control for private data, restrict content types, validate response schemas (including errors), and keep environments hardened and repeatable via automation.

Bilješke (HR)

Također: osiguraj uniformno procesiranje kroz proxy chain (spriječi desync), postavi Cache-Control za privatne podatke, ograniči content type, validiraj response schema (uključujući greške) i drži okruženja hardened i ponovljiva kroz automatizaciju.

Login required