Rules Hub

Coding Rules Library

← Back to all rules

Rule priority, scope & exceptions

Use this to align rules with the senior-level structure (P0/P1/P2, scope, exceptions/tradeoffs).

PriorityP0 — correctness, security, data loss, prod-impactingScopeUniversal — language-agnostic, broadly applicable

Exceptions / tradeoffs (EN)Iznimke / tradeoffi (HR)

frontend ruleP0universalStack: javascript

securityconfigxssclient

Do not source security-relevant config from mutable window globals

Endpoint URLs and similar values that affect where requests go should not be read from a window global a script could overwrite; pass them through trusted server-rendered state or routes.

PR: frontpage-web · org-mining-hist-2026-06Created: Jun 18, 2026

Bad example

Old codejavascript

1	`// any script can do window.myDomain = 'evil.com'`
2	const url = `${window.myDomain}/newsletter/`;
3	`fetch(url, { method: 'POST', body });`

Explanation (EN)

Objašnjenje (HR)

Good example

New codejavascript

1	`// use a same-origin relative path resolved by infrastructure`
2	`const url = '/api/v2/newsletter/';`
3	`fetch(url, { method: 'POST', body });`

Explanation (EN)

Objašnjenje (HR)

Login required