Rules Hub
Coding Rules Library
← Back to all rules
Rule priority, scope & exceptions
Use this to align rules with the senior-level structure (P0/P1/P2, scope, exceptions/tradeoffs).
backend ruleP1universalStack: node
securityssrapi-key
Guard server-only service methods against client-side execution
Methods that use server secrets (API keys) should detect a browser environment and refuse to run, signalling the misuse clearly.
PR: hegnar-forum-web · org-mining-hist-2026-06Created: Jun 20, 2026
Bad example
Old codetypescript
| 1 | public static async getReports(token) { |
| 2 | const headers = { 'x-api-key': apiKey }; |
| 3 | return fetch(url, { headers }); |
| 4 | } |
Explanation (EN)
Objašnjenje (HR)
Good example
New codetypescript
| 1 | public static async getReports(token) { |
| 2 | if (typeof window !== 'undefined') { |
| 3 | Logger.error('[getReports] is a server-side method, do not call from the client'); |
| 4 | return { statusCode: 403, payload: null }; |
| 5 | } |
| 6 | const headers = { 'x-api-key': apiKey }; |
| 7 | return fetch(url, { headers }); |
| 8 | } |
Explanation (EN)
Objašnjenje (HR)