Limit resource consumption (rate limits, paging, batching, timeouts)
Protect APIs from DoS and cost blowups by enforcing rate limits, pagination caps, batching limits, and execution timeouts.
Bad example
```js
app.get('/search', async (req, res) => {
  // BAD: unbounded limit
  const limit = Number(req.query.limit ?? 1000000);
  const items = await db.item.findMany({ take: limit });
  res.json(items);
});

app.post('/graphql', async (req, res) => {
  // BAD: allows unbounded batching and expensive operations
  const result = await graphqlExecute(req.body);
  res.json(result);
});
```
Explanation (EN)
Unbounded pagination and unrestricted batching can starve CPU/memory and create large bills (e.g., SMS/email providers, image processing, storage egress).
Explanation (HR)
Unbounded pagination and unrestricted batching can exhaust CPU/memory and run up large bills (e.g., SMS/email providers, image processing, egress).
Good example
```js
const MAX_PAGE_SIZE = 100;

// rateLimitStandard, db and graphqlExecuteWithLimits are assumed to be defined elsewhere in the app.
app.get('/search', rateLimitStandard, async (req, res) => {
  const requested = Number(req.query.limit ?? 20);
  // Reject NaN, Infinity and fractional values, then clamp to [1, MAX_PAGE_SIZE]
  const limit = Number.isInteger(requested) ? Math.min(Math.max(requested, 1), MAX_PAGE_SIZE) : 20;

  const items = await db.item.findMany({ take: limit });
  res.json(items);
});

app.post('/graphql', rateLimitStandard, async (req, res) => {
  // Enforce: max batch size, query depth/complexity, and timeouts
  const body = req.body;
  if (Array.isArray(body) && body.length > 10) {
    return res.status(400).json({ message: 'Batch size too large' });
  }

  const result = await graphqlExecuteWithLimits(body, { timeoutMs: 3000, maxDepth: 8, maxComplexity: 2000 });
  res.json(result);
});
```
Explanation (EN)
Cap page sizes, validate numeric limits, apply rate limiting, and enforce batching/complexity/timeouts for expensive endpoints (especially GraphQL and media processing).
Explanation (HR)
Cap page sizes, validate numeric limits, apply rate limiting, and enforce batching/complexity/timeout limits for expensive endpoints (especially GraphQL and media processing).
Notes (EN)
Also: enforce upload size limits, memory/CPU limits via containers/serverless, per-user/per-operation throttles (OTP, password reset, purchases), and configure third-party spending limits or billing alerts.
Notes (HR)
Also: enforce upload size limits, memory/CPU limits via containers/serverless, per-user/per-operation throttling (OTP, password reset, purchases), and configure spending limits or billing alerts for third-party services.
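The good example above leans on helpers (`rateLimitStandard`, `graphqlExecuteWithLimits`) that the rule does not show. The following is an added, framework-free example written for this page, not code from the rules library, that implements the same controls so they can be run and tested in isolation: page-size clamping, a batch-size cap, an execution timeout, and the per-user/per-operation throttle mentioned in the notes. All names (`clampPageSize`, `checkBatchSize`, `withTimeout`, `RateLimiter`, `handleBatch`) are hypothetical; the `execute` callback stands in for whatever actually runs a GraphQL operation.

```javascript
'use strict';
// Added example: resource-consumption limits without any web framework.
// All function and class names here are hypothetical and not part of the rules library.

const MAX_PAGE_SIZE = 100;
const DEFAULT_PAGE_SIZE = 20;
const MAX_BATCH = 10;

// Clamp an untrusted `limit` query value to [1, max]. Missing, empty, non-numeric,
// non-finite and fractional inputs all fall back to the default instead of erroring.
function clampPageSize(raw, { def = DEFAULT_PAGE_SIZE, max = MAX_PAGE_SIZE } = {}) {
  if (raw === undefined || raw === null || raw === '') return def;
  const n = Number(raw);
  if (!Number.isInteger(n)) return def;
  return Math.min(Math.max(n, 1), max);
}

// A batched GraphQL body is an array of operations; a single operation counts as size 1.
function checkBatchSize(body, max = MAX_BATCH) {
  const size = Array.isArray(body) ? body.length : 1;
  return { ok: size <= max, size };
}

// Race `promise` against a deadline. On timeout the caller gets an error with code
// 'TIMEOUT'; the timer is always cleared so the process is not kept alive by it.
function withTimeout(promise, ms) {
  let timer;
  const deadline = new Promise((_, reject) => {
    timer = setTimeout(() => {
      const err = new Error(`operation exceeded ${ms} ms`);
      err.code = 'TIMEOUT';
      reject(err);
    }, ms);
  });
  return Promise.race([promise, deadline]).finally(() => clearTimeout(timer));
}

// Fixed-window counter per key (user id, client IP, or "user:operation" for OTP / password
// reset throttles). `now` is injectable so the behaviour can be tested deterministically.
class RateLimiter {
  constructor({ limit, windowMs }) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.buckets = new Map();
  }
  allow(key, now = Date.now()) {
    const b = this.buckets.get(key);
    if (!b || now - b.start >= this.windowMs) {
      this.buckets.set(key, { start: now, count: 1 });
      return true;
    }
    if (b.count >= this.limit) return false;
    b.count += 1;
    return true;
  }
}

// Combines the batch cap and the timeout around an `execute(op)` callback.
// Returns an HTTP-style { status, body } so the caller can map it straight onto a response.
async function handleBatch(body, execute, { maxBatch = MAX_BATCH, timeoutMs = 3000 } = {}) {
  const { ok, size } = checkBatchSize(body, maxBatch);
  if (!ok) return { status: 400, body: { message: `Batch size ${size} exceeds ${maxBatch}` } };
  const ops = Array.isArray(body) ? body : [body];
  try {
    const results = await withTimeout(Promise.all(ops.map(execute)), timeoutMs);
    return { status: 200, body: results };
  } catch (err) {
    if (err.code === 'TIMEOUT') return { status: 504, body: { message: err.message } };
    throw err;
  }
}

// Small demonstration run when executed directly (constructed inputs).
if (typeof require !== 'undefined' && require.main === module) {
  console.log('page sizes:', clampPageSize('1000000'), clampPageSize('abc'), clampPageSize('5'));
  const rl = new RateLimiter({ limit: 2, windowMs: 1000 });
  console.log('rate limit:', [rl.allow('u1', 0), rl.allow('u1', 10), rl.allow('u1', 20), rl.allow('u1', 1000)]);
  const slow = () => new Promise((r) => setTimeout(() => r('done'), 200));
  handleBatch([{}, {}], slow, { timeoutMs: 50 }).then((r) => console.log('timeout:', r.status, r.body));
}

module.exports = { clampPageSize, checkBatchSize, withTimeout, RateLimiter, handleBatch, MAX_PAGE_SIZE, MAX_BATCH };
```

The clamp deliberately treats anything that is not a finite integer as "use the default" rather than as an error, which keeps the endpoint usable for clients that send odd values while still making it impossible to request a million rows. The rate limiter keys are free-form so the same class serves both a global per-user limit and a narrower per-operation throttle (for example `user:123:password-reset`).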