Rules Hub

Coding Rules Library

← Back to all rules

Rule priority, scope & exceptions

Use this to align rules with the senior-level structure (P0/P1/P2, scope, exceptions/tradeoffs).

PriorityP1 — maintainability, architecture, long-term qualityScopeUniversal — language-agnostic, broadly applicable

Exceptions / tradeoffs (EN)Iznimke / tradeoffi (HR)

backend ruleP1universalStack: architecture

securitygovernanceinventoryversionsowasp-api-top10

Maintain API inventory, documentation, and version retirement

Track all API hosts/versions and data flows; retire old deployments and avoid exposing unprotected beta/staging APIs.

Created: Feb 10, 2026

Bad example

Old codets

1	`// No code example: issue is operational.`
2	`// Symptoms:`
3	`// - 'beta.api.example.com' still live`
4	`// - old v1 endpoints not rate-limited`
5	`// - docs out of date`

Explanation (EN)

Undocumented or forgotten API hosts/versions expand the attack surface. Attackers commonly find weaker controls on beta or older endpoints.

Objašnjenje (HR)

Nedokumentirani ili zaboravljeni API hostovi/verzije povećavaju attack surface. Napadači često nađu slabije kontrole na beta ili starim endpointima.

Good example

New codets

1	`// Policy-as-code sketch:`
2	`// - Maintain an inventory list of hosts, environments, and versions`
3	`// - CI fails if a host/version is missing from the inventory`
4	`// - Automated deprecation and retirement timelines`
5
6	`export const API_INVENTORY = [`
7	`{ host: 'api.example.com', env: 'prod', version: 'v3', public: true },`
8	`{ host: 'staging.api.example.com', env: 'staging', version: 'v3', public: false }`
9	`] as const;`

Explanation (EN)

Keep a living inventory of hosts/versions/environments, restrict access to non-prod APIs, auto-generate docs, and enforce retirement plans to reduce exposure.

Objašnjenje (HR)

Drži živu inventuru hostova/verzija/okruženja, ograniči pristup non-prod API-jima, auto-generiraj dokumentaciju i provodi retirement planove da smanjiš izloženost.

Notes (EN)

Also: document auth, errors, redirects, rate limits, CORS, endpoints; generate docs via OpenAPI in CI; avoid prod data in non-prod; apply external protections (WAF/API gateway) to all exposed versions.

Bilješke (HR)

Također: dokumentiraj auth, greške, redirecte, rate limite, CORS, endpoint-e; generiraj docs kroz OpenAPI u CI; izbjegni prod podatke u non-prod; primijeni vanjske zaštite (WAF/API gateway) na sve izložene verzije.

Login required