Don't bake credential placeholders into URLs returned to clients
Avoid appending hardcoded token/auth placeholders to URLs you construct and return; keep credentials out of returned/display URLs.
Bad example
```js
const params = new URLSearchParams();
params.append("auth_token", "<YOUR_TOKEN>"); // hardcoded credential placeholder
params.append("name", name);
const searchUrl = `${drLibUrl}?${params.toString()}`;
res.json({ tags, searchUrl });
```
Explanation (EN)
Embedding a credential param — even a placeholder — into a URL you build and return mixes the auth dimension into a display artifact, invites copy-paste of real tokens into query strings (where they get logged), and reads as accidental rather than intentional.
Explanation (HR, translated)
Embedding a credential parameter, even a placeholder, into a URL you build and return mixes authentication with a display artifact, encourages copying real tokens into the query string (where they get logged), and looks accidental rather than intentional.
Good example
```js
// Return only the query-relevant link; document separately that the caller adds their own token.
const params = new URLSearchParams({ name });
const searchUrl = `${drLibUrl}?${params.toString()}`;
res.json({ tags, searchUrl, note: "Append your own auth_token to call this URL directly." });
```
Explanation (EN)
Keep the constructed URL free of credential params and explain in documentation/response metadata how the caller supplies their own token. Tokens belong in headers, not in URLs that get logged or shared.
Explanation (HR, translated)
Keep the constructed URL free of credential parameters and explain in the documentation/response metadata how the caller adds their own token. Tokens belong in headers, not in URLs that get logged or shared.
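The rule above, worked through as an added example (not code from the rule library): the handler builds the search URL from query-relevant parameters only, a guard rejects any credential-looking query key (a real value or a `<YOUR_TOKEN>` placeholder alike), and the caller's token travels in the `Authorization` header. The names `drLibUrl`, `buildSearchUrl`, `assertNoCredentialParams`, `buildAuthedRequest` and the `CREDENTIAL_PARAMS` list are assumptions for this example.

```javascript
// Query keys that should never appear in a URL the service returns or logs.
// Assumed list for this example; extend it to match your own API's naming.
const CREDENTIAL_PARAMS = new Set([
  "auth_token", "access_token", "token", "api_key", "apikey", "secret", "password",
]);

// Throws if any query parameter of `url` looks like a credential. Placeholders such
// as "<YOUR_TOKEN>" are caught too: the key, not the value, is what matters.
function assertNoCredentialParams(url) {
  const parsed = new URL(url);
  for (const key of parsed.searchParams.keys()) {
    if (CREDENTIAL_PARAMS.has(key.toLowerCase())) {
      throw new Error(`credential parameter "${key}" must not appear in a returned URL`);
    }
  }
  return parsed;
}

// The "good example" pattern: only the query-relevant parameter goes into the URL,
// and the guard fails fast if a credential parameter ever creeps back in.
function buildSearchUrl(drLibUrl, name) {
  const params = new URLSearchParams({ name });
  const searchUrl = `${drLibUrl}?${params.toString()}`;
  assertNoCredentialParams(searchUrl);
  return searchUrl;
}

// The caller supplies its own token out of band, in a header, never in the URL.
function buildAuthedRequest(searchUrl, token) {
  return {
    url: searchUrl,
    method: "GET",
    headers: { Authorization: `Bearer ${token}` },
  };
}

// Shape of the handler response (constructed), mirroring res.json({ tags, searchUrl, note }).
function searchResponse(drLibUrl, name, tags) {
  return {
    tags,
    searchUrl: buildSearchUrl(drLibUrl, name),
    note: "Supply your own token in the Authorization header when calling this URL.",
  };
}
```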
Exceptions / Tradeoffs (EN)
A documentation/example link clearly labelled as a template (e.g. in API docs) may show a placeholder, but it should not be assembled inside live request-handling code paths.
Exceptions / Tradeoffs (HR, translated)
A documentation/example link clearly marked as a template (e.g. in API documentation) may show a placeholder, but it should not be assembled inside live request-handling logic.