Rules Hub

Coding Rules Library

← Back to all rules

Rule priority, scope & exceptions

Use this to align rules with the senior-level structure (P0/P1/P2, scope, exceptions/tradeoffs).

PriorityP0 — correctness, security, data loss, prod-impactingScopeUniversal — language-agnostic, broadly applicable

Exceptions / tradeoffs (EN)Iznimke / tradeoffi (HR)

backend ruleP0universalStack: node

securityauthenticationfile-uploadabuse-prevention

Authenticate internal file/upload routes to prevent abuse

Even internal-only file endpoints need an access-control check (shared secret, signed token, or HMAC header), otherwise the service can be hijacked as free file storage.

PR: hegnar-journalist-boost · org-mining-2026-06Created: Jun 17, 2026

Bad example

Old codetypescript

1	`// download/upload route with no auth at all`
2	`export async function GET(req, { params }) {`
3	`return streamFile(params.id);`
4	`}`

Explanation (EN)

Objašnjenje (HR)

Good example

New codetypescript

1	`export async function GET(req, { params }) {`
2	`if (!verifyInternalAuth(req.headers)) {`
3	`return new Response('Unauthorized', { status: 401 });`
4	`}`
5	`return streamFile(params.id);`
6	`}`

Explanation (EN)

Objašnjenje (HR)

Login required