Rules Hub

Coding Rules Library

← Back to all rules

Rule priority, scope & exceptions

Use this to align rules with the senior-level structure (P0/P1/P2, scope, exceptions/tradeoffs).

PriorityP1 — maintainability, architecture, long-term qualityScopeUniversal — language-agnostic, broadly applicable

Exceptions / tradeoffs (EN)Iznimke / tradeoffi (HR)

backend ruleP1universalStack: architecture

securityabuse-preventionrate-limitingbusiness-logicowasp-api-top10

Protect sensitive business flows from automation and abuse

Identify critical workflows (purchase, reservations, referrals, posting) and add anti-automation + per-flow limits.

Created: Feb 10, 2026

Bad example

Old codets

1	`app.post('/checkout/complete', async (req, res) => {`
2	`// BAD: no per-user throttles, no bot detection, no anomaly checks`
3	`const order = await placeOrder(req.auth.userId, req.body.cartId);`
4	`res.json(order);`
5	`});`
6
7	`app.post('/referrals/claim', async (req, res) => {`
8	`// BAD: unlimited referral claims`
9	`const credit = await claimReferral(req.auth.userId, req.body.code);`
10	`res.json({ credit });`
11	`});`

Explanation (EN)

High-value flows without abuse protections can be automated (scalping, spam, reservation hoarding, referral farming) and harm the business even if technical impact is low.

Objašnjenje (HR)

Visokovrijedni flowovi bez zaštite se mogu automatizirati (scalping, spam, rezervacije, referral farming) i štete biznisu iako tehnički utjecaj može biti mali.

Good example

New codets

1	`app.post('/checkout/complete', rateLimitPerUserStrict, async (req, res) => {`
2	`const userId = req.auth.userId;`
3
4	`const ok = await validateCheckoutTimingAndSignals(userId, req);`
5	`if (!ok) return res.status(429).json({ message: 'Too many attempts' });`
6
7	`const order = await placeOrder(userId, req.body.cartId);`
8	`res.json(order);`
9	`});`
10
11	`app.post('/referrals/claim', rateLimitPerUserStrict, async (req, res) => {`
12	`const userId = req.auth.userId;`
13	`const allowed = await enforceReferralCaps(userId);`
14	`if (!allowed) return res.status(403).json({ message: 'Not allowed' });`
15
16	`const credit = await claimReferral(userId, req.body.code);`
17	`res.json({ credit });`
18	`});`

Explanation (EN)

Apply per-flow controls: tighter rate limits, caps/quotas, anomaly detection, and (when appropriate) human verification for high-risk actions.

Objašnjenje (HR)

Primijeni per-flow kontrole: strože rate limite, cap/kvote, anomaly detection i (kad ima smisla) human verification za rizične akcije.

Notes (EN)

Options include device fingerprinting, captcha/biometrics, non-human timing heuristics, IP reputation/Tor blocking, and stricter protection for machine-consumed APIs (B2B/dev).

Bilješke (HR)

Opcije uključuju device fingerprinting, captcha/biometrics, heuristike vremena (non-human), IP reputaciju/Tor blokiranje i strožu zaštitu za API-je koje troše strojevi (B2B/dev).

Login required